Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(assets): docker login clashes with ecr-login #32925

Open
1 task
SamStephens opened this issue Jan 14, 2025 · 7 comments
Open
1 task

(assets): docker login clashes with ecr-login #32925

SamStephens opened this issue Jan 14, 2025 · 7 comments
Labels
@aws-cdk/assets Related to the @aws-cdk/assets package bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments

@SamStephens
Copy link
Contributor

SamStephens commented Jan 14, 2025

Describe the bug

This is a reopening of #14265, which was closed for inactivity. However, allowing usage of https://github.com/awslabs/amazon-ecr-credential-helper has become substantially more urgent because ECR have recently made a change to increase the length of tokens beyond the size that the Windows credential manager can store, 2500 characters. This is completely breaking for Windows users of Docker with ECR, and as amazon-ecr-credential-helper does not work with CDK and https://github.com/dougrday/docker-credential-plaintext did not work for me, Windows users are left with no option other than to code their own credential manager (or patch amazon-ecr-credential-helper to behave as though AWS_ECR_IGNORE_CREDS_STORAGE=true were set).

The only reason I'm not completely blocked by this is because I have an EC2 Ubuntu machine configured that I can use to do my CDK deploys.

See aws/aws-cli#5636 and aws/containers-roadmap#1589 for context.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Either to be able to use amazon-ecr-credential-helper with CDK, or for ECR tokens to comply with the 2,500 character limit Windows Credential Manager imposes.

Current Behavior

No way to use CDK Docker on Windows.

The actual issue I face is that when I try and use amazon-ecr-credential-helper, I need to set AWS_ECR_IGNORE_CREDS_STORAGE=true, as CDK expects to be able to use docker login with the credentials it receives. However when I call the CDK CLI with that environment variable set, I still see the Error saving credentials: error storing credentials - err: exit status 1, out: not implemented` error from Docker, indicating that however CDK invokes Docker, that environment variable is presumably not passed through.

Reproduction Steps

Perform any deploy involving Docker on Windows.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

n/a

Framework Version

No response

Node.js Version

n/a

OS

Windows and WSL

Language

Python, TypeScript, Java, .NET, Go

Language Version

No response

Other information

No response

@SamStephens SamStephens added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 14, 2025
@github-actions github-actions bot added the @aws-cdk/assets Related to the @aws-cdk/assets package label Jan 14, 2025
@khushail khushail self-assigned this Jan 15, 2025
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. p2 p1 and removed needs-triage This issue or PR still needs to be triaged. p2 labels Jan 15, 2025
@khushail
Copy link
Contributor

@SamStephens , Thanks for reporting this.CDK Team is aware of the issue. Apparently the issue was caused by ECR team's code change and they are working on a fix right now. Will share more updates as we get them.

@khushail khushail removed their assignment Jan 15, 2025
@khushail khushail added effort/medium Medium work item – several days of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Jan 15, 2025
@gioruf-rslabs
Copy link

Hi,
This is affecting our CI/CD pipelines that, unfortunately, have to run on windows.
That said, we found an extremely weird workaround.
@SamStephens, if you pass the docker password using the stdin (even on powershell) it works:

aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 123456789.dkr.ecr.eu-west-1.amazonaws.com

While

docker login --username AWS --password "LONG ECR TOKEN"

returns:

Error saving credentials: error storing credentials - err: exit status 1, out: `error storing credentials - err: exit status 1, out: `The stub received bad data.``

As I said, extremely weird, but "Windows works in mysterious ways".

@gioruf-rslabs
Copy link

It gets better, the length of the token seems to be quite inconsistent:

Image

Probably some of the nodes are still on the old, non-buggy version, or they are rolling out the fix as I am writing.

@jlouros
Copy link

jlouros commented Jan 15, 2025

Also getting the same issue on my CI pipelines and locally.

aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 597747411843.dkr.ecr.eu-west-1.amazonaws.com throws Error saving credentials: error storing credentials - err: exit status 1, out: error storing credentials - err: exit status 1, out: The stub received bad data.``

@khushail
Copy link
Contributor

Thanks for having patience. Using IAM User credentials when calling ECR's GetAuthorizationToken API results in a shorter token size, which may be a potential workaround. Mitigation is currently in progress.

@SamStephens
Copy link
Contributor Author

SamStephens commented Jan 19, 2025

@khushail it looks like the token length issue has been resolved: aws/aws-cli#5636 (comment). I've confirmed I'm now able to build and deploy docker images using CDK.

Of course, this doesn't change the fact that amazon-ecr-credential-helper cannot be used with the CDK, and it would be good if it could be used with it.

@khushail
Copy link
Contributor

Thanks for sharing the update @SamStephens . Since this is still an issue from CDK Side, keeping this issue open for action by the team.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/assets Related to the @aws-cdk/assets package bug This issue is a bug. effort/medium Medium work item – several days of effort p1
Projects
None yet
Development

No branches or pull requests

4 participants