Jib: ECR authentication 401 error

Hi @mboldysh. Can you confirm that you've installed and configured the ECR docker credential helper?

https://github.com/awslabs/amazon-ecr-credential-helper

To verify that it is working, please then try something like:

$ echo https://555818183070.dkr.ecr.us-east-2.amazonaws.com/jib-demo | docker-credential-ecr-login
{
  "Username": "xxx",
  "Secret": "yazzz"
}

Hi @briandealwis. As I understand there are two opportunities for login to ECR which described here - https://github.com/GoogleContainerTools/jib/tree/master/jib-gradle-plugin#authentication-methods. I want to use the second approach - "Using Specific Credentials" which as I understand doesn't require any credential helpers, but only username and password, is it correct?

You are correct that you won't need a credential helper if you provide to.auth.username and to.auth.passowrd.

As I understand this could be an issue with http/https proxy. In documentation I found this section - https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#how-do-i-configure-a-proxy, but I didn't find how exactly build command should look like in my simple case to fix this issue. Could you please create some example how to do it?

Unclear if a proxy is related to this issue, but anyways, I believe you can put them in gradle.properties (untested).

systemProp.http.proxyHost=our.corp.proxy.com
systemProp.http.proxyPort=3128
systemProp.http.proxyUser=user               # if needed
systemProp.http.proxyPassword=password       # if needed
systemProp.http.nonProxyHosts=...            # if desired
systemProp.https.proxyHost=our.corp.proxy.com
systemProp.https.proxyPort=3128              # usually same as HTTP-request proxy
systemProp.https.proxyUser=user              # if needed
systemProp.https.proxyPassword=password      # if needed

Hi @chanseokoh I saw this config in other issues but I'm a bit confused which proxy host and port I should paste into it. Is port should be 3128 or it's just an example port which should be replaced and which host I should use? Should it contain only registryAddress or registryAddress/imageName?

I tried this config:

systemProp.http.proxyHost=555818183070.dkr.ecr.us-east-2.amazonaws.com
systemProp.http.proxyPort=3128
systemProp.http.proxyUser=myusername
systemProp.http.proxyPassword=mypass
systemProp.http.nonProxyHosts=*.internal.com|localhost|127.0.0.1
systemProp.https.proxyHost=555818183070.dkr.ecr.us-east-2.amazonaws.com
systemProp.https.proxyPort=3128
systemProp.https.proxyUser=myusername
systemProp.https.proxyPassword=mypass
systemProp.https.nonProxyHosts=*.internal.com|localhost|127.0.0.1

But build failed with timeout:

Execution failed for task ':jib'.
> com.google.cloud.tools.jib.plugins.common.BuildStepsExecutionException: Connect to 555818183070.dkr.ecr.us-east-2.amazonaws.com/18.217.159.96:3128 timed out

Oops! Missed that you specified the auth block.

Are you sure you're behind a proxy? Are you using the user and password provided by the aws ecr get-login command? Can you use docker push and docker pull?

https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-basics.html#use-ecr

systemProp.http.proxyHost=555818183070.dkr.ecr.us-east-2.amazonaws.com

Is port should be 3128

From what you did and said, I wonder if you've got a wrong idea with proxy here. 555818183070.dkr.ecr.us-east-2.amazonaws.com doesn't look like it's your proxy but an actual target registry (ECR, that is) where you want to push your images. Certainly it doesn't make sense to set http.ProxyHost to that. That said, as @briandealwis said, I'm not sure if you are behind a proxy in your organization. It seems likely you are not providing correct username/password. Does you password have a special character?

Yes, I misunderstood the idea of proxy here. This is exactly not what I looking for. @briandealwis @chanseokoh you were right the problem was with credentials. Instead of using credentials provided by 'aws ecr get-login --no-include-email' I was using user credentials. Thank you for help!
The gradle.build version which work for me looks like this:

plugins {
    id 'org.springframework.boot' version '2.1.3.RELEASE'
    id 'java'
    id 'com.google.cloud.tools.jib' version '1.0.2'
}

apply plugin: 'io.spring.dependency-management'

group = 'jib.example'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = '1.8'

jib {
  to {
    image = '555818183070.dkr.ecr.us-east-2.amazonaws.com/jib-demo'
    auth {
      username = 'AWS'
      password = 'aws ecr get-login --no-include-email --region us-east-2'.execute().text.split(" ")[5]
    }
  }
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
}

Also, as the information that for login to ECR we should use a password from 'aws ecr get-login --no-include-email' is not present in jib README file maybe it's something that can be improved.

Thanks!

@mboldysh if you install and configure the docker-credential-ecr-login helper then you can get rid of auth section entirely: Jib will call out to it automagically to obtain the required credentials. Since you're already using the aws command line, it should just work as I believe it just calls out to aws ecr get-login.

@briandealwis yes I can do it, but I don't see any reason to install one more tool just to login to ECR instead of just write username and password in my build.gradle file. Actually, write username and password looks even simpler for me. Also, I believe docker-credential-ecr-login it's a helper for a docker daemon, so that docker is required in this case while setting up credentials in build.gradle allows build and push images without docker.

Generally I believe the recommendation is against including credentials as part of your source. On top of that docker is not usually required to use the credential helpers. I would at least give it a try.

@loosebazooka Yes, including credentials as part of source code is not a good idea, but it's easy to avoid it by specifying a password as 'gcloud auth print-access-token'.execute().text.trim() for GCR and as 'aws ecr get-login --no-include-email --region us-east-2'.execute().text.split(" ")[5] for ECR. And my point is, this single line just replace a helper tool which I should install and configure.

Ah okay, my fault, I misunderstood the comment. Carry on.