Not worked with ECR actions

[Surgo]

After ECR login action, can pull and push images from ECR repository on run docker command directly.
Maybe it required to support local ~/.docker/config.json
But cannot pull and push on docker/build-push-action caused by no basic auth credentials error.
My workflow is

  build_and_push_image:
    name: Build and push docker image to ECR.
    runs-on: ubuntu-latest
    steps:
      - name: Check out
        uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: **********
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Pull from ECR (pull test)
        run: docker pull ${{ steps.login-ecr.outputs.registry }}/${{ secrets.REGISTRY }}:latest
      - name: Debug auth (pull test)
        run: cat ~/.docker/config.json
      - name: Build & Push
        uses: docker/build-push-action@v1
        with:
          repository: ${{ steps.login-ecr.outputs.registry }}/${{ secrets.REGISTRY }}
          add_git_labels: true
          tag_with_ref: true
      - name: Logout of Amazon ECR
        if: always()
        run: docker logout ${{ steps.login-ecr.outputs.registry }}

Successfully pull on command line: Pull from ECR (pull test)

Pull from ECR (pull test)6s
***.dkr.ecr.us-east-1.amazonaws.com/***:latest

...

18ebb058d5da: Pull complete
Digest: sha256:ac4754ea1154010603db8d7cbe07bb1a33954e59b088efab46445c69d8b0fc58
Status: Downloaded newer image for ***.dkr.ecr.us-east-1.amazonaws.com/***:latest
***.dkr.ecr.us-east-1.amazonaws.com/***:latest

Logged in to ECR: Debug auth (pull test)

Run cat ~/.docker/config.json
{
	"auths": {
		"***.dkr.ecr.us-east-1.amazonaws.com": {
			"auth": "***"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/3.0.11+azure (linux)"
	}
}

Failed to push or pull on docker/build-push-action@v1

...

Successfully built a60891a407a2
Successfully tagged ***.dkr.ecr.us-east-1.amazonaws.com/***:topic-use_original_docker_actions
Pushing image [***.dkr.ecr.us-east-1.amazonaws.com/***:topic-use_original_docker_actions]
The push refers to repository [***.dkr.ecr.us-east-1.amazonaws.com/***]
no basic auth credentials
Error: exit status 1
Usage:
  github-actions build-push [flags]

Flags:
  -h, --help   help for build-push

exit status 1

[zappy-shu]

Hi @Surgo the action uses a separate registry input to set a different registry than docker hub.

Could you try changing the build-push-action inputs to something like:

          registry: ${{ steps.login-ecr.outputs.registry }}
          repository: ${{ secrets.REGISTRY }}
          add_git_labels: true
          tag_with_ref: true

[nebuk89]

Hey @Surgo did this work for you?

[zjye-idealhub]

tried with similar workflow, it still returning

no basic auth credentials Error: exit status 1

[Surgo]

@zappy-shu @nebuk89 That does not worked for me :(

[Surgo]

It's my temporary solution.

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Get ECR password (temporary)
        id: get-ecr-password
        run: echo "::set-output name=password::$(aws ecr get-login-password)"
      - name: Build & Push image
        uses: docker/build-push-action@v1
        with:
          registry: ${{ steps.login-ecr.outputs.registry }}
          repository: ${{ secrets.REGISTRY }}
          username: AWS  # temporary
          password: ${{ steps.get-ecr-password.outputs.password }}  # temporary
          add_git_labels: true
          tag_with_ref: true

[belinde]

Any news about this issue? I'm having the same problem

[netphantom]

Following what @Surgo suggested, by separating registry from the repository I managed to avoid the no basic auth credentials

My GH-action look like this

        uses: docker/build-push-action@v1
        with:
          dockerfile: ./docker/dockerfile
          repository: ${{ github.repository }}/myrepo
          tags: latest
          username: ${{ github.ref }}
          password: ${{ secrets.GH_TOKEN }}
          registry: docker.pkg.github.com

[caligin]

+1 on the issue - I'm having an analogous problem with digitalocean's container registry: this configuration doesn't work (nor variants with dummy credentials do):

jobs:
  build-publish-deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Install doctl
      uses: digitalocean/action-doctl@v2
      with:
        token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
    - name: login to registry
      run: doctl registry login
    - name: Push
      uses: docker/build-push-action@v1
      with:
        repository: my/test-registry
        registry: registry.digitalocean.com
        tag_with_ref: true
        tag_with_sha: true
        add_git_labels: true

login succeeds in its own step, then build-push-action doesn't pick up the existing login.
while, analogous to suggested workarounds, this works:

jobs:
  build-publish-deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Install doctl
      uses: digitalocean/action-doctl@v2
      with:
        token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
    - name: login to registry
      id: do-registry
      run: "echo \"::set-output name=password::$(doctl registry docker-config --read-write --expiry-seconds 3600 | jq -r '.auths[\"registry.digitalocean.com\"].auth' | base64 -d | cut -d: -f 1)\""
    - name: is jq even here
      run: echo '{"a":1}' | jq .
    - name: Push
      uses: docker/build-push-action@v1
      with:
        repository: my/test-registry
        registry: registry.digitalocean.com
        username: ${{ steps.do-registry.outputs.password }}
        password: ${{ steps.do-registry.outputs.password }}
        tag_with_ref: true
        tag_with_sha: true
        add_git_labels: true

yes, this has nothing do to with ECR - but to me it looks like the same underlying problem of not picking up existing logins.
(ofc please lmk if I'm completely mistaken and this is out of place in this issue)

[negebauer]

Thanks @Surgo, I'm using your workaround for now.
I agree with @caligin it does seem to be a problem of not using the available login. Running the aws-actions/amazon-ecr-login should make the docker login available to this action as you can see from the usage of it https://github.com/aws-actions/amazon-ecr-login#usage, it doesn't use docker login in the next step.

[ayozemr]

any official comments on this?

[FlorinAsavoaie]

Here's a slightly improved version of the workaround. It fixes:

• Avoid possible leaks of the key
• Fails the step if the login fails

- name: Login to ECR
  env:
    AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
    AWS_REGION: ${{ secrets.AWS_REGION }}
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  id: get-ecr-password
  run: |
    aws ecr get-login-password \
    | {
      read PASSWORD
      echo "::add-mask::$PASSWORD"
      echo "::set-output name=password::$PASSWORD"
    }

[crazy-max]

@Surgo You should be able to use the ECR action with our future build-push-action v2 (#92). Can you try it?
You can also use the login-action which works perfectly for ECR (both for AWS CLI v1 and v2 on the ubuntu-20.04 GitHub runner).

[Surgo]

@crazy-max Works fine for me ☺️
Thank you for your support!

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Build & Push image
        uses: docker/build-push-action@v2-build-push
        with:
          registry: ${{ steps.login-ecr.outputs.registry }}
          repository: ${{ steps.login-ecr.outputs.registry }}/${{ secrets.REGISTRY }}
          add_git_labels: true
          tag_with_ref: true

📣 Buildx version: 0.4.2
🏃 Starting build...
/usr/bin/docker buildx build --iidfile /tmp/docker-build-push-dIdwjV/iidfile --file ./Dockerfile .
time="2020-09-03T10:35:10Z" level=warning msg="invalid non-bool value for BUILDX_NO_DEFAULT_LOAD: "
#2 [internal] load build definition from Dockerfile
#2 transferring dockerfile: 1.82kB 0.0s done
#2 DONE 0.0s

#1 [internal] load .dockerignore
#1 transferring context: 109B done
#1 DONE 0.0s

#3 [internal] load metadata for ***.dkr.ecr.us-east-1.amazonaws.co...
#3 DONE 0.3s
...

#19 exporting to image
#19 exporting layers
#19 exporting layers 8.3s done
#19 writing image sha256:dfe7204a70239a95a8ce761af1bb4a5ea306edb6466cd7011a1ec136e021c8d2 done
#19 DONE 8.3s
🛒 Extracting digest...
sha256:dfe7204a70239a95a8ce761af1bb4a5ea306edb6466cd7011a1ec136e021c8d2

(BTW: #2 -> #1 🤔 )

I'll close this issue when v2 released.

[crazy-max]

@Surgo

        with:
          registry: ${{ steps.login-ecr.outputs.registry }}
          repository: ${{ steps.login-ecr.outputs.registry }}/${{ secrets.REGISTRY }}
          add_git_labels: true
          tag_with_ref: true

Be careful, inputs have changed in v2. See Usage section and also this workflow as an example.

Works fine for me

Great!

[Surgo]

v2 released 🎉

[michaelhelmick]

A full example with ECR would be great! I've tried both:

- name: Login to ECR
   uses: docker/login-action@v1
   with:
          registry: 000000000000.dkr.ecr.nn-nnnn-1.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Set up Docker Buildx
   uses: docker/setup-buildx-action@v1

- name: Cache Docker layers
   uses: actions/cache@v2
   with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

- name: Build & Push image
   uses: docker/build-push-action@v2
   env:
          DOCKER_BUILDKIT: 1
   with:
          context: .
          file: ./Dockerfile
          push: true
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
          tags: |
            repo:${{ github.sha }}
            repo:latest

and

- name: Build & Push image
   uses: docker/build-push-action@v2
   env:
          DOCKER_BUILDKIT: 1
   with:
          context: .
          file: ./Dockerfile
          push: true
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
          tags: |
            000000000000.dkr.ecr.nn-nnnn-1.amazonaws.com/repo:${{ github.sha }}
            000000000000.dkr.ecr.nn-nnnn-1.amazonaws.com/repo:latest

First gave me a 401 Unauthorized and the second gave me insufficient_scope: authorization failed at the end of the docker image building (all layers completed).

[crazy-max]

@michaelhelmick See #126 (comment)

[michaelhelmick]

@michaelhelmick See #126 (comment)

Let me know if you'd like me to bring conversation there vs here (but I think this is explicitly referring to ECR so it might fit either?)

Updated setup to use

- name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
        with:
          driver-opts: image=moby/buildkit:master

Still no dice.

Same errors.

I tried with the full registry for a tag and this is the more explicit error message

#28 ERROR: unexpected status: 401 Unauthorized
1301
------
1302
 > exporting to image:
1303
------
1304
failed to solve: rpc error: code = Unknown desc = unexpected status: 401 Unauthorized
1305
Error: The process '/usr/bin/docker' failed with exit code 1

[crazy-max]

@michaelhelmick Can you open a new issue about this please with all relevant info for a bug report? Thanks.

[dfluff]

I haven't been able to get this to work for me. I'm trying to use ECR as the cache repo of my multi-stage docker build. I'm not doing a push to the repo in this step, that happens later (..although I could change that if it makes it easier).
I've been trying to use snippets from this thread as a guide but with no luck. I tried the following:

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Docker build using docker build layer cacheing
        uses: docker/build-push-action@v2
        env:
          DOCKER_BUILDKIT: 1
        with:
          registry: ${{ steps.login-ecr.outputs.registry }}
          repository: ${{ steps.login-ecr.outputs.registry }}/myproject-frontend
          context: .
          push: false
          build-args: |
            BUILD_APP_VERSION=${{ env.RELEASE_VERSION }}
          tags: |
            myproject-frontend:latest
            myproject-frontend:${{ env.RELEASE_VERSION }}
          cache-from: type=registry,ref=myproject-frontend:buildcache
          cache-to: type=registry,ref=myproject-frontend:buildcache,mode=max

This gave me the error Unexpected input(s) 'registry', 'repository', valid inputs are [<lotsofthings>] and ultimately a 401: authorization failed error.

Going by the error and since I couldn't find mention of the registry or repository in the documentation for the docker/build-push-action@v2 action, I removed those inputs and tried moving them to the cache-to/from parameters instead, like so:

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Docker build using docker build layer cacheing
        uses: docker/build-push-action@v2
        env:
          DOCKER_BUILDKIT: 1
        with:
          context: .
          push: false
          build-args: |
            BUILD_APP_VERSION=${{ env.RELEASE_VERSION }}
          tags: |
            myproject-frontend:latest
            myproject-frontend:${{ env.RELEASE_VERSION }}
          cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/myproject-frontend:buildcache
          cache-to: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/myproject-frontend:buildcache,mode=max

This gave me a 400 bad request error: buildx failed with: error: failed to solve: error writing manifest blob: failed commit on ref "sha256:66ce855480d97b26457d6639cd3542ee6d8b0959e81d372111829f3aedd31a6e": unexpected status: 400 Bad Request

I've not been able to find any other documentation/examples of how to use ECR for the build cache. Can someone point me to where I'm going wrong?

[HellGilo]

hitting the same issue with ECR as cache target, @dfluff did you manage to make it work in the end?

[dfluff]

hitting the same issue with ECR as cache target, @dfluff did you manage to make it work in the end?

Sorry, I didn't manage to find a solution to this yet @HellGilo

[stalkerg]

@HellGilo ECR just does not support it aws/containers-roadmap#876

[gdsmith]

For anyone trying to get type=registry cache working with ECR the following config worked for me:

cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/myproject-frontend:buildcache
cache-to: type=registry,mode=max,image-manifest=true,ref=${{ steps.login-ecr.outputs.registry }}/myproject-frontend:buildcache

The key being the image-manifest=true which I found info about here but couldn't find documented anywhere.