Incorrect user being picked for ecr login - not authorized - support of profiles on aws credentials #164

Closed
javapapo opened this issue May 28, 2019 · 8 comments

javapapo commented May 28, 2019

OS: MacOSX 10.14.5

aws --version
aws-cli/1.16.160 Python/3.7.3 Darwin/18.6.0 botocore/1.12.150

docker-credential-ecr-login --v
amazon-ecr-credential-helper
Version:    0.3.0
Git commit: 798bf25

docker --version
Docker version 19.03.0-beta3, build c55e026

I have my ~/.aws/credentials populated with different profiles (corp multi use account)
Example:

[sandbox-Ops]
aws_access_key_id     = XXXX
aws_secret_access_key = XXXX
aws_session_token     = XXXX

[prod-Ops-Techops]
aws_access_key_id     = XXX
aws_secret_access_key = XXX
aws_session_token     = XXX

cat ~/.docker/config.json
{
	"credsStore": "ecr-login"
}

I am trying to pull and I get this

pull access denied for xxxxx.dkr.ecr.eu-west-1.amazonaws.com/xxxxx, repository does not exist or may require 'docker login': denied: User: arn:aws:iam::xxxxx:user/javapapo-cli is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:eu-west-1:xxxxxx:repository/xxxx

How come it is picking this user?

arn:aws:iam::xxxxx:user/javapapo-cli 

javapapo changed the title from "Incorrect use being picked for ecr login - authorized" to "Incorrect use being picked for ecr login - not authorized" on May 28, 2019

@samuelkarp
Contributor

Hey @javapapo,

It's not clear from your report which user is being used. Did you want the credential helper to use one of the named profiles in your ~/.aws/credentials file?

If you don't specify credentials, the credential helper will attempt to locate credentials in an order similar to this:

  • Environment variables
  • Credentials file (and shared config file, if enabled)
  • Container credentials endpoint (when running in ECS)
  • Instance metadata credentials endpoint (when running in EC2)

This should be largely similar to the order used by other tools, like the AWS CLI.

Sam

@javapapo
Author

Hello @samuelkarp

Thanks for your comment. So I think I can see what is happening.

  1. I do have a properly populated ~/.aws/credentials that contains many different profiles.
    The credential-helper is picking the [default] profile (this was my personal AWS account, while in the same file I have 10 more corp profiles).

  2. I have deleted and repopulated my credentials file, and now it contains only my corp profiles:

[sandbox-Ops]
aws_access_key_id     = XXXX
aws_secret_access_key = XXXX
aws_session_token     = XXXX

[prod-Ops-Techops]
aws_access_key_id     = XXX
aws_secret_access_key = XXX
aws_session_token     = XXX

There is no [default] one currently - so I think the credentials helper does not pick one or it picks randomly something?

Is there any case to support --profile as a parameter to the utility? Like we do with the aws-cli?

$(aws ecr get-login --no-include-email --region eu-west-1 --profile prod-Ops-Techops --registry-id xxxxxxxxx)

javapapo changed the title from "Incorrect use being picked for ecr login - not authorized" to "Incorrect user being picked for ecr login - not authorized - support of profiles on aws credentials" on May 29, 2019

@samuelkarp
Contributor

Yes, the credential helper does support profiles.

If you have multiple accounts configured in ~/.aws/credentials (with credentials) you can do AWS_PROFILE=myprofile docker pull. If you have multiple accounts configured in ~/.aws/config with a role_arn and source_profile set up or a credential_process, you can do AWS_SDK_LOAD_CONFIG=true AWS_PROFILE=myprofile docker pull.

It's probably worth adding to the README and man page; let me know if you'd like to make this contribution.
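
The lookup order and the AWS_PROFILE override described in the maintainer's replies above, as an added example that is not part of the thread or the helper's own code. It is a simplified model that assumes only environment variables and ~/.aws/credentials are in play; the function names and the sample file (placeholder values, constructed) are hypothetical.

```shell
# Simplified model of the lookup order from the thread. Not the helper's or the
# AWS SDK's code: it ignores ~/.aws/config, credential_process and the ECS/EC2 endpoints.

# has_profile FILE NAME: succeed if FILE has a [NAME] section with an access key.
has_profile() {
    [ -r "$1" ] || return 1
    awk -v want="$2" '
        /^[ \t]*\[/ {
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            in_sec = (name == want)
            next
        }
        in_sec && /^[ \t]*aws_access_key_id[ \t]*=/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# which_source FILE: print where credentials would come from in this environment.
which_source() {
    profile="${AWS_PROFILE:-default}"
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "env"                    # environment variables win over any profile
    elif has_profile "$1" "$profile"; then
        echo "profile:$profile"       # [default] unless AWS_PROFILE names another
    else
        echo "unresolved:$profile"    # lookup falls through to the ECS/EC2 endpoints
    fi
}

# write_sample FILE: constructed credentials file with placeholder values only.
write_sample() {
    printf '%s\n' '[default]' 'aws_access_key_id = PERSONAL' \
        'aws_secret_access_key = XXXX' '' \
        '[prod-Ops-Techops]' 'aws_access_key_id = CORP' \
        'aws_secret_access_key = XXXX' > "$1"
}

sample=$(mktemp)
write_sample "$sample"
( unset AWS_PROFILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
  which_source "$sample" )
( unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
  AWS_PROFILE=prod-Ops-Techops; which_source "$sample" )
rm -f "$sample"
```

An "unresolved" result corresponds to the case in the thread where the file has no [default] section and AWS_PROFILE is not set.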

@samuelkarp
Contributor

Hi @javapapo. We haven't heard back from you in a while, and I've updated the README to include more information about the AWS_PROFILE and AWS_SDK_LOAD_CONFIG environment variables. I'm closing this issue, but if you continue to experience problems please feel free to open a new one.

@dinvlad

dinvlad commented Dec 21, 2019

It looks like credential_process is not supported after all: if it's configured, ecr-login hangs with a fully loaded CPU, until it times out. I was using credential_process with "regular" aws commands, but for ecr-login, I had to switch back to .aws/credentials instead.

@samuelkarp
Contributor

@dinvlad Can you open a new issue with details of the problem you're encountering? I use the credential helper with credential_process on a regular basis and would like to help debug this.

@mkaschke

mkaschke commented Nov 9, 2020

Is there a solution for it? I am running into the same issue. I have multiple accounts in the credentials.

@samuelkarp
Contributor

> Is there a solution for it? I am running into the same issue. I have multiple accounts in the credentials.

@mkaschke Please open a new issue with details of the problem you're running into. Thanks!

I'm locking this issue. If anyone in the future is running into problems, please open a new issue to describe the problems you're encountering.

@awslabs awslabs locked as resolved and limited conversation to collaborators Nov 9, 2020