Helper returns success code + empty credential list on network error
gondalez opened this issue
Problem
When a network request fails, the helper returns an empty result.
This causes docker in turn to fail with a "no basic auth credentials" error.
Expected
Network error.
Helper returns a nonzero status code and a helpful error message to indicate to docker/user there was an error.
Actual
Network error.
Helper returns 0 (success) and empty result {}.
Repro Steps
Successful login (network enabled)
Status code is 0 as expected:
~ [master●] » docker-credential-ecr-login list
{"https://029672914754.dkr.ecr.us-west-2.amazonaws.com":"AWS","https://324969534254.dkr.ecr.us-west-2.amazonaws.com":"AWS"}
~ [master●] » echo $?
0 # ✅
~/.ecr/log/ecr-login.log
time="2023-02-01T17:06:23+08:00" level=debug msg="Listing credentials"
time="2023-02-01T17:06:25+08:00" level=debug msg="Checking file cache" registry=
time="2023-02-01T17:06:25+08:00" level=debug msg="Calling ECR.GetAuthorizationToken for default registry"
time="2023-02-01T17:06:26+08:00" level=debug msg="Saving credentials to file cache" registry=<snip> service=ecr
time="2023-02-01T17:06:26+08:00" level=debug msg="Checking file cache for ECR Public"
time="2023-02-01T17:06:27+08:00" level=debug msg="couldn't get authorization token for public registry" error="ecr: failed to get authorization token: operation error ECR PUBLIC: GetAuthorizationToken, https response error StatusCode: 400, RequestID: <snip>, api error AccessDeniedException: User: arn:aws:sts::<snip>:assumed-role/<snip> is not authorized to perform: ecr-public:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr-public:GetAuthorizationToken action"
Failed login (network disabled)
Turn off wifi and unplug network cable 😄
Status code expected to be nonzero but is zero:
~ [master●] » docker-credential-ecr-login list
{}
~ [master●] » echo $?
0 # ❗️🐞
~/.ecr/log/ecr-login.log
time="2023-02-01T17:10:28+08:00" level=debug msg="Listing credentials"
time="2023-02-01T17:10:31+08:00" level=debug msg="Could not fetch credentials for cache prefix, disabling cache" error="operation error SSO: GetRoleCredentials, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Get \"https://portal.sso.us-west-2.amazonaws.com/federation/credentials?account_id=029672914754&role_name=LocalDevelopment\": dial tcp: lookup portal.sso.us-west-2.amazonaws.com on [::1]:53: read udp [::1]:59700->[::1]:53: read: connection refused"
Note
I suspect this happens for invalid requests (4xx) as well as network errors, but I have no proof of that at this time.
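
The failure mode reported in this issue, reduced to a small Go model. This is an added example, not code from the helper: `tokenSource`, `listCredentials` and `run` are hypothetical names and the error text is constructed. With `strict=false` a total outage yields `{}` and status 0, as in the repro; with `strict=true` partial results are still returned (as in the successful run above, where only the public-registry lookup failed), but a total failure becomes a nonzero status.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// tokenSource is a hypothetical stand-in for one registry token lookup.
type tokenSource func() (serverURL string, err error)

// listCredentials collects credentials from every source. With strict=false it
// models the reported behaviour: lookup errors are dropped. With strict=true a
// total failure is returned as an error; partial success is still returned.
func listCredentials(sources []tokenSource, strict bool) (map[string]string, error) {
	out := map[string]string{}
	var errs []error
	for _, src := range sources {
		url, err := src()
		if err != nil {
			errs = append(errs, err) // in the issue's logs this only appears at debug level
			continue
		}
		out[url] = "AWS"
	}
	if strict && len(out) == 0 && len(errs) > 0 {
		return nil, fmt.Errorf("all %d credential lookups failed: %w", len(errs), errs[0])
	}
	return out, nil
}

// run returns what a `list` invocation would print and its exit status.
func run(sources []tokenSource, strict bool) (string, int) {
	creds, err := listCredentials(sources, strict)
	if err != nil {
		return err.Error(), 1
	}
	b, _ := json.Marshal(creds) // a map[string]string always marshals
	return string(b), 0
}

func main() {
	// Constructed failure standing in for the "network disabled" case.
	down := func() (string, error) { return "", errors.New("dial tcp: connection refused") }
	for _, strict := range []bool{false, true} {
		out, code := run([]tokenSource{down, down}, strict)
		fmt.Printf("strict=%v output=%q exit=%d\n", strict, out, code)
	}
}
```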