awslabs / amazon-ecr-credential-helper

Automatically gets credentials for Amazon ECR on docker push/docker pull

Helper returns success code + empty credential list on network error

gondalez opened this issue

Problem

When a network request fails, the helper returns an empty result.
This causes docker in turn to fail with a "no basic auth credentials" error.

Expected

Network error.
Helper returns a nonzero status code and a helpful error message to indicate to docker/user there was an error.

Actual

Network error.
Helper returns 0 (success) and empty result {}.

Repro Steps

Successful login (network enabled)

Status code is 0 as expected:

~ [master●] » docker-credential-ecr-login list
{"https://029672914754.dkr.ecr.us-west-2.amazonaws.com":"AWS","https://324969534254.dkr.ecr.us-west-2.amazonaws.com":"AWS"}
~ [master●] » echo $?
0 # ✅

~/.ecr/log/ecr-login.log

time="2023-02-01T17:06:23+08:00" level=debug msg="Listing credentials"
time="2023-02-01T17:06:25+08:00" level=debug msg="Checking file cache" registry=
time="2023-02-01T17:06:25+08:00" level=debug msg="Calling ECR.GetAuthorizationToken for default registry"
time="2023-02-01T17:06:26+08:00" level=debug msg="Saving credentials to file cache" registry=<snip> service=ecr
time="2023-02-01T17:06:26+08:00" level=debug msg="Checking file cache for ECR Public"
time="2023-02-01T17:06:27+08:00" level=debug msg="couldn't get authorization token for public registry" error="ecr: failed to get authorization token: operation error ECR PUBLIC: GetAuthorizationToken, https response error StatusCode: 400, RequestID: <snip>, api error AccessDeniedException: User: arn:aws:sts::<snip>:assumed-role/<snip> is not authorized to perform: ecr-public:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr-public:GetAuthorizationToken action"

Failed login (network disabled)

Turn off wifi and unplug network cable 😄

Status code expected to be nonzero but is zero:

~ [master●] » docker-credential-ecr-login list
{}
~ [master●] » echo $?
0 # ❗️🐞

~/.ecr/log/ecr-login.log

time="2023-02-01T17:10:28+08:00" level=debug msg="Listing credentials"
time="2023-02-01T17:10:31+08:00" level=debug msg="Could not fetch credentials for cache prefix, disabling cache" error="operation error SSO: GetRoleCredentials, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Get \"https://portal.sso.us-west-2.amazonaws.com/federation/credentials?account_id=029672914754&role_name=LocalDevelopment\": dial tcp: lookup portal.sso.us-west-2.amazonaws.com on [::1]:53: read udp [::1]:59700->[::1]:53: read: connection refused"

Note

I suspect this happens for invalid requests (4xx) as well as network errors, but I have no proof of that at this time.
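
A guard for scripts that call the helper, written for this page as an added example (not part of the original issue or the project's code): it treats the exit-0, `{}` result reported above as a failure instead of letting docker fail later. `HELPER_CMD`, the function names and the exit codes 2 and 3 are assumptions of this example, and it assumes at least one registry is expected in the list.

```shell
#!/bin/sh
# Added example: fail fast on the "status 0 + empty credential list" result.
# HELPER_CMD is an assumption of this example so a stub can be substituted.
HELPER_CMD="${HELPER_CMD:-docker-credential-ecr-login}"

# Return 0 if the text in $1 is empty or an empty JSON object,
# ignoring whitespace.
is_empty_credential_list() {
    compact=$(printf '%s' "$1" | tr -d ' \t\r\n')
    [ -z "$compact" ] || [ "$compact" = "{}" ]
}

# Run "<helper> list" and print the list only when it is usable.
# Exit codes (chosen for this example):
#   0  helper succeeded and returned at least one registry
#   2  helper itself reported failure (nonzero status)
#   3  helper reported success but returned no credentials
checked_ecr_list() {
    status=0
    out=$("$HELPER_CMD" list 2>/dev/null) || status=$?
    if [ "$status" -ne 0 ]; then
        echo "credential helper failed with status $status" >&2
        return 2
    fi
    if is_empty_credential_list "$out"; then
        echo "credential helper returned success with an empty list;" \
             "check network/AWS credentials and ~/.ecr/log/ecr-login.log" >&2
        return 3
    fi
    printf '%s\n' "$out"
}
```

Calling `checked_ecr_list >/dev/null || exit 1` before `docker pull` or `docker push` in a build script surfaces the failure at the point where it happens.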