
amazon-ecr-login's Issues

Login fails on windows

Currently experiencing issues on aws-actions/amazon-ecr-login@v1 via a build script using aws-actions/configure-aws-credentials@v1. The build was perfect as of 3 days ago. The error is:

 Error: Could not login: WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error saving credentials: error storing credentials - err: exit status 1, out: The stub received bad data.

The virtual env info is

2020-11-02T15:08:23.2642617Z Microsoft Windows Server 2019
2020-11-02T15:08:23.2642970Z 10.0.17763
2020-11-02T15:08:23.2643321Z Datacenter
2020-11-02T15:08:23.2643642Z ##[endgroup]
2020-11-02T15:08:23.2644020Z ##[group]Virtual Environment
2020-11-02T15:08:23.2644535Z Environment: windows-2019
2020-11-02T15:08:23.2644904Z Version: 20201021.0

This wasn't happening as of 3 days ago and I believe this may be a related issue. Still haven't found any workaround yet.

Actions outputs do not work, and have never worked

I'm getting the following error while trying to use the Actions outputs: The workflow is not valid. .github/workflows/xxxxx.yaml (Line: 25, Col: 14): Unexpected symbol: '350xxxxxxxxx_dkr_ecr_eu_central_1_amazonaws_com_docker_username'. Located at position 21 within expression: steps.login.outputs.350xxxxxxxxx_dkr_ecr_eu_central_1_amazonaws_com_docker_username.

From: https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs :

The <output_id> must start with a letter or _ and contain only alphanumeric characters, -, or _.

As such, the fact that the Actions output ids start with a number (e.g. 111111111111_dkr_ecr_aws_region_1_amazonaws_com_docker_username) means that the workflow file will always be invalid.

This functionality has apparently not been tested and is broken.

[QUESTION] Custom build args

Is there a way to pass custom build args to docker build?
I've been trying to pass build args to the Dockerfile, but only the env vars that are in the documentation are accepted.

(Sorry for posting in this place..)

EKS IRSA Support? `Error saving credentials: error storing credentials - err: exit status 1, out: not implemented`

Using this on an EKS setup where IRSA is used to provide IAM access on our pods (our runners), when trying to chain amazon-ecr-login together with configure-aws-credentials I get the error below:

I can confirm IRSA is working fine as we have other pipelines using it fine, our runners are able to assume roles successfully and use the permissions in those assumed roles.

IRSA uses token files for authentication setting the AWS_WEB_IDENTITY_TOKEN_FILE env pointed at the token on disk.

Output From Actions Log

Run aws-actions/configure-aws-credentials@v1
  with:
    role-to-assume: arn:aws:iam::$MY_ACCOUNT_ID:role/$MY_ROLE
    aws-region: $MY_REGION
    role-duration-seconds: 900
1s
Run aws-actions/amazon-ecr-login@v1
  with:
  env:
    AWS_DEFAULT_REGION: $MY_REGION
    AWS_REGION: $MY_REGION
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***
Error: Could not login: WARNING! Using -*** the CLI is insecure. Use --password-stdin.
Error saving credentials: error storing credentials - err: exit status 1, out: `not implemented`

Workflow Yaml

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    role-to-assume: arn:aws:iam::$MY_ACCOUNT_ID:role/$MY_ROLE
    aws-region: $MY_REGION
    role-duration-seconds: 900
- name: Login to ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1

Provide the ECR username and password as outputs

I want to use this action in combination with https://github.com/aevea/action-kaniko specifically so I can build my image with kaniko and then push it to two separate container registries (staging and production - separate registries in separate AWS accounts).

The kaniko builder requires the authentication details as it handles the registry authentication rather than using the docker login that this action provides.

I have had some success with https://github.com/elgohr/ecr-login-action to get the credentials out and pass to the kaniko builder, but I'd prefer to use this action if possible.

Authentication error when pushing to different account in same region

Hello,

I need to push an image to account A ECR, using account B's IAM user, but when I use aws-actions/amazon-ecr-login@v1, I receive a "no basic auth credentials" error. Accounts A and B are in the same region.
But if I switch to the aws ecr get-login-password & docker login method for ECR login, the image is pushed to account A ECR with no problem.

So this workflow ends with "no basic auth credentials" error :

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: <Account B Access Key>
          aws-secret-access-key: <Account B Secret Access Key>
          aws-region: <A&B Region>

      - name: AWS ECR Login
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Docker Build & Push to ECR
        run: |
          docker build -t <Account A ECR Repository>:<tag> -f Dockerfile .
          docker push <Account A ECR Repository>:<tag>

But for aws ecr get-login-password & docker login, push succeeds.

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: <Account B Access Key>
          aws-secret-access-key: <Account B Secret Access Key>
          aws-region: <A&B Region>

      - name: AWS ECR Login
        run: |
          aws ecr get-login-password --region <A&B Region> | docker login --username AWS --password-stdin <Account A ECR Registry>

      - name: Docker Build & Push to ECR
        run: |
          docker build -t <Account A ECR Repository>:<tag> -f Dockerfile .
          docker push <Account A ECR Repository>:<tag>

Is there anything that I need to do differently for this kind of job?

Here is my ECR Permission on account A just for reference. But I'm guessing the permission setting is the issue here as aws ecr get-login-password & docker login with same aws-actions/configure-aws-credentials works.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<Account B ID>:root"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}

Thank you.

Single registry entry fails

When working with a single registryId:

- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
  with:
    registries: 012346789012

I get Invalid parameter at 'registryIds' failed to satisfy constraint: 'Member must satisfy constraint: [Member must satisfy regular expression pattern: [0-9]{12}]'. Yes, the registryId is twelve numeric digits.

When I remove the entry and rely on the default registry, it works.

Bump Node.js 12 to 16 warning

Action linter is warning about nodev12 actions getting deprecated soon.

Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16: aws-actions/amazon-ecr-login

Any chance of that happening?

Migrate action on Node 16

GitHub has decided to deprecate running actions on Node 12. While the date for disabling Node 12 actions is not set, it would be good to start discussing the idea of updating this action to run on Node 16. Even if a v2 is not released, a v1-node16 could be released like aws-actions/configure-aws-credentials is doing for now (see aws-actions/configure-aws-credentials#489 (comment)).

https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

unable to access ecr repository from a different account

I am using self-hosted GitHub runners running in our EKS cluster. These self-hosted runners are tied to a service account that has a role with a trust relationship to my EKS identity provider and a policy to assume a role from another account that has access to ECR. When actions run I get an error:

denied: User: arn:aws:sts::A:assumed-role/cp-sw-actions-runner/GitHubActions is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-west-2:B:repository/runner-test because no resource-based policy allows the ecr:InitiateLayerUpload action
Error: Process completed with exit code 1.
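
A way to check a repository policy for the push actions that error names, as an added example (not code from the action, from AWS, or from the posters). The account ID is a constructed placeholder, missingPushActions and the sample policies are hypothetical, and the evaluation is simplified: Condition, NotAction and NotPrincipal are ignored and identity policies are out of scope.

```javascript
// Added example: simplified check of an ECR repository (resource-based) policy.
// It answers one question: which repository-level push actions does the
// policy NOT grant to the calling principal?

// Repository-level actions a docker push needs.
const PUSH_ACTIONS = [
  'ecr:BatchCheckLayerAvailability',
  'ecr:InitiateLayerUpload',
  'ecr:UploadLayerPart',
  'ecr:CompleteLayerUpload',
  'ecr:PutImage',
];

// Policy fields may be a single value or a list; a missing field is empty.
const toArray = (v) => (v == null ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns allow '*' and '?' wildcards and are case-insensitive.
function actionMatches(pattern, action) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${re}$`, 'i').test(action);
}

// caller: { accountId, roleName }, read from the assumed-role ARN in the error.
function principalMatches(principal, caller) {
  if (principal === '*') return true;
  return toArray(principal && principal.AWS).some((p) =>
    p === '*' ||
    p === caller.accountId ||
    p === `arn:aws:iam::${caller.accountId}:root` ||
    p === `arn:aws:iam::${caller.accountId}:role/${caller.roleName}`);
}

// Returns the push actions the policy does not grant to the caller.
// A null policy (no repository policy attached) grants nothing.
function missingPushActions(policy, caller) {
  const statements = toArray(policy && policy.Statement)
    .filter((s) => principalMatches(s.Principal, caller));
  const hit = (effect, action) => statements.some((s) =>
    s.Effect === effect &&
    toArray(s.Action).some((p) => actionMatches(p, action)));
  // An explicit Deny overrides any Allow.
  return PUSH_ACTIONS.filter((a) => hit('Deny', a) || !hit('Allow', a));
}

// Constructed caller: placeholder account ID, role name from the error text.
const CALLER = { accountId: '111111111111', roleName: 'cp-sw-actions-runner' };

// Constructed sample: grants the caller's account pull actions only.
const PULL_ONLY_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { AWS: ['arn:aws:iam::111111111111:root'] },
    Action: [
      'ecr:BatchCheckLayerAvailability',
      'ecr:BatchGetImage',
      'ecr:GetDownloadUrlForLayer',
    ],
  }],
};

// Constructed sample: grants everything, then denies PutImage to everyone.
const ALLOW_ALL_DENY_PUT_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Principal: { AWS: '111111111111' }, Action: 'ecr:*' },
    { Effect: 'Deny', Principal: '*', Action: 'ecr:PutImage' },
  ],
};

console.log(missingPushActions(null, CALLER));
console.log(missingPushActions(PULL_ONLY_POLICY, CALLER));
console.log(missingPushActions(ALLOW_ALL_DENY_PUT_POLICY, CALLER));
```

An empty result only says the repository policy is not the blocker; the caller's own identity policy still has to allow the same actions.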

unable to push image to ECR

The pipeline part for this process is shown thus:

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-east-2

- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1

- name: Build, tag, and push image to Amazon ECR
  id: build-image
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    ECR_REPOSITORY: service-t

The error is shown thus:

name unknown: The repository with name 'service-t' does not exist in the registry with id '***'

Error: Process completed with exit code 1.

I have tried all means to solve this by confirming that all parameters and the repo are correct, but I still get the same error. I need help; how do I handle this, please?

Log into registry in another account in different region under a self-hosted environment

I'm in a situation where I need to authenticate to an ECR registry in a different account and region than where the self-hosted runner is running in. This is part of an internal project of migrating AWS accounts but still needing to access resources within the account we're moving away from.

A self-hosted runner in Account A (in region us-west-2) contains an IAM instance profile that allows it to assume a role in Account B to push images to the ECR registry (in region us-east-1), amongst many other things.

I can successfully assume the role in Account B using aws-actions/configure-aws-credentials@v1, but since the region input is for the initial client, aws-actions/amazon-ecr-login implicitly inherits it when it authenticates to ECR. I need it to use a different region.

At first I thought I could modify the region in its own step:

# there is a step prior that assumes the role
# ....
- name: Set AWS region to us-east-1
  run: aws configure set default.region us-east-1
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Account B AWS ECR
  run: |
    docker build -t $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION

But it didn't work. This Github Action still authenticated to the ECR registry in the us-west-2 region.

Then I thought to run AWS ECR commands directly to specify the region:

# there is a step prior that assumes the role
# ....
- name: Login to Account B ECR
  run: |
    aws ecr get-login-password --region $ACCT_B_REGION | \
    docker login --username AWS --password-stdin $ACCT_B_ECR_REGISTRY
- name: Build, tag, and push image to Account B AWS ECR
  run: |
    docker build -t $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION

This works but it replaces this convenient GitHub Action. It would be nice, despite it being very uncommon, if I could just provide this GitHub Action the region I need to authenticate into. This approach also stores the credentials unencrypted: WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Another approach I took is using aws-actions/configure-aws-credentials@v1 again to use the temporary assumed-role credentials (set to environment variables in a previous step) to set the region for subsequent steps.

# there is a step prior that assumes the role
# ....
- name: Configure temp AWS credentials for ECR login
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
    aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
    aws-region: us-east-1
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Account B AWS ECR
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
  run: |
    docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION

This worked but adds another step to the job.

So, is there a simpler way to do this than what I've done above? Is there a simpler way to modify the region before running this Github Action? If not, could we add a region input to this Github Action. I can work on this if this is something desired.

Please support proxies

HTTP_PROXY, HTTPS_PROXY is not taken into account.

Error: Inaccessible host: api.ecr.eu-central-1.amazonaws.com' at port undefined'. This service may not be available in the `eu-central-1' region.

If registries number start from 0, then 0 is truncated

Hi,
I have the error:

Error: Invalid parameter at 'registryIds' failed to satisfy constraint: 'Member must satisfy constraint: [Member must satisfy regular expression pattern: [0-9]{12}]'

The funny thing is that my other builds are working like a charm with the same configuration. The difference is that number, and I've checked it: it satisfies the regular expression [0-9]{12}, but still it breaks. Any advice?
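
The truncation named in this issue's title, reproduced as an added example (not code from the action or from the posters). parseRegistries and asUnquotedScalar are hypothetical helpers, the 12-digit rule is the pattern quoted in the error above, and the Number() round-trip is an assumed stand-in for an unquoted numeric value in the workflow file losing its leading zero.

```javascript
// Added example: validate the comma-separated `registries` input before it
// reaches the ECR API, and flag IDs that look like they lost leading zeros.

// Pattern quoted in the API error: exactly twelve decimal digits.
const ACCOUNT_ID = /^[0-9]{12}$/;

// Stand-in (assumption) for an unquoted numeric scalar: once the text is
// handled as a number and turned back into a string, leading zeros are gone.
function asUnquotedScalar(text) {
  return /^[0-9]+$/.test(text) ? String(Number(text)) : text;
}

// Splits the input and sorts each entry into valid or invalid, with a hint.
function parseRegistries(input) {
  const valid = [];
  const invalid = [];
  for (const raw of String(input).split(',')) {
    const id = raw.trim();
    if (id === '') continue; // tolerate trailing commas
    if (ACCOUNT_ID.test(id)) {
      valid.push(id);
    } else if (/^[0-9]{1,11}$/.test(id)) {
      // All digits but too short: consistent with dropped leading zeros.
      const padded = id.padStart(12, '0');
      invalid.push({
        value: id,
        hint: `if leading zeros were dropped, quote the ID: "${padded}"`,
      });
    } else {
      invalid.push({ value: id, hint: 'not a 12-digit AWS account ID' });
    }
  }
  return { valid, invalid };
}

// The ID from the "Single registry entry fails" report on this page.
const quoted = parseRegistries('012346789012');
const unquoted = parseRegistries(asUnquotedScalar('012346789012'));

console.log(quoted);   // one valid 12-digit ID
console.log(unquoted); // one invalid 11-digit ID with a quoting hint
```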

Masked ECR value after login

Using it as follows in my Actions workflow:

jobs:
  build:
    name: Build Image
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Build, tag, and push image to Amazon ECR
        id: build-image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          IMAGE_NAME: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}
        run: |
          # Build a docker container and
          # push it to ECR so that it can
          # be deployed to ECS.
          docker build -t $IMAGE_NAME:latest .
          docker tag $IMAGE_NAME:latest $IMAGE_NAME:$RELEASE_TAG
          docker push $IMAGE_NAME

But it gives an error on pushing the image:

Successfully built fc0461d2f287
Successfully tagged ***.dkr.ecr.us-west-2.amazonaws.com/qcg-backend:latest
Error parsing reference: "***.dkr.ecr.us-west-2.amazonaws.com/qcg-backend:" is not a valid repository/tag: invalid reference format
Error: Process completed with exit code 1.

It seems the value of ${{ steps.login-ecr.outputs.registry }} is masked ***.

Download Action: Operation Canceled

Good morning, this might not be entirely related to the code base of amazon-ecr-login, if there is a better place to report this, please advise.

I am using the ecr-login action as described in the docs:

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ap-northeast-1

- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1

When running the action, the initial job, which is setup, fails to download the tarballs from the official actions, and the execution of the workflow gets cancelled.
Here is a screenshot of the issue


Login persistence to containerized action steps

Hi, I am using a step after aws-actions/amazon-ecr-login@v1 called mamezou-tech/buildpacks-action@master to build and push the image to ECR, and as they use a Dockerfile to run the step within a container, the docker connection session is not persisted.

Is there a way to make it work? What could be done to have other "dockerized" steps to be able to benefit from the docker login action?

Thanks!

[Feature request] Add action typings

Hi AWS!

Maintainer of https://github.com/krzema12/github-actions-kotlin-dsl here. Your actions have first-class support in the library.

Recently we've come up with a way to reduce operational load when keeping library's action wrappers in sync with action's inputs. The solution includes onboarding https://github.com/krzema12/github-actions-typing. It's as easy as adding an extra YAML file to your repository root, and adding a simple GitHub workflow that validates this new file. Thanks to this, the code generator in the Kotlin DSL can fetch typing info provided by you instead of us, which has a number of benefits. It has no negative effects on current action consumers, they continue to use the action via regular GitHub API, as if the file wasn't there. The typings themselves are unaware of the Kotlin DSL, and any other tool (let it be another code generator or documentation tool) can use the typings if you provide them.

In this feature request, I would like to ask you if you're open to introducing such typings in your actions. You wouldn't be first - there're already other actions using it: https://github.com/krzema12/github-actions-typing/network/dependents

If your answer is "yes", feel free to either add it yourself, or let me know - me or some of my fellow contributors would be happy to post PRs. We're also open to any kind of questions and feedback.

Invalid link in README

On AWS Credentials section,

amazon-ecr-login/README.md

Lines 164 to 166 in 3e4df45

* [Assume an IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#delegate-using-roles) to receive temporary credentials. See the [Sample IAM Role CloudFormation Template](https://github.com/aws-actions/configure-aws-credentials#sample-iam-role-cloudformation-template) in the `aws-actions/configure-aws-credentials` action to get an example.
* [Grant least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) to the IAM role used in GitHub Actions workflows. Grant only the permissions required to perform the actions in your GitHub Actions workflows. See the Permissions section below for the permissions required by this action.
* [Monitor the activity](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#keep-a-log) of the IAM role used in GitHub Actions workflows.

The "Assume an IAM role" and "Monitor the activity" links do not redirect to the correct section because #<name> is not found anymore.

ECR Password Is Not Populated

Hello,

I am using the amazon-ecr-login to generate an ecr_username and ecr_password to use with a docker login as follows but the password doesn't seem to be populated

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1

      - name: Login to Amazon ECR
        id: login_ecr
        uses: aws-actions/amazon-ecr-login@v1

## and then 

    outputs:
      ecr_username: ${{ steps.login_ecr.outputs.docker_username_<aws_acc_no>_dkr_ecr_eu_west_1_amazonaws_com }}
      ecr_password: ${{ steps.login_ecr.outputs.docker_password_<aws_acc_no>_dkr_ecr_eu_west_1_amazonaws_com }}

I then reference them in a separate job like this

    services:
      container:
        image: <aws_acc_no>.dkr.ecr.eu-west-1.amazonaws.com/<repo_name>/<container>:<short_sha>
        credentials:
          username: ${{ needs.build.outputs.ecr_username }}
          password: ${{ needs.build.outputs.ecr_password }}

When printed out, the username echoes as AWS whereas the password does not. I suspected this was due to masking, but I get this error:

Error: .github/workflows/ci.yml (Line: 277, Col: 21): Unexpected value ''
Error: The template is not valid. .github/workflows/ci.yml (Line: 277, Col: 21): Unexpected value ''

As a way round this I ran the following in the workflow and it works

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1

      - name: get ECR username & password
        id: extract_password
        run: echo "##[set-output name=ecr_password_2;]$(aws ecr get-login-password)"

    outputs:
      ecr_password_2:  ${{ steps.extract_password.outputs.ecr_password_2 }}

    services:
      container:
        image: <aws_acc_no>.dkr.ecr.eu-west-1.amazonaws.com/<repo_name>/<container>:<short_sha>
        credentials:
          username: AWS
          password: ${{ needs.build.outputs.ecr_password_2 }}

I'm not sure what's happening with password as it doesn't seem to be populated

pick up on AWS_DEFAULT_REGION environment variable

AWS_DEFAULT_REGION is an official environment variable in AWS https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-list.

In my workflow I specify:

env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  AWS_DEFAULT_REGION: eu-central-1

which is needed for some other jobs. It would be nice if we do not have to set the region again with:

with:
   aws-region: $AWS_DEFAULT_REGION

but that it can pick this up automatically 🙏🏽

unable to push image to ECR

permissions for the user who is running the pipeline -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ecr:*",
            "Resource": "*"
        }
    ]
}

pipeline step Login to Amazon ECR succeeds

    AWS_REGION: us-east-1
Run aws-actions/amazon-ecr-login@v1
  with:
  env:
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_DEFAULT_REGION: us-east-1
    AWS_REGION: us-east-1

registry - 475882391631.dkr.ecr.us-east-1.amazonaws.com/contenttech

error:

name unknown: The repository with name '***.dkr.ecr.us-east-1.amazonaws.com/contenttech' does not exist in the registry with id '***'
##[error]Process completed with exit code 1.

details and full pipeline -
link

The identifier 'login-ecr' may not be used more than once within the same scope.

My current project involves pulling a docker image from an ECR in region A and pushing it into region B within the same AWS account. But the problem is that I can't log into different ECR's using amazon-ecr-login twice (changing the region on configure-aws-credentials@v1 beforehand).

Is there any way to solve this issue? Code below

      - name: Configure AWS credentials for region A
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: sa-east-1

      - name: Login to Amazon ECR on region A
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Pull docker image from Amazon ECR
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: my_repo
          IMAGE_TAG: latest
        run: |
          docker pull $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG my_image:latest
          docker images

      - name: Logout of Amazon ECR
        if: always()
        run: docker logout ${{ steps.login-ecr.outputs.registry }}

      - name: Configure AWS credentials for region B
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-west-1

      - name: Login to Amazon ECR on region B
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Tag and push Docker image to Amazon ECR
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: my_repo
          IMAGE_TAG: latest
        run: |
          docker tag my_image:latest $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

`save-state` and `set-output` are deprecated

The action yields the following warning

Warning: The `save-state` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Should resolve once dependabot PR #352 finds its way to the next release

Single registry fails

It really does appear to fail as #27 suggested.

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
        with:
          registries: 1111111111
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ECR_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_ECR_SECRET_ACCESS_KEY }}
          AWS_REGION: 'my-hardcoded-region-here'
      - name: Build, tag, and push image to Amazon ECR
        id: build-tag-push
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: api
          IMAGE_TAG: ${{ github.sha }}
        run: |
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

Replaced my actual registry id with 1s above. No space after it.

ECR_REGISTRY ends up empty.

Login to ECR Issue

I'm having an issue pushing images to a second repo.
My workflow is pulling from one repo in a dev account, and pushing the same image to a repo in a different account:

      - name: Configure AWS Credentials for build and deploy
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Amazon ECR "Login" Action for GitHub Actions
        uses: aws-actions/amazon-ecr-login@v1

      - name: Create QA Docker Tags
        working-directory: ./api
        run: |
          docker pull ${SOURCE_ECR_IMAGE_REPOSITORY}:${GITHUB_SHA}
          docker tag ${SOURCE_ECR_IMAGE_REPOSITORY}:${GITHUB_SHA} ${DESTINATION_ECR_IMAGE_REPOSITORY}:prod-latest
          docker tag ${SOURCE_ECR_IMAGE_REPOSITORY}:${GITHUB_SHA} ${DESTINATION_ECR_IMAGE_REPOSITORY}:${GITHUB_SHA}
          docker tag ${SOURCE_ECR_IMAGE_REPOSITORY}:${GITHUB_SHA} ${DESTINATION_ECR_IMAGE_REPOSITORY}:${{ needs.calc-app-version.outputs.app_version }}

      - name: Configure AWS Credentials for build and deploy
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Amazon ECR "Login" Action for GitHub Actions
        uses: aws-actions/amazon-ecr-login@v1

      - name: Publish Image
        run: docker push --all-tags ${DESTINATION_ECR_IMAGE_REPOSITORY}

It seems to log in correctly, but it fails on the publish saying that there are no credentials

Run docker push --all-tags ${DESTINATION_ECR_IMAGE_REPOSITORY}
The push refers to repository [*****.dkr.ecr.us-east-1.amazonaws.com/core-api]
no basic auth credentials
3702670ce3c4: Preparing
4eaaf9ca664b: Preparing
ce7e5c5cc356: Preparing
e330fc6a21cc: Preparing
b2d5eeeaba3a: Preparing
Error: Process completed with exit code 1.

Could Not Login Error

Not sure what I am doing wrong, but getting this error while running github actions in an ubuntu based self hosted runner on AWS.


Usage question with actions `services` and assume role

Is there any recommended usage for GH Actions services key when using this action to retrieve ecr login details? They run before any steps in the job are performed so there's no way to run ecr-login beforehand.

My first thought was to login in one job and then use that in another job, like so:

jobs:
  ecr-login:
    runs-on: ubuntu-latest
    outputs:
      docker_user: ${{ steps.login-to-ecr.outputs.docker_username_my_account_id_dkr_ecr_eu_west_1_amazonaws_com }}
      docker_password: ${{ steps.login-to-ecr.outputs.docker_password_my_account_id_dkr_ecr_eu_west_1_amazonaws_com }}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          role-to-assume: 'arn:aws:iam::my_account_id:role/my_role'
          role-duration-seconds: '3600'
      - name: Login to ECR
        uses: aws-actions/amazon-ecr-login@v1
        id: login-to-ecr
  test:
    runs-on: ubuntu-latest
    needs: ecr-login
    services:
      param_store:
        image: my_account_id.dkr.ecr.eu-west-1.amazonaws.com/***/***
        credentials:
          username: ${{ needs.ecr-login.outputs.docker_user }}
          password: ${{ needs.ecr-login.outputs.docker_password }}
    
    ...

But this doesn't work because:
a) the post ecr-login step logs out of the repository
and
b) the docker_password is never output from the job because it's considered secret.

Are there any recommendations on how to handle this for the GitHub Actions services node? Account IDs and names of repos are obscured for obvious reasons.

How to use ecr login with gh action services

Hi!
I have an issue with ECR login when using the postgres service.
image

workflow code is:

jobs:
  build-test:
    runs-on: ubuntu-latest
    container: node:14
    services:
      postgres:
        image: postgres:10.2
        env:
          POSTGRES_DB: postgres
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_PORT: 5432
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    outputs:
      JOB_STATUS: ${{ steps.deployment.outputs.status }}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

Please, help me with this error. A bit urgent for me.

no basic auth credentials

Sometimes the pipeline fails with the below error:
no basic auth credentials
It does not happen regularly, but this issue occurs every 10-15 days.

Pipeline steps:

  - name: Configure AWS Credentials
    uses: aws-actions/configure-aws-credentials@v1
    with:
     aws-region: ${{env.REGION}}
     role-to-assume: ${{env.ASSUME_ROLE}}
     role-duration-seconds: 1200
     role-skip-session-tagging: true
          

  - name: Login to Amazon ECR 
    id: login-ecr
    uses: aws-actions/amazon-ecr-login@v1
    
  - name: Build, tag, and push image to Amazon ECR
    env:          
      ECR_URL: ${{ steps.login-ecr.outputs.registry }}
    run: |
      docker build -t $ECR_URL/$ECR_REPO:$IMAGE_TAG .
      docker push $ECR_URL/$ECR_REPO:$IMAGE_TAG

Update AWS SDK to v3?

How about updating AWS SDK to v3?

I suggest doing this with #116.

I am happy to help. I hope this Action will be active.

Environment variables format error (documentation has to be updated)

I receive this error when running the workflow:

.github/workflows/docker-build.yml#L32 The workflow is not valid. .github/workflows/docker-build.yml (Line: 32, Col: 12): Unexpected symbol: '$ECR_REPOSITORY'. Located at position 1 within expression: $ECR_REPOSITORY .github/workflows/docker-build.yml (Line: 43, Col: 12): Unexpected symbol: '$ECR_REPOSITORY'. Located at position 1 within expression: $ECR_REPOSITORY

Issue must be with the syntax in the documentation

- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1

- name: Build, tag, and push image to Amazon ECR
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    ECR_REPOSITORY: my-ecr-repo
    IMAGE_TAG: ${{ github.sha }}
  run: |
    docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
    docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

Environment variables have to be called in this format:

    ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}

This fixed the error.

Public ECR

When giving a public ECR like this (to push an image):

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
        with:
          registries: public.ecr.aws/deadbeef

The step fails and gives the error:

Member must satisfy regular expression pattern: [0-9]{12}

Please release the software

There have been quite a few commits to master since release v1.3.3 on 15 Feb 2021 - it would make a lot of sense to release the software. We lost a few hours because we assumed that the documentation in the readme corresponds to the released functionality - which it doesn't.

Thank you for your consideration.

Safely logging out?

I'd like to use GitHub Actions in a way where I would need to pull an image from a private ECR repository, but run untrusted code on the action worker afterwards.

What steps should I take to make sure malicious code cannot obtain (temporary) access credentials to ECR?

Is using docker logout enough, or which cleanup steps should I take?
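
A check for the question above, as an added example (not from the issue or the action's code): it scans a Docker client config and an environment map for anything that could still authenticate to the registry after a logout. The function name, sample config and sample environment are constructed; `auths`, `credHelpers` and `credsStore` are Docker CLI config keys, and the `AWS_*` names are the standard AWS SDK environment variables, assumed here to be how credentials reach later steps.

```javascript
// Added example: audit helper, not part of amazon-ecr-login.
const AWS_ENV_KEYS = ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'];

// Returns a list of findings; an empty list means nothing was detected.
function auditRunner(dockerConfigText, env, registryHost) {
  const findings = [];
  let config = {};
  try {
    config = JSON.parse(dockerConfigText || '{}');
  } catch (err) {
    findings.push('docker config is not valid JSON; inspect it by hand');
  }
  // Inline credentials: `auth` is base64(user:password), readable by any
  // process that can read the config file.
  for (const [key, entry] of Object.entries(config.auths || {})) {
    const host = key.replace(/^https?:\/\//, '').split('/')[0];
    if (host !== registryHost) continue;
    if (entry && (entry.auth || entry.identitytoken)) {
      findings.push(`auths["${key}"] still holds a credential`);
    } else {
      findings.push(`auths["${key}"] is empty; the credential may sit in a store`);
    }
  }
  // A per-registry helper is consulted on every pull; whether a logout
  // revokes anything depends on the helper.
  const helper = (config.credHelpers || {})[registryHost];
  if (helper) findings.push(`credHelpers maps ${registryHost} to "${helper}"`);
  if (config.credsStore) {
    findings.push(`credsStore "${config.credsStore}" is set; check it for ${registryHost}`);
  }
  // AWS credentials left in the environment can request a fresh ECR token.
  for (const name of AWS_ENV_KEYS) {
    if (env[name]) findings.push(`environment variable ${name} is set`);
  }
  return findings;
}

// Constructed sample: the inline ECR entry is gone, but a helper mapping and
// exported session credentials remain.
const REGISTRY = '123456789012.dkr.ecr.us-east-1.amazonaws.com';
const sampleConfig = JSON.stringify({
  auths: { 'https://index.docker.io/v1/': { auth: 'constructed' } },
  credHelpers: { [REGISTRY]: 'ecr-login' },
});
const sampleEnv = { AWS_ACCESS_KEY_ID: 'constructed', AWS_SESSION_TOKEN: 'constructed' };

for (const f of auditRunner(sampleConfig, sampleEnv, REGISTRY)) console.log('FOUND:', f);
```

In a workflow this would be fed the contents of the runner's Docker config file and `process.env` in a step placed just before the untrusted code runs.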

Possible to just use and deploy containers for my GitHub action environment from AWS (NOT TO PUSH, BUT TO PULL)

Hi community!

I would like to ask for a feature (or in case of me missing this feature please help me to see how to proceed), when deploying actions in github CI.

Basically, I don't find any info about how to pull containers from AWS and deploy them in CI GitHub Actions during the job execution:

jobs:
      backend-job:
            name: CI backend Integration env
            runs-on: ubuntu-latest
            services:
                  postgres:
                        image: postgres:10
                        ports:
                              - 5432:5432
                  rabbitmq:
                        image: rabbitmq
                        ports:
                              - 5672:5672
                  redis:
                        image: redis:alpine
                        ports:
                              - 6379:6379
            steps:
                  - name: Step 1
                    uses: ...
                  - name: Step 2
                    uses: ...

and add own docker-based app containers (from aws, google, heroku... whatever) passing credentials like:

...

            services:
            
                .....
                
                   some-aws-service:
                        image: XXXXXXXXX.YYY.ecr.eu-west-1.amazonaws.com/<AWS OWN SERVICE>:latest
                        ports:
                              - 5000:5000
                        credentials:
                              username: ${{ secrets.AWS_ACCESS_KEY_ID }}
                              password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

Following multiple approaches like those proposed here: https://docs.github.com/es/actions/using-jobs/running-jobs-in-a-container

But I receive this:

image

I also added these steps (https://github.com/aws-actions/amazon-ecr-login) at the beginning:

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: arn:aws:iam::123456789012:role/my-github-actions-role
        aws-region: us-east-1

    - name: Login to Amazon ECR Private
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v1

...

But nothing was possible...

Can you shed more light on this please?

Many thanks in advance!!!!

The node12 is not supported on macOS ARM64 platform. Use node16 instead.

Hi, I am trying to move my github arm actions to an M1 Mac Mini build server with a self-hosted runner, but it fails with the following errors:

Run aws-actions/configure-aws-credentials@v1
The node12 is not supported on macOS ARM64 platform. Use node16 instead.

Run aws-actions/amazon-ecr-login@v1
The node12 is not supported on macOS ARM64 platform. Use node16 instead.
Logging into registry ***.dkr.ecr.us-east-1.amazonaws.com

Cannot access Docker Password nor Username

According to the docs, one should be able to access the docker username/password using the prefixes docker_username and docker_password (with a "cleaned" suffix with the registry URL); however, they don't seem to be being set. I looked at the code and I see the output; however, when I dump the step's outputs, the values are not there.

I enabled Debugging and I can confirm they are not being set:

##[debug]Evaluating condition for step: 'Amazon ECR "Login" Action for GitHub Actions'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Amazon ECR "Login" Action for GitHub Actions
##[debug]Register post job cleanup for action: aws-actions/amazon-ecr-login@v1
##[debug]Loading inputs
##[debug]Loading env
Run aws-actions/amazon-ecr-login@v1
##[debug]Requesting auth token for 1 registries:
##[debug]  '***'
::set-output name=registry::***.dkr.ecr.us-east-1.amazonaws.com
##[debug]steps.ecr_login.outputs.registry='***.dkr.ecr.us-east-1.amazonaws.com'
::save-state name=registries::***.dkr.ecr.us-east-1.amazonaws.com
##[debug]Save intra-action state registries = ***.dkr.ecr.us-east-1.amazonaws.com
##[debug]'skip-logout' is  for 1 registries.
##[debug]Node Action run completed with exit code 0
##[debug]Finishing: Amazon ECR "Login" Action for GitHub Actions

I am using the following:

      - name: Amazon ECR "Login" Action for GitHub Actions
        uses: aws-actions/amazon-ecr-login@v1
        id: ecr_login
        with:
          registries: "xxxxxxxxxxxx"
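
How the per-registry output names relate to the registry host, as an added example (not the action's source). The suffix rule is an assumption inferred from the output name `docker_username_my_account_id_dkr_ecr_eu_west_1_amazonaws_com` quoted in an earlier issue on this page; the function names and the sample token are constructed.

```javascript
// Added example: not the action's code.

// Assumption: every run of characters outside [A-Za-z0-9_] becomes "_".
// This reproduces the output name quoted on this page for
// my_account_id.dkr.ecr.eu-west-1.amazonaws.com.
function outputSuffix(registryHost) {
  return registryHost.replace(/[^a-zA-Z0-9_]+/g, '_');
}

// An ECR authorization token is base64("AWS:<password>"). Split on the first
// colon only, so a password containing ":" is not truncated.
function decodeAuthToken(authorizationToken) {
  const decoded = Buffer.from(authorizationToken, 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 1) throw new Error('token is not in user:password form');
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Build the output names a workflow would reference for one registry.
function expectedOutputs(authData) {
  const host = new URL(authData.proxyEndpoint).host;
  const suffix = outputSuffix(host);
  return {
    registry: host,
    names: {
      username: `docker_username_${suffix}`,
      password: `docker_password_${suffix}`,
    },
    creds: decodeAuthToken(authData.authorizationToken),
  };
}

// Constructed sample shaped like one authorizationData entry returned by
// GetAuthorizationToken; the account ID and password are made up.
const sample = {
  proxyEndpoint: 'https://123456789012.dkr.ecr.us-east-1.amazonaws.com',
  authorizationToken: Buffer.from('AWS:not:a:real:password').toString('base64'),
};

const result = expectedOutputs(sample);
// Print only the names, never the decoded credential.
console.log(result.registry, result.names);
// Expression to look for when dumping the outputs of a step with id "ecr_login":
console.log('${{ steps.ecr_login.outputs.' + result.names.password + ' }}');
```

Comparing these names with the keys actually present in `steps.ecr_login.outputs` shows whether the outputs are missing or only named differently.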
