Kaniko failing to push to ECR

[leepatrick-goop]

Actual behavior
Trying to push to ECR with Kaniko on Gitlab on Kubernetes and get a user denied with the node instance role as the user even when providing access and secret keys with the credstore.

Expected behavior
images pushes to ECS

To Reproduce
Steps to reproduce the behavior:
$ echo "{"credsStore":"ecr-login","credHelpers":{"$AWS_DOCKER_URL":"ecr-login"}}" > /kaniko/.docker/config.json
$ /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $DOCKER_REPOSITORY:$CI_COMMIT_SHORT_SHA --build-arg NPM_TOKEN=$NPM_TOKEN --skip-unused-stages=true
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "[MASKED].dkr.ecr.us-east-1.amazonaws.com/[MASKED]:b263001f": POST https://[MASKED].dkr.ecr.us-east-1.amazonaws.com/v2/[MASKED]/blobs/uploads/: DENIED: User: arn:aws:sts::[MASKED]:assumed-role/[MASKED]-NodeInstanceRole/i-[MASKED] is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-1:[MASKED]:repository/[MASKED]

Description	Yes/No
Please check if this a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile

[tejal29]

Will the v1.3.0 with #1458 fix it?

[AndrewFarley]

Will the v1.3.0 with #1458 fix it?

It does not. Having this problem on 1.3.0. Although the error is slightly different, so may be a new issue, please tell me if I should open a new issue.

WARN[0013] error uploading layer to cache: failed to push to destination 000000000000.dkr.ecr.us-east-
2.amazonaws.com/devops/devops-master-orchestration-image/
cache:46c9069e879abce7dae481c5533990365793f24815dd466f4b9e8ade252e7e36: 
POST https://000000000000.dkr.ecr.us-east-2.amazonaws.com/v2/devops/devops-master-orchestration-
image/cache/blobs/uploads/: NAME_UNKNOWN: The repository with name 'devops/devops-master-orchestration-
image/cache' does not exist in the registry with id '000000000000'

(Replaced ^ account id with 000000000000)

The problem is, ECR requires you to manually create new sub-repos annoyingly unlike some other container registries. Thus the error above. I could fix it if I create a new repo with /cache suffixed though. For now I'm going to just manually create a secondary cache-specific repo for every ECR repo, but this is super annoying. Should be a better fix. Eg: should just push to the same ECR repo. Perhaps with a tag prefix of _cache or something so it could be identified and purged easily if desired.

[AndrewFarley]

Edit ^ guess I figured that out, you can choose cache-repo, can choose the same repo. :P

[jordan85]

Hi @AndrewFarley
I have the same problem :
my sub-repo is create in ECR (myproject/cache), temp image are pushed correctly in ECR during my CI :

INFO[0139] Pushing layer myrepo.dkr.ecr.eu-west-3.amazonaws.com/myproject/cache:43563ca93d5e42cd3b8c192916d8432c6ad3f180a315 to cache now 

But at the end job I have the following error :

E0323 20:23:21.609447      22 aws_credentials.go:100] error getting credentials from ECR for myaccount.dkr.ecr.eu-west-3.amazonaws.com NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
error pushing image: failed to push to destination myaccount.dkr.ecr.eu-west-3.amazonaws.com/myproject:7eddba53af75: HEAD https://myaccount.dkr.ecr.eu-west-3.amazonaws.com/v2/myproject/blobs/sha256:9fdae33d52319a11cb86523712e48cf1f4682fb0239a: unsupported status code 401

Do you have an idea ?

Thanks :)

[AndrewFarley]

@jordan85 Pay attention to the last message...

error pushing image: failed to push to destination myaccount.dkr.ecr.eu-west-3.amazonaws.com/myproject:7eddba53af75: HEAD https://myaccount.dkr.ecr.eu-west-3.amazonaws.com/v2/myproject/blobs/sha256:9fdae33d52319a11cb86523712e48cf1f4682fb0239a: unsupported status code 401

My guess is whatever IAM role or AWS credentials you have granted to your runner/image doesn't have access to that ECR repo, and/or that does not exist (yet). Honestly, the error messages of Kaniko could be a lot better, but I understand it's just giving you the error from upstream. It could be more intelligent about it though, it's frustrating to debug. I would check...

1. Check to make sure you have an IAM Role or Access/Secret key in your kaniko pod which grants access to that repo, this can be hard to do if you're using kaniko in docker, as you have no aws cli to run commands to validate this.
2. Make sure that repo exists
3. Check the permissions of that repo (per-ecr repo permissions) to ensure that your user has access

[jordan85]

Thanks for your reply @AndrewFarley

1 - I think yes ; because temp image are correctly upload in my ECR "myproject/cache"
2 - Repo exists, I have push image from my laptop without problem
3 - I think permissions are ok because push from my laptop are ok

I use amazon-ecr-credential-helper, I have open issue for this awslabs/amazon-ecr-credential-helper#270

This problem is only present during a Docker multi stage.
For exemple, in other registry like gitlab.com, i haven't got push problem.

If you want I can add verbose log in my Kaniko but don't sure is most for you..

Have a good day :)

[AndrewFarley]

@jordan85 Weird, if it's only during a multi-stage that indeed sounds like a bug. Sorry I'm not a kaniko dev, just trying to help. :( Likely pasting/pastebin-ing a verbose log would be helpful for devs debugging it though. Can't hurt.

Best of luck!

[drakmail]

Are you sure you are using correct command to set credentials config?

Seems that you forget about escaping...

$ echo "{"credsStore":"ecr-login","credHelpers":{"$AWS_DOCKER_URL":"ecr-login"}}" > /kaniko/.docker/config.json

$ cat /kaniko/.docker/config.json 
{credsStore:ecr-login,credHelpers:{:ecr-login}}

As you can see, you docker config is messed up

[tiru1930]

I am also seeing same issues it say

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "xxxxxx.dkr.ecr.region.amazonaws.com/test-ecr-issue:latest": POST https://xxxxxxx.dkr.ecr.region.amazonaws.com/v2/test-ecr-issue/blobs/uploads/: unexpected status code 401 Unauthorized: Not Authorized

running below command on my local

docker run       -v "$HOME"/.aws/credentials:/root/.aws/credentials     gcr.io/kaniko-project/executor:latest     --dockerfile dockerfiles/inference.Dockerfile     --destination xxxxx.dkr.ecr.region.amazonaws.com/test-ecr-issue:latest    --context s3://bucket/data/v4/5f0b5bec-9547-44e8-afb6-589a9c6f7e2e/training/1bfa2ff7-db11-4cf0-b598-9b3af6781494.tar.gz     --verbosity trace

It was able download the context but failing while pushing it ecr. Same configuration was working till yesterday

[jordan85]

Hi all and @tiru1930

Issue is fix for me. Stupid problem but I dont't know if it's a bug or not...

As a reminder

• With gitlabci and multi-stage image builder my gitlab.com push : OK .

• With gitlabci and simple-stage image builder my ECR push : OK .

• With gitlabci and multi-stage image builder my ECR push : FAILED .

For my ECR authentification I used the following line :

echo "{"credHelpers":{"$ECR_REGISTRY":"ecr-login"}}" > /kaniko/.docker/config.json

It’s important not to use kaniko user (home directory) for config.json storage.
In my case I used /root/.docker/config.json after this issue and my multistage to ECR was good.

[tiru1930]

@jordan85 thank you , i have figured it out, it was running this command after setting docker config,

[ngoyal16]

@jordan85 were you able to figure out the solution for

With gitlabci and multi-stage image builder my ECR push : FAILED .

we also facing same issue with single stage build it is working fine

[jpdoria]

@jordan85 Thank you. Doing echo "{"credHelpers":{"$ECR_REGISTRY":"ecr-login"}}" > /root/.docker/config.json fixed my ECR auth issue.

[sebasmagri]

I previously had only {\"credsStore\":\"ecr-login\"} as documented here, however I kept running into this issue.

Maybe this needs a documentation update to add the credHelpers piece?

{\"credsStore\":\"ecr-login\",\"credHelpers\":{\"$ECR_REGISTRY\":\"ecr-login\"}}

In any case, I'm able to reproduce 100% with multistage images. It works fine with non-multistage images.

[Jasper-Ben]

I have a similar issue, but setting credHelpers does not seem to help 😞. However, I am getting an "EOF" error. Maybe I am doing something wrong?

Error message:

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "<account_id>.dkr.ecr.eu-central-1.amazonaws.com/<image_name>:<image_tag>": Post "https://<account_id>.dkr.ecr.eu-central-1.amazonaws.com/<image_name>/blobs/uploads/": EOF

My terraform config:

# use a unix timestamp as image tag
resource "time_static" "image_tag" {
  triggers = {
    repository_url = var.ecr_repository_url
  }
}

resource "kubernetes_config_map" "kaniko_config" {
  metadata {
    name      = "${var.prefix}${var.project_name}-kaniko-config"
    namespace = var.namespace
  }
  data = {
    "config.json" = jsonencode(
      {
        credsStore = "ecr-login"
        credHelpers = {
          "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.aws_region}.amazonaws.com" = "ecr-login"
        }
      }
    )
  }
}

# build and push container image
resource "kubernetes_job" "build_image" {
  metadata {
    name      = "${var.prefix}${var.project_name}-build"
    namespace = var.namespace
    labels    = local.common_labels_k8s
  }
  spec {
    template {
      metadata {}
      spec {
        container {
          name = "kaniko"
          image             = "gcr.io/kaniko-project/executor:v1.6.0-debug"
          image_pull_policy = "IfNotPresent"
          args = [
            "--dockerfile=/mnt/Dockerfile",
            "--context=/mnt",
            "--destination=${time_static.image_tag.triggers.repository_url}:${time_static.image_tag.unix}"
          ]
          volume_mount {
            mount_path = "/mnt"
            name       = kubernetes_secret.build_files.metadata[0].name
          }
          volume_mount {
            mount_path = "/kaniko/.docker"
            name       = kubernetes_config_map.kaniko_config.metadata[0].name
          }
        }
        service_account_name = kubernetes_service_account.service_account.metadata[0].name
        restart_policy       = "Never"
        volume {
          name = kubernetes_secret.build_files.metadata[0].name
          secret {
            secret_name = kubernetes_secret.build_files.metadata[0].name
          }
        }
        volume {
          name = kubernetes_config_map.kaniko_config.metadata[0].name
          config_map {
            name = kubernetes_config_map.kaniko_config.metadata[0].name
          }
        }
      }
    }
  }
}

I am giving the following IAM permissions using OIDC:

      "ecr:GetAuthorizationToken",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:CompleteLayerUpload",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart"

[samypr100]

@jordan85 thanks, your instructions are the only ones that work on a multi stage build on v1.8.0 (even having a /root/.aws/credentials didn't help) likely due to #450. For single stage builds config.json is definitly not needed on v1.8.0.

[Jasper-Ben]

@jordan85 thanks, your instructions are the only ones that work on a multi stage build on v1.8.0 (even having a /root/.aws/credentials didn't help) likely due to #450. For single stage builds config.json is definitly not needed on v1.8.0.

Oh, there still seem to be issues regarding multistage builds with the new instructions for v1.8.0 @imjasonh 😕

[danikhani]

I also have the same problem. Single stage or multi stage pipelines make no difference and both fail with an EOF error:
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "<accountid>.dkr.ecr.<region>.amazonaws.com/<reponame>:latest": Post "https://<accountid>dkr.ecr.<region>.amazonaws.com/v2/<reponame>/blobs/uploads/": EOF

This problem has also been mentioned here but the solution is not clear:
#1935

[Jasper-Ben]

I also have the same problem. Single stage or multi stage pipelines make no difference and both fail with an EOF error: error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "<accountid>.dkr.ecr.<region>.amazonaws.com/<reponame>:latest": Post "https://<accountid>dkr.ecr.<region>.amazonaws.com/v2/<reponame>/blobs/uploads/": EOF

This problem has also been mentioned here but the solution is not clear: #1935

Are you using aws credentials or IAM roles for authentication? Are you using kaniko v1.8.0?

[danikhani]

I also have the same problem. Single stage or multi stage pipelines make no difference and both fail with an EOF error: error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "<accountid>.dkr.ecr.<region>.amazonaws.com/<reponame>:latest": Post "https://<accountid>dkr.ecr.<region>.amazonaws.com/v2/<reponame>/blobs/uploads/": EOF
This problem has also been mentioned here but the solution is not clear: #1935

Are you using aws credentials or IAM roles for authentication? Are you using kaniko v1.8.0?

Thank you for your fast reply. I use aws credentials for the authentication and kaniko v1.8.0 in a gitlab CICD pipeline

[ngoyal16]

I also have the same problem. Single stage or multi stage pipelines make no difference and both fail with an EOF error: error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "<accountid>.dkr.ecr.<region>.amazonaws.com/<reponame>:latest": Post "https://<accountid>dkr.ecr.<region>.amazonaws.com/v2/<reponame>/blobs/uploads/": EOF
This problem has also been mentioned here but the solution is not clear: #1935

Are you using aws credentials or IAM roles for authentication? Are you using kaniko v1.8.0?

Thank you for your fast reply. I use aws credentials for the authentication and kaniko v1.8.0 in a gitlab CICD pipeline

Same with us as well on gitlab ci/cd pipeline

[Jasper-Ben]

Ok, I believe we need more details on the exact setup you guys are using. Can you post here how you are calling the kaniko build step?

Personally, I haven't used credential based authentication, but I would assume that it should work identically to IAM based authentication (which I know to be working, at least with single stage builds) with the exception that credentials have to be mounted at the appropriate place.

[ngoyal16]

echo "{\"credsStore\":\"ecr-login\",\"credHelpers\":{\"${DOCKER_ECR_REPO_URL}\":\"ecr-login\"}}" > /kaniko/.docker/config.json

mkdir -p ~/.aws/
cat <<EOF > ~/.aws/credentials
[test-ecr]
aws_access_key_id=$ORIG_AWS_ACCESS_KEY_ID
aws_secret_access_key=$ORIG_AWS_SECRET_ACCESS_KEY
EOF

export AWS_PROFILE=test-ecr

/kaniko/executor \
        --context $CI_PROJECT_DIR \
        --dockerfile $CI_PROJECT_DIR/Dockerfile \
        --destination $DOCKER_ECR_REPO_URL/$DOCKER_IMAGE_NAME:$CI_COMMIT_SHA \
        --verbosity ${KANIKO_VERBOSE_LEVEL:-info} \
        --skip-unused-stages

This is how we are doing this is working in old kaniko version but not with 1.18

[Jasper-Ben]

echo "{"credsStore":"ecr-login","credHelpers":{"${DOCKER_ECR_REPO_URL}":"ecr-login"}}" > /kaniko/.docker/config.json

this shouldn't be necessary anymore since kaniko 1.18.0: #780 (comment)

export AWS_PROFILE=test

Shouldn't this be AWS_PROFILE=test-ecr according to your credentials file?

Have you tried reproducing this issue locally, e.g.: docker run -it --entrypoint=/bin/sh gcr.io/kaniko-project/executor:v1.8.0-debug?

[ngoyal16]

@Jasper-Ben profile name is pointint to correct one only in our config here while chaing actual name cause this.

Also have updated values above

[Jasper-Ben]

Hm ok... other than that your config file looks correct to me. 🤔
Just out of curiosity, could you try setting the env variable AWS_SDK_LOAD_CONFIG=true?

[ngoyal16]

ok let me try that.

[ngoyal16]

one more question same settings works fine when public ecr is used but private one is only causing issue

[Jasper-Ben]

one more question same settings works fine when public ecr is used but private one is only causing issue

Hm, interesting. I guess the initial connection check just tries to connect to the ECR in general and does not probe push permissions. Thus, this would not cause a permission issue, as anonymous connections to the public ECR are possible.

I assume you still need to authenticate when pushing images to a public ECR? If this is the case and you are able to push the image successfully, my guess would be that the initial connection check does not honor the provided credentials, but the authentication during the actual push operation works.

[ngoyal16]

@Jasper-Ben issue is with AWS_PROFILE due to some reason profile is not working i change the name of profile to default and it start working.

[Jasper-Ben]

@ngoyal16 glad you got it working. Interesting issue... @imjasonh, do you have an idea why this could be the case or should we just add this as requirement to the README for now?

[imjasonh]

I don't think I understand the issue well enough to comment. I need to find some time to use Kaniko with ECR myself.

If folks think that documenting AWS_PROFILE behavior would be helpful, I can approve a PR to add that to the README until I can debug it myself.

[gpid007]

          mkdir -p /kaniko/.docker
          cat <<EOF | tee /kaniko/.docker/config.json
          {
              "auths": {
                  "${CI_REGISTRY_IMAGE}": {
                      "username": "${CI_REGISTRY_USER}",
                      "password": "${CI_REGISTRY_PASSWORD}"
                  }
              },
              "credHelpers": {
                  "${aws_account_id}.dkr.ecr.${region}.amazonaws.com": "ecr-login"
              }
          }
          EOF
          export AWS_PROFILE=${stage}

this appears to work even without having the $HOME/.aws/config file set
I reckon kaniko only checks if the PROFILE is set or not...

• It would be great to know if kaniko supports the actual aws cli env vars AWS_ACCOUNT_ID and so forth.
  In the example above I explicitly set the lowercase vars in the CI/CD job
• The .aws/config is not set in the working example...

[vinay-ck]

          mkdir -p /kaniko/.docker
          cat <<EOF | tee /kaniko/.docker/config.json
          {
              "auths": {
                  "${CI_REGISTRY_IMAGE}": {
                      "username": "${CI_REGISTRY_USER}",
                      "password": "${CI_REGISTRY_PASSWORD}"
                  }
              },
              "credHelpers": {
                  "${aws_account_id}.dkr.ecr.${region}.amazonaws.com": "ecr-login"
              }
          }
          EOF
          export AWS_PROFILE=${stage}

this appears to work even without having the $HOME/.aws/config file set I reckon kaniko only checks if the PROFILE is set or not...

• It would be great to know if kaniko supports the actual aws cli env vars AWS_ACCOUNT_ID and so forth.
  In the example above I explicitly set the lowercase vars in the CI/CD job
• The .aws/config is not set in the working example...

What version of kaniko did you use for this? And i am straightaway configuring username as aws and password as aws ecr get-login-passowrd, mine is still failing.