5

I am running into credential issues when I am trying to pull an image from ECR as part of a Docker Build, using AWS CodeBuild.

For context, our setup is this:

Codebuild is calling an internal docker tool that we wrote. This tool is then doing the docker build. Example command that may make this easier to understand:

../codebuild-templates/ourtoolscript docker -v

"ourtoolscript" is just a bash script that sets a bunch of environment variables, and finally calls docker run with the command we specify.

The issue
We are attempting to do the docker build within this tool. It works locally, it also works with other repo's that do not pull an image from ECR for building.
We are doing this so all the logic for tagging and everything is a script within the tool, and we can just apply that to every repo. So saying to just do a docker build outside the tool is not an acceptable solution.

If the docker file pulls from ECR for the "FROM", it will fail with:

time="2019-03-12T14:48:25Z" level=error msg="Error listing credentials" error="ecr: Failed to get authorization token: MissingRegion: could not find region configuration"
Get https://URLTOECRWITHTAG: no basic auth credentials

Things I have tried:

What I know:

  • The credentials that CodeBuild provide are getting into our tool just fine. Since it can pull and push without issue
  • I can build just fine, if it is not building from an ECR image
  • Something is different between how the docker build does a pull vs how just a plain "docker pull" works
  • If I just do a plain "docker build ." with no build args, outside of the tool. It pulls the image just fine. So I think I am going down the wrong path with these variables.

Other Info:
My docker build command (some extra stuff removed):

docker build --build-arg AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION --build-arg AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI --rm --build-arg REPO='xyz.dkr.ecr.xyz.amazonaws.com' -f Dockerfile .
Sending build context to Docker daemon 16.64MB
jtoberon
  • 8,706
  • 1
  • 35
  • 48
Jon Heckman
  • 420
  • 2
  • 7
  • 18
  • 1
    Have you tried running `eval $(aws ecr get-login)` before the `docker build`? Also maybe [this](https://docs.aws.amazon.com/codebuild/latest/userguide/sample-ecr.html) can help. – Nicolae Mar 12 '19 at 17:52
  • Just facing the same issue recently with using the private image as base image in Dockerfile. The trick was apply what Nicolae suggested and the error went away. – Alex May 04 '21 at 02:01

0 Answers0