Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-34958

Getting "Your Authorization Token has expired" when using ECR credentials

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Blocker
    • Resolution: Fixed
    • Component/s: amazon-ecr-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.4
      Docker Build and Publish plugin 1.2.2 (+ PR #41)
    • Similar Issues:

      Description

      In an attempt to start moving away from our self-hosted Docker Registry. I came across this plugin to make it easier to push to Amazon ECR. And after a (fairly) quick fix of the Docker Build and Publish plugin. Time had come to make that happen.

      But instead I am getting the this error when it attempt to push. So something is wrong.

      The push refers to a repository [somerepo.dkr.ecr.eu-west-1.amazonaws.com/imagename]
      1b29323a75d2: Preparing
      5bf87793f977: Preparing
      5ccb950f635d: Preparing
      965c3fc60463: Preparing
      f354df03c5c3: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      9523ecdf69b1: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      6d7b4f405a28: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      099efa904cb9: Preparing
      8f83f19c7186: Preparing
      1621d30a7846: Preparing
      e989ce4ed35e: Preparing
      ae30a2e42fe4: Preparing
      461f75075df2: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      6d7b4f405a28: Waiting
      099efa904cb9: Waiting
      8f83f19c7186: Waiting
      1621d30a7846: Waiting
      e989ce4ed35e: Waiting
      ae30a2e42fe4: Waiting
      461f75075df2: Waiting
      5f70bf18a086: Waiting
      9523ecdf69b1: Waiting
      f354df03c5c3: Image push failed
      f354df03c5c3: Image push failed
      461f75075df2: Waiting
      ae30a2e42fe4: Waiting
      e989ce4ed35e: Waiting
      1621d30a7846: Waiting
      8f83f19c7186: Waiting
      099efa904cb9: Waiting
      6d7b4f405a28: Waiting
      9523ecdf69b1: Waiting
      5f70bf18a086: Waiting
      Error parsing HTTP response: invalid character 'Y' looking for beginning of value: "Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one."
      Build step 'Docker Build and Publish' marked build as failure
      

      In the panel for updating the credentials I also get the message:

      These credentials are valid but do not have access to the "AmazonEC2" service in the region "us-east-1". This message is not a problem if you need to access to other services or to other regions. Message: "You are not authorized to perform this operation. (UnauthorizedOperation)"

      But I am using the AWS Managed policy "AmazonEC2ContainerRegistryPowerUser" to grant Jenkins access. And should pretty much have full access to all the ECR calls it needs. We do use it in 'eu-west-1' though. But the warning clearly states not to worry about it if we are not in that region.

        Attachments

          Issue Links

            Activity

            Hide
            davidfic_cybric david ficociello added a comment -

            This is also preventing us from moving forward with this plugin. We are in us-west-2. Is there any timeline at all for this? It would greatly help to know so we can either wait or move on to other solutions.

            Thanks

            Show
            davidfic_cybric david ficociello added a comment - This is also preventing us from moving forward with this plugin. We are in us-west-2. Is there any timeline at all for this? It would greatly help to know so we can either wait or move on to other solutions. Thanks
            Hide
            ajtrichards Alex Richards added a comment -

            Hi david ficociello, Drew Halloran,

            We managed to resolve this problem, after almost 3 weeks of conversation with AWS Support, by using the ecr-credential-helper.

            You can find the helper and documentation here: https://github.com/awslabs/amazon-ecr-credential-helper

            Good Luck!

            Show
            ajtrichards Alex Richards added a comment - Hi david ficociello , Drew Halloran , We managed to resolve this problem, after almost 3 weeks of conversation with AWS Support, by using the ecr-credential-helper. You can find the helper and documentation here: https://github.com/awslabs/amazon-ecr-credential-helper Good Luck!
            Hide
            ecentinela Javier Martínez added a comment -

            When this patch is going to be released? This is a blocking issue for our company.

            Show
            ecentinela Javier Martínez added a comment - When this patch is going to be released? This is a blocking issue for our company.
            Hide
            deeboh CL W added a comment - - edited

            Hi guys, i've found that adding the --region $region_name to the aws ecr get-login command fixed a similar issue. would it be possible to add --region to the plugin and deploy. You can see this usage from the AWS - ECS Console click your repository link. Then click the "View Push Command" button. It shows the use of the --region option. Is this being used by the ECR Jenkins plugin?

            Although i'm not completely convinced this is just a problem with this plugin. prior to today the plugin worked fine. However I upgraded my AWSCLI client to the latest version as well today (for some stupid reason) and now this plugin doesn't work.

            #annoying

            Show
            deeboh CL W added a comment - - edited Hi guys, i've found that adding the --region $region_name to the aws ecr get-login command fixed a similar issue. would it be possible to add --region to the plugin and deploy. You can see this usage from the AWS - ECS Console click your repository link. Then click the "View Push Command" button. It shows the use of the --region option. Is this being used by the ECR Jenkins plugin? Although i'm not completely convinced this is just a problem with this plugin. prior to today the plugin worked fine. However I upgraded my AWSCLI client to the latest version as well today (for some stupid reason) and now this plugin doesn't work. #annoying
            Hide
            catufunwa Chima Atufunwa added a comment -

            Give setting this env a try, AWS_ECR_DISABLE_CACHE. It causes the plugin to not use the local cache.

            Source, https://github.com/awslabs/amazon-ecr-credential-helper/pull/3

            Show
            catufunwa Chima Atufunwa added a comment - Give setting this env a try, AWS_ECR_DISABLE_CACHE. It causes the plugin to not use the local cache. Source, https://github.com/awslabs/amazon-ecr-credential-helper/pull/3

              People

              • Assignee:
                ifernandezcalvo Ivan Fernandez Calvo
                Reporter:
                kristoffer Kristoffer Peterhänsel
              • Votes:
                11 Vote for this issue
                Watchers:
                26 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: