Amazon ECR authentication failure

[chanseokoh]

@chanseokoh Thanks for pushing 2.6.0.

@EugenDueck and just in case, I believe ECR only supports the following forms as an image reference (when not considering tags or digests):

1. 123456789.dkr.ecr.ap-northeast-1.amazonaws.com/<image>
2. 123456789.dkr.ecr.ap-northeast-1.amazonaws.com/<namespace>/<image>

I think 2. is what I am using, plus a tag: 123456789.dkr.ecr.ap-northeast-1.amazonaws.com/abc/def:base
Pushing/pulling using the docker cli works with that.

Unfortunately, the error is unchanged with v2.6.0:

[WARNING] Base image '123456789.dkr.ecr.ap-northeast-1.amazonaws.com/abc/def:base' does not use a specific image digest - build may not be reproducible
[INFO] Using credentials from <to><auth> for 123456789.dkr.ecr.ap-northeast-1.amazonaws.com/abc/flex-kafka-streams:1.1
[INFO] The base image requires auth. Trying again for 123456789.dkr.ecr.ap-northeast-1.amazonaws.com/abc/def:base...
[INFO] Using credentials from <from><auth> for 123456789.dkr.ecr.ap-northeast-1.amazonaws.com/abc/def:base
[INFO] Executing tasks:
[INFO] [========                      ] 27.8% complete
[INFO] > building dependencies layer
[INFO] > launching layer pushers
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  12.898 s
[INFO] Finished at: 2020-10-08T09:20:01+09:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:2.6.0:build (default) on project flex-kafka-streams: Build image failed, perhaps you should make s
ure your credentials for '123456789.dkr.ecr.ap-northeast-1.amazonaws.com/abc/def' are set up correctly. See https://github.com/GoogleContainerTools/jib/b
lob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for 123456789.dkr.ecr.ap-northeast-1.amazonaws.com/abc/jnx-
kafka-streams: 401 Unauthorized
[ERROR] Not Authorized

Btw I have even tried to move username/password into the pom, to have the least possibility of a problem due to indirection via cred helpers, env vars etc.

To wit:

<from>
    <image>123456789.dkr.ecr.ap-northeast-1.amazonaws.com/abc/def:base</image>
    <auth>
        <username>dontask</username>
        <password>wonttell</password>
    </auth>
</from>

_Originally posted by @EugenDueck in #2784 (comment)

[chanseokoh]

I am not sure if you are using a credential helper or not, but can you take a look at #2627 (comment)?

Also, I don't know what types of credentials are usable for ECR, but can you tell me the type you're using? For example, for the credentials that docker-credential-ecr-login returns, its username is always AWS.

Also check #2627 (comment) in the same issue thread.

[EugenDueck]

Thanks a lot chanseokoh for following up and creating a new issue for this! Also, an answer over at stackoverlfow you made provided a very good introduction into the whole topic for me.

So my problem was this: I used the values that are supposed to be put in AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY as username / password. That won't work, because they are only used by e.g. the credentials helper to create username (currently fixed to "AWS", just as you wrote) and password.

I am now successfully pulling and pushing using with the ecr-login credentials helper. So thanks again!

Now I only need to figure out if there is a way to use different AWS profiles for from and to... I have created #2814 for this problem, so you may close this issue.

[chanseokoh]

Thanks for the update! This is exactly #2627, so I'll close it as a dup.