
Login doesn't support using EC2 instance credentials with ECR login #64

Closed
jkasarherou opened this issue Apr 7, 2021 · 5 comments · Fixed by #114

Comments

@jkasarherou

Behaviour

I am using self-hosted runners with an IAM role attached (with ECR permissions) and the login action fails.

Steps to reproduce this issue

  1. Create a self-hosted runner with an IAM role attached (with ECR permissions)
  2. Create a workflow with uses: docker/login-action@v1
  3. Try to run the workflow

Expected behaviour

The login should use the EC2 instance credentials and login to ECR.

Actual behaviour

The login action fails:

Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.

IMO the action should not attempt to overwrite the env vars for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in this case.

I can make it work using this manual run step:

- name: ECR login
  run: |
    aws ecr get-login-password | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com

Configuration

  • Repository URL (if public): private
  • Build URL (if public): private

- name: ECR login
  uses: docker/login-action@v1
  with:
    registry: <aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com

Logs

Sorry, private repo; I can't share the logs.

@crazy-max
Member

crazy-max commented Apr 28, 2021

@jkasarherou

the action should not attempt to overwrite the env vars for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in this case.

The environment variables are only overwritten if the username and password inputs are filled in.

Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.

Can you give me the complete output of the action please? Some logs are missing (like the AWS CLI version used). Also, looking at the error, it looks like the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars are wrong or not propagated to the action on your self-hosted runner.

@spatel96

spatel96 commented Apr 30, 2021

I am also experiencing this issue with a self-hosted AWS EC2 runner and using the AWS aws-actions/configure-aws-credentials@v1 action for populating credentials.

Example Configuration

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-west-1
          
      - name: Login to ECR
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY_URL }}

Action Debug Logs

##[debug]Evaluating condition for step: 'Login to ECR'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Login to ECR
##[debug]Register post job cleanup for action: docker/login-action@v1
##[debug]Loading inputs
##[debug]Evaluating: env.REGISTRY_URL
##[debug]Evaluating Index:
##[debug]..Evaluating env:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'REGISTRY_URL'
##[debug]=> '***.dkr.ecr.us-west-1.amazonaws.com'
##[debug]Result: '***.dkr.ecr.us-west-1.amazonaws.com'
##[debug]Loading env
Run docker/login-action@v1
::save-state name=isPost::true
##[debug]Save intra-action state isPost = true
::save-state name=registry::***.dkr.ecr.us-west-1.amazonaws.com
##[debug]Save intra-action state registry = ***.dkr.ecr.us-west-1.amazonaws.com
::save-state name=logout::true
##[debug]Save intra-action state logout = true
AWS ECR detected with us-west-1 region
Retrieving docker login command through AWS CLI 1.18.147 (/usr/bin/aws)...
Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Login to ECR


I've just realised that it must be using an outdated version of the AWS CLI (1.18.147), which comes pre-installed on my self-hosted runner.

I will try and upgrade the AWS CLI version as a workaround.

UPDATE:

Despite the upgrade I am still seeing this issue:

Retrieving docker login command through AWS CLI 2.2.1 (/usr/local/bin/aws)...
Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.

@docker docker deleted a comment from akay222 Jul 29, 2021
@nitrocode

I'm running into the same issue.

@crazy-max

Can you give me the complete output of the action please? Some logs are missing (like AWS cli version used). Also looking at the error it looks like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars are wrong or not propagated to the action on your self-hosted runner.

If the self-hosted runner is using an IAM role, then these environment variables would not be set, as the EC2 instance should reuse the IAM role for authentication, no?

@Flydiverny
Contributor

Flydiverny commented Dec 6, 2021

I did some testing to simulate what happens in the login-action.

Given the step below, I get the expected output (running on a self-hosted runner):

      - uses: actions/github-script@v5
        with:
          script: |
            await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
          result-encoding: string

{
    "UserId": "REDACTED:i-REDACTED",
    "Account": "REDACTED",
    "Arn": "arn:aws:sts::REDACTED:assumed-role/REDACTED/i-REDACTED"
}

Whereas if I add the process.env vars as the login-action does here, the step fails:

      - uses: actions/github-script@v5
        with:
          script: |
            let username = ''
            let password = ''
            process.env.AWS_ACCESS_KEY_ID = username || process.env.AWS_ACCESS_KEY_ID;
            process.env.AWS_SECRET_ACCESS_KEY = password || process.env.AWS_SECRET_ACCESS_KEY;
            await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
          result-encoding: string

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
Error: Unhandled error: Error: The process '/usr/local/bin/aws' failed with exit code 254

A simple change to how we set the env vars should resolve it:

      - uses: actions/github-script@v5
        with:
          script: |
            let username = ''
            let password = ''
            if (username) {
              process.env.AWS_ACCESS_KEY_ID = username;
            }
            if (password) {
              process.env.AWS_SECRET_ACCESS_KEY = password;
            }
            await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
          result-encoding: string

Which will get me my EC2 credentials again :)

Created a PR #114
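An added example (not code from this issue or from docker/login-action) that reproduces the mechanism behind Flydiverny's test: Node's process.env stringifies every assigned value, so `username || process.env.AWS_ACCESS_KEY_ID` with both empty stores the literal string "undefined", which the AWS CLI then treats as a real key id and skips the instance-profile credentials. The env var names are the real ones from the thread; the function names and the sample key id are this example's own.

```javascript
// Names of the variables the action touches; on a runner that relies on an
// EC2 instance profile neither is set before the action runs.
const AWS_VARS = ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY'];

// Buggy assignment pattern described in the thread: when the inputs are empty
// and the env vars are absent, the right-hand side is undefined, and
// process.env coerces that undefined into the string "undefined".
function applyCredentialsBuggy(env, username, password) {
  env.AWS_ACCESS_KEY_ID = username || env.AWS_ACCESS_KEY_ID;
  env.AWS_SECRET_ACCESS_KEY = password || env.AWS_SECRET_ACCESS_KEY;
  return env;
}

// Guarded assignment as proposed in the thread: only set a variable when an
// explicit input was given, leaving instance-profile / configure-aws-credentials
// state untouched.
function applyCredentialsFixed(env, username, password) {
  if (username) env.AWS_ACCESS_KEY_ID = username;
  if (password) env.AWS_SECRET_ACCESS_KEY = password;
  return env;
}

// Run fn against the real process.env (a plain object would not show the
// coercion) with the AWS variables unset, then restore whatever was there.
function withInstanceProfileEnv(fn) {
  const saved = {};
  for (const k of AWS_VARS) { saved[k] = process.env[k]; delete process.env[k]; }
  try {
    return fn(process.env);
  } finally {
    for (const k of AWS_VARS) {
      if (saved[k] === undefined) delete process.env[k]; else process.env[k] = saved[k];
    }
  }
}

// What a child `aws` process would inherit as AWS_ACCESS_KEY_ID when the
// action is invoked without username/password inputs.
function resultingKeyId(apply) {
  return withInstanceProfileEnv(env => {
    apply(env, '', '');
    return env.AWS_ACCESS_KEY_ID;
  });
}

console.log('buggy  ->', JSON.stringify(resultingKeyId(applyCredentialsBuggy))); // "undefined"
console.log('fixed  ->', JSON.stringify(resultingKeyId(applyCredentialsFixed))); // undefined
```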
