I'm using Gitlab and I can't get docker login to work correctly, no matter how I try it-CodePudding

I'm trying to push an image to ECR on GitLab and the docker login command keeps failing. I tried looking around online and tried 3 different variations and they all failed. Here's my gitlab-ci.yml file

image: docker:latest

services:
  - docker:dind

before_script:
  - apk add --update --no-cache jq py-pip
  - pip install awscli
  - aws ecr get-login --no-include-email --region us-west-2
  - docker login -u AWS -p $(aws ecr get-login-password --region us-west-2) https://775362094965.dkr.ecr.us-west-2.amazonaws.com
  #Denied: not authorized
  
  - docker login --username AWS --password-stdin https://775362094965.dkr.ecr.us-west-2.amazonaws.com
  #   Error: Cannot perform an interactive login from a non TTY device

  - docker login --username AWS --password-stdin public.ecr.aws/u1c1h9j4
  # Error: Cannot perform an interactive login from a non TTY device

stages:
  - build
  - deploy

build-job:
  stage: build
  script:
    - docker build -t $REPOSITORY_URL:$IMAGE_TAG .
    - docker push $REPOSITORY_URL:$IMAGE_TAG
  only:
    - main


deploy-job:
  stage: deploy
  script:
    - echo `aws ecs describe-task-definition --task-definition  $CI_AWS_ECS_TASK_DEFINITION --region us-west-2` > input.json
    - echo $(cat input.json | jq '.taskDefinition.containerDefinitions[].image="'$REPOSITORY_URL':'$IMAGE_TAG'"') >  input.json
    - echo $(cat input.json | jq '.taskDefinition') > input.json
    - echo $(cat input.json | jq  'del(.taskDefinitionArn)' | jq 'del(.revision)' | jq 'del(.status)' | jq 'del(.requiresAttributes)' | jq 'del(.compatibilities)' | jq 'del(.registeredAt)' | jq 'del(.registeredBy)') > input.json
    - aws ecs register-task-definition --cli-input-json file://input.json --region us-west-2 
    - revision=$(aws ecs describe-task-definition --task-definition $CI_AWS_ECS_TASK_DEFINITION --region us-west-2 | egrep "revision" | tr "/" " " | awk '{print $2}' | sed 's/"$//' | cut -d "," -f 1)
    - aws ecs update-service --cluster $CI_AWS_ECS_CLUSTER --service $CI_AWS_ECS_SERVICE  --task-definition $CI_AWS_ECS_TASK_DEFINITION:$revision --region us-west-2

I inserted all 3 docker login variations that I tried and listed the error I received in my pipeline right underneath them. I tried them all individually

CodePudding user response：

aws ecr get-login-password | docker login --username AWS --password-stdin https://775362094965.dkr.ecr.us-west-2.amazonaws.com

Generally password-stdin option reads password from user input, but as you want to implement CI/CD, you can pipe the password as given above.

I found a detailed description to solve the issue @ https://medium.com/devops-with-valentine/gitlab-ci-build-push-docker-image-to-aws-ecr-elastic-container-registry-b63b91a58728

Either you have not specified in the post, but maybe your setup does not have aws-cli setup of its own ! You may need to add aws-cli image to get your pipeline working

CodePudding user response：

For modern versions of AWS CLI v1 or v2:

script:
  # ... install awscli
  - aws sts get-caller-identity # make sure AWS CLI is properly configured
  - docker login -U AWS -p `aws ecr get-login-password` --region us-west-2 https://775362094965.dkr.ecr.us-west-2.amazonaws.com

For older versions of AWS CLI v1 that don't have get-login-password:

script:
  # ... install awscli
  - aws sts get-caller-identity # make sure AWS CLI is properly configured
  - $(aws ecr get-login --no-include-email --region us-west-2)

You must also make sure your configured identity has permission to ECR.

#Denied: not authorized

This would imply to me you might have an issue with your IAM permissions.