AWS ECR authentication via GH actions #25040
Unanswered. gabfelp asked this question in Request Help. Replies: 1 comment
Hey @lukasmrtvy I saw your comment in this discussion here: #18755 (reply in thread) but I had no luck trying the aws-actions/amazon-ecr-login@v2. Do you have any guidance on what I should try to add in renovate env? By the way, sorry for tagging you, but you seem to have this working already and I want to avoid relying on GCR (which will be gone soon), thus the rush in making ECR work with renovate 😅
How are you running Renovate?
Self-hosted
If you're self-hosting Renovate, tell us what version of Renovate you run.
37.3.0
If you're self-hosting Renovate, select which platform you are using.
github.com
Was this something which used to work for you, and then stopped?
I never saw this working
Wanted end result.
Hey! I'm trying to deploy renovate on my Github Workflow. I use an ECR registry so my workflow looks like this:
First I authenticate in AWS using a role to assume
After that, I change my $HOME/.docker/config.json to include
And this works fine for pulling images from the action/workflow. I'm able to do
docker pull ACCOUNTID.dkr.ecr.us-east-1.amazonaws.com/ANY:ANY
in the following steps. However, this seems to be a problem for renovate.
As I don't have an access key ID nor a secret key, I cannot authenticate to renovate using hostRules like this (taken from docs):
I could use 'AWS' and a password from aws ecr get-login-password command or aws ecr get-authorization-token command (references from AWS auth methods: https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html) and both methods are unsupported as far as I searched.
At the end I have the following log output:
Using ecr auth for Docker registry
Failed to get authHeaders for getTags lookup
So my question is... Is there any workaround for this authentication? I tried a lot of different commands and didn't make it work.
Relevant/Similar discussions: #20326, #23837, #18755, #23292, #10062
What you tried so far.
I tried doing this:
As this comment points out: #18755 (reply in thread), however I see the same problem
Tried a step (before renovatebot/[email protected]) doing this:
aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com
with no luck.
I also thought about this in hostRules (dependabot):
to remove the need of doing ECR auth, but I see it's not supported. I have the same problem, the regex matches ECR and we start ECR auth loop again
Relevant debug logs
Logs (TRACE, but I reduced to the problem part only)
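An added example, not part of the original post and not Renovate's code: the two AWS CLI commands named in the question yield the same credential, because an ECR authorization token is base64 of AWS:<password>, which is also the form Docker stores as the auth value in config.json. The function names, the ECR_REGISTRY variable and the output file name are assumptions for illustration; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added illustration; function names, ECR_REGISTRY and the output file are hypothetical.
# `aws ecr get-authorization-token` returns base64("AWS:<password>");
# `aws ecr get-login-password` prints only <password>. Tokens last 12 hours.

# Username half of an authorization token; fails on malformed input.
ecr_token_user() (
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case $decoded in
    *:*) printf '%s\n' "${decoded%%:*}" ;;
    *) return 1 ;;
  esac
)

# Password half: everything after the first colon.
ecr_token_password() (
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case $decoded in
    *:*) printf '%s\n' "${decoded#*:}" ;;
    *) return 1 ;;
  esac
)

# Rebuild the token from a get-login-password value (constructed: pw -> QVdTOnB3).
ecr_basic_auth() (
  printf 'AWS:%s' "$1" | base64 | tr -d '\n'
)

# The "auths" entry docker login writes when no credential helper is configured.
# Refuses non-ECR hosts so the secret is never paired with another registry.
ecr_docker_config() (
  case $1 in
    *.dkr.ecr.*.amazonaws.com|*.dkr.ecr.*.amazonaws.com.cn) ;;
    *) return 1 ;;
  esac
  [ -n "$2" ] || return 1
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$1" "$(ecr_basic_auth "$2")"
)

# Real use inside a workflow step (skipped unless ECR_REGISTRY is set).
if [ -n "${ECR_REGISTRY:-}" ]; then
  password=$(aws ecr get-login-password --region "$AWS_REGION") || exit 1
  echo "::add-mask::$password"   # keep the secret out of the Actions log
  umask 077                      # file readable by the runner user only
  ecr_docker_config "$ECR_REGISTRY" "$password" > ./ecr-config.json
fi
```

The token is short-lived, so anything derived from it has to be regenerated on every workflow run rather than stored as a repository secret.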