Comments (16)
In the sbt console, I have confirmed that the system property is being set:
$ sbt -DAWS_DEFAULT_PROFILE=shared console
[info]...
[info]...
scala> System.getProperty("AWS_DEFAULT_PROFILE")
res0: String = shared
scala> sys.env.getOrElse("AWS_DEFAULT_PROFILE", "default")
res1: String = shared
from sbt-ecr.
Hi @neowulf33,
I'm not sure why sys.env.getOrElse("AWS_DEFAULT_PROFILE", "default") returns shared in your context, as -D would suggest a JVM system property, not an environment variable as expected by the plugin.
I'm executing my tasks like this:
AWS_DEFAULT_PROFILE=shared sbt ecr:createRepository
Let me know if that works for you.
Hi @sbilinski,
Thank you for the tip. Unfortunately, it didn't work, as the error message hasn't changed. It is:
com.amazonaws.services.ecr.model.AmazonECRException: User: arn:aws:iam::wrong_role is not authorized to perform: ecr:CreateRepository on resource: * (Service: AmazonECR; Status Code: 400; Error Code: AccessDeniedException; Request ID: xxx)
I get the same error when I execute an AWS CLI command without providing the correct profile.
Hi @sbilinski,
Do you know if the role within the aws profile gets automatically picked up by the AWS Java SDK?
I'm not sure what could go wrong here, since repository creation is just a direct call to the Amazon SDK. That being said, does it work if you put your shared credentials under the [default] profile and skip the settings completely?
Also, double check if you have a proper policy attached. I'm using the predefined AmazonEC2ContainerRegistryFullAccess, which seems like a good start for development / testing such issues.
I have pulled the credentials into the [default] profile.
I am able to create a repository without specifying the profile using the AWS CLI SDK:
aws ecr create-repository --repository-name test5
The role doesn't get switched when executing the sbt task, though.
Do you know if the role within the aws profile gets automatically picked up by the AWS Java SDK?
I suppose the role is inherited from the aws_access_key_id.
I have pulled the credentials into the [default] profile.
Does the sbt ecr:createRepository command work in this context?
Sorry, no, sbt ecr:createRepository doesn't work in the new context either.
I see that there are other *CredentialsProvider which can assume roles, but I don't know enough of the AWS SDK to know about it. I'm looking.
Credential providers are taken in order, until some value is found.
Maybe you should check if there is no AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY in your environment variables, as they will override any profile settings? Same goes for the aws.accessKeyId and aws.secretKey system properties.
I believe those are getting picked up, as evident from the incorrect credentials. However, the role_arn doesn't get "assumed".
Please see my PR #10 for a fix for this.
@neowulf33: Given the content of the PR and the comment above, I think the main issue is that you need to assume the role before you run any plugin commands (different responsibility).
For reference:
- AWS Security Blog: How to Implement a General Solution for Federated API/CLI Access Using SAML 2.0
- samlapi_formauth.py
Let me know, if you've managed to resolve the issue.
Thank you for the references.
However, please note that the generated credentials are short-lived, and the script will have to be re-run before executing the AWS commands, which may not be ideal when automating the build process and pushing the docker images to ECR.
- How is this automated in your project?
- Does the project use role assumption?
Assuming that your CI services will run in the cloud, you can assume the role on the instance itself and use the InstanceProfileCredentialsProvider, which is already in the credentials provider chain. This is the "standard" way to do it in my project (i.e. we deal with security in a very "declarative" way). Short-lived credentials are used for development and manual tasks, though.
When running on-premises, I'd probably set up a dedicated AWS user for CI purposes (with a proper Amazon ECR policy) or do exactly what you did, but in a dedicated task (i.e. outside of the plugin; maybe even outside of sbt, depending on the situation).
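The "assume the role before the plugin runs" step discussed above, as an added example written for this thread (it is not sbt-ecr's code and not the PR #10 change): a small AWS SDK for Java v1 program that takes the long-lived keys of a source profile, exchanges them for short-lived role credentials through STS, and hands that provider to the ECR client. The ECR_ROLE_ARN and AWS_REGION environment variables, the session name and the object name are assumptions made for the example; the role ARN is what you would otherwise put as role_arn in ~/.aws/config.

```scala
import com.amazonaws.auth.{AWSCredentialsProvider, STSAssumeRoleSessionCredentialsProvider}
import com.amazonaws.auth.profile.ProfileCredentialsProvider
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder
import com.amazonaws.services.ecr.AmazonECRClientBuilder
import com.amazonaws.services.ecr.model.CreateRepositoryRequest

// Example only (not part of sbt-ecr): explicit role assumption ahead of an ECR call.
object AssumeRoleEcr {
  // Long-lived keys of the *source* profile from ~/.aws/credentials.
  // Note: env vars AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY and the aws.accessKeyId /
  // aws.secretKey system properties are not consulted here, so they cannot override it.
  def sourceCredentials(profileName: String): AWSCredentialsProvider =
    new ProfileCredentialsProvider(profileName)

  // Exchange source credentials for role-scoped, short-lived STS credentials.
  // The provider refreshes the session itself, so long builds keep working.
  def assumedRoleCredentials(source: AWSCredentialsProvider,
                             roleArn: String,
                             region: String): AWSCredentialsProvider = {
    val sts = AWSSecurityTokenServiceClientBuilder.standard()
      .withCredentials(source)
      .withRegion(region)
      .build()
    new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, "sbt-ecr-build") // session name: assumption
      .withStsClient(sts)
      .withRoleSessionDurationSeconds(900) // minimum STS allows; keeps the blast radius small
      .build()
  }

  def main(args: Array[String]): Unit = {
    val region  = sys.env.getOrElse("AWS_REGION", "us-east-1")          // assumption
    val profile = sys.env.getOrElse("AWS_PROFILE", "default")           // source profile name
    val roleArn = sys.env("ECR_ROLE_ARN")                               // assumption: role to assume

    val ecr = AmazonECRClientBuilder.standard()
      .withRegion(region)
      .withCredentials(assumedRoleCredentials(sourceCredentials(profile), roleArn, region))
      .build()

    // Only the assumed role's policy (e.g. ecr:CreateRepository) is evaluated here,
    // which is exactly the permission the AccessDeniedException above complained about.
    val result = ecr.createRepository(new CreateRepositoryRequest().withRepositoryName(args(0)))
    println(result.getRepository.getRepositoryUri)
  }
}
```

Run it as a dedicated step (or sbt task) before ecr:createRepository; if it still fails with AccessDeniedException, the role's policy rather than the credential chain is the thing to inspect.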
Hi!
I have exactly this problem atm. Is there any workaround for this or a howto?
@michaelgroening Try attaching AmazonEC2ContainerRegistryFullAccess to your user account in the IAM panel (for example).