AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

ECR login token expiry - reauthentication suggestions

0

We are seeing random ECR docker login token expiry errors in our Jenkins pipelines.

docker: Error response from daemon: pull access denied for my-account.dkr.ecr.us-east-1.amazonaws.com/my-project/myapp/myimage:myversion, repository does not exist or may require 'docker login': denied: Your authorization token has expired. Reauthenticate and try again.

As per AWS document, https://docs.aws.amazon.com/AmazonECR/latest/public/public-troubleshooting.html, we need to reauthenticate the ecr login. We use ecr get-login within our Jenkinsfile to run activities within a docker container as below,

sh '$(aws ecr get-login --no-include-email --region us-east-1)'
            withDockerContainer(image: 'myaccount.dkr.ecr.us-east-1.amazonaws.com/my-project/myapp/my-image:my-version'){

We were planning to update the ecr login section over a try-catch and ensure the reauthentication is done in the catch block. We would like to get a confirmation if there are any other better ways of handling this error.  

try {
                        sh '$(aws ecr get-login --no-include-email --region us-east-1)'
                    } catch (Exception e) {
                        sh 'docker logout "myaccount.dkr.ecr.us-east-1.amazonaws.com"'
                        sh '$(aws ecr get-login --no-include-email --region us-east-1)'
                    }
トピック
コンテナ
タグ
Amazon Elastic Container レジストリ (ECR)
言語
English
AWS-user-Radhika
質問済み 1年前974ビュー
1回答
1
承認された回答

If you set up a Jenkinsfile like this, don't you log in every time?
https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html
https://www.jenkins.io/doc/book/pipeline/docker/

pipeline{
    agent any
    stages{
        stage('Hoge') {
            steps{
                script{
                    docker.withRegistry("https://${AWSAccountID}.dkr.ecr.${ECR Region}.amazonaws.com") {
                        sh("`aws ecr get-login --no-include-email --region ${ECR Region}`")
                        docker.image('my-custom-image').inside {
                          sh("echo 'hoge'")
                        }
                    }
                }
            }
        }
    }
}
profile picture
エキスパート
Riku_Kobayashi
回答済み 1年前
profile pictureAWS
エキスパート
Didier_Durand
レビュー済み 1年前
  • Didier_Durand エキスパート
    1年前

    AFAIK, this one is better than the try / catch: I don't see why the second login in cache block would succeed if initial on just failed. They will be quasi-simultanous. The issue that you described initially is more of a timeout happening long after initial login so that will be ineffective.

  • AWS-user-Radhika
    1年前

    The token expiry happens quite randomly. It does not happen always. So if indeed the token has expired, we need to be doing reauthentication as per AWS suggestion. Hence, believed that the try catch will ensure that it will perform the reauthentication in case of failure.

  • AWS-user-Radhika
    1年前

    Are you suggesting that changing to docker.withRegistry will solve the issue for us? May I know why the withDockerContainer gives back such issues?

  • Riku_Kobayashi エキスパート
    1年前

    I'm not sure why withDockerContainer would cause the token expiration issue, but I believe docker.withRegistry logs you in every time you run with a build.

  • AWS-user-Radhika
    1年前

    Understood. I will give this a try. There is also a recommendation to cleanup current user docker credentials using sh 'rm ~/.docker/config.json || true' on https://docs.cloudbees.com/docs/cloudbees-ci-kb/latest/client-and-managed-controllers/withdockerregistry-step-fails-with-amazon-ecr and https://plugins.jenkins.io/amazon-ecr/. If I include that it is introducing delays in the docker image download and times out. Is the docker credentials cleanup necessary?

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ