
Unable to push image to Cross account ECR

Open ngoyal16 opened this issue 3 years ago • 1 comments

Actual behavior

We are trying to push the image to ECR which exists in another account 2. Push permission has been granted to account 1 using a resource policy. If we push using docker with the aws ecr creds helper it works, but with kaniko it does not seem to work. Following are the logs from kaniko:

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "[MASKED].dkr.ecr.[MASKED].amazonaws.com/test:latest": Post "https://[MASKED].dkr.ecr.[masked].amazonaws.com/v2/test/blobs/uploads/": EOF

logs from .ecr/log/* folder

time="2022-08-25T17:39:43Z" level=debug msg="Retrieving credentials" region=[MASKED] registry=[MASKED] serverURL=[MASKED].dkr.ecr.[MASKED].amazonaws.com service=ecr
time="2022-08-25T17:39:43Z" level=debug msg="Checking file cache" registry=[MASKED]
time="2022-08-25T17:39:43Z" level=debug msg="Calling ECR.GetAuthorizationToken" registry=[MASKED]
time="2022-08-25T17:39:43Z" level=debug msg="Saving credentials to file cache" registry=[MASKED] service=ecr

ngoyal16 avatar Aug 25 '22 17:08 ngoyal16

I was able to get around the cross-account push by mounting the aws config file and switching profile names. I am building the image in the dev account and pushing to the staging account. Hope this helps.

apiVersion: v1
kind: ConfigMap
metadata:
  name: kaniko-aws-config
  labels:
    app: kaniko
data:
  config: |
    [profile default]
    region = us-east-1
    role_arn = arn:aws:iam::<account-id>:role/<role-name>
    web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token

    [profile staging]
    region = us-east-1
    role_arn = arn:aws:iam::<account-id>:role/<role-name>
    source_profile = default

Container Spec

image: gcr.io/kaniko-project/executor:debug
env:
  - name: AWS_SDK_LOAD_CONFIG
    value: "true"
  - name: AWS_CONFIG_FILE
    value: "/root/.aws/config"
  - name: AWS_PROFILE
    value: staging
volumeMounts:
  - name: aws-config
    mountPath: /root/.aws/config
    subPath: config

michaelsatish avatar Sep 09 '22 14:09 michaelsatish
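
An added example, not part of the thread or of kaniko: a pre-flight check that follows the `source_profile` chain in a config like the one mounted above and reports whether the role selected by `AWS_PROFILE` sits in the same account as the ECR registry being pushed to. The function names, the sample account IDs and the role names are assumptions made for illustration, and any repeated profile in the chain is treated as a loop.

```python
import configparser
import re

# Constructed sample shaped like the ConfigMap above; IDs and role names are placeholders.
SAMPLE_CONFIG = """\
[profile default]
role_arn = arn:aws:iam::111111111111:role/dev-builder
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token

[profile staging]
role_arn = arn:aws:iam::222222222222:role/ecr-push
source_profile = default
"""
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):role/.+$")
ECR_HOST = re.compile(r"^(\d{12})\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")

def resolve_chain(config_text, profile):
    """Follow source_profile links; return [(profile, role_account, source)], base first."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    chain, seen = [], set()
    while profile:
        if profile in seen:  # simplification: any repeat is treated as a loop
            raise ValueError(f"source_profile loop at {profile!r}")
        seen.add(profile)
        # Sections are named "profile X"; the default profile may also be bare.
        name = next((s for s in (f"profile {profile}", profile) if cfg.has_section(s)), None)
        if name is None:
            raise KeyError(f"profile {profile!r} is not defined")
        sec = cfg[name]
        arn = ROLE_ARN.match(sec.get("role_arn", ""))
        if "role_arn" in sec and not arn:
            raise ValueError(f"malformed role_arn in profile {profile!r}")
        source = ("web_identity" if "web_identity_token_file" in sec
                  else "source_profile" if "source_profile" in sec else "other")
        chain.append((profile, arn.group(1) if arn else None, source))
        profile = sec.get("source_profile")
    return chain[::-1]

def classify_push(config_text, profile, image):
    """Compare the account of the role kaniko ends up using with the registry's account."""
    host = ECR_HOST.match(image)
    if not host:
        raise ValueError("not a private ECR image reference")
    role_account = resolve_chain(config_text, profile)[-1][1]
    if role_account is None:
        return "unknown"
    # same-account: IAM policy on the role suffices; cross-account: the
    # repository policy in the registry account must also grant this principal.
    return "same-account" if role_account == host.group(1) else "cross-account"
```
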

I've run into this issue as well

delwaterman avatar Jan 13 '23 19:01 delwaterman

Hi, I'm actually running into this error. I'm actually unable to push img to ECR with cross account. I'm getting an EOF error.

philippebn avatar Nov 04 '23 15:11 philippebn

Any Updates?

dev-whoan avatar Nov 07 '23 14:11 dev-whoan