Unable to push/pull images from ECR on AWS GovCloud #346

@bartlett-ops

Description

This resource is incompatible with ECR on AWS GovCloud. This is because the version of Amazon ECR Credentials Helper is very out of date.

Reproduction

resources:
  - name: my-image
    type: docker-image
    source:
      repository: 000000000000.dkr.ecr.us-gov-west-1.amazonaws.com/my-image
      aws_access_key_id: XXXXXXXXXXX
      aws_secret_access_key: YYYYYYYYYYY
  - name: repo
    type: git
    source:
      uri: example.git
jobs:
  - name: build-image  # job name is a placeholder
    plan:
      - get: repo
      - put: my-image
        params:
          build: repo
          dockerfile: Dockerfile
        get_params:
          save: true

I get the following build output from Concourse:

Successfully built 8126927e3d7a
Successfully tagged 000000000000.dkr.ecr.us-gov-west-1.amazonaws.com/my-image:latest
Removing login credentials for https://index.docker.io/v1/
The push refers to repository [000000000000.dkr.ecr.us-gov-west-1.amazonaws.com/my-image]
6cd6a1e2a03a: Preparing
86fbec0e27c2: Preparing
01b36ebbd637: Preparing
758cc9a35e2b: Preparing
0ca51c72c51a: Preparing
879c0d8666e3: Preparing
20a7b70bdf2f: Preparing
3fc750b41be7: Preparing
beee9f30bc1f: Preparing
758cc9a35e2b: Waiting
0ca51c72c51a: Waiting
879c0d8666e3: Waiting
beee9f30bc1f: Waiting
3fc750b41be7: Waiting
20a7b70bdf2f: Waiting
no basic auth credentials

On inspection of the log file ~/.ecr/log/ecr-login.log.2022-08-05-13 I see the following:

2022-08-05T13:28:14Z [DEBUG] Checking file cache for 000000000000
2022-08-05T13:28:14Z [DEBUG] Calling ECR.GetAuthorizationToken for 000000000000
2022-08-05T13:28:14Z [ERROR] Error retrieving credentials: MissingEndpoint: 'Endpoint' configuration is required for this service

Resolution

I attempted to update go.mod to use the following:

require (
  ...
  github.com/awslabs/amazon-ecr-credential-helper v0.6.0
  ...
)

But I'm not much of a Go programmer, so couldn't get the container to build properly.

Workaround

As a workaround, I added the updated binary after the container is built, which solved the problem.

FROM concourse/docker-image-resource:1.6.3
ADD --chown=root:root https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.6.0/linux-amd64/docker-credential-ecr-login /opt/resource/ecr-login
RUN chmod +x /opt/resource/ecr-login
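
Added example, not part of the original issue or the project's code: a variant of the workaround Dockerfile that checks the downloaded credential helper against a pinned SHA-256 digest before installing it, since this binary handles AWS credentials on every push and pull. The `ECR_LOGIN_SHA256` and `ECR_LOGIN_URL` build arguments are assumptions introduced here, the digest must come from a source you trust, and the base image is assumed to provide `sha256sum`.

```dockerfile
FROM concourse/docker-image-resource:1.6.3

# Assumption: the expected digest is obtained out of band and passed at build time:
#   docker build --build-arg ECR_LOGIN_SHA256=<sha256 of the 0.6.0 linux-amd64 binary> .
ARG ECR_LOGIN_SHA256
ARG ECR_LOGIN_URL=https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.6.0/linux-amd64/docker-credential-ecr-login

# Download to a staging path first so an unverified binary never sits in /opt/resource.
ADD --chown=root:root ${ECR_LOGIN_URL} /tmp/ecr-login

# Fail the build if no digest was supplied or if the download does not match it.
RUN set -eu; \
    test -n "${ECR_LOGIN_SHA256}" || { echo "ECR_LOGIN_SHA256 build arg is required" >&2; exit 1; }; \
    echo "${ECR_LOGIN_SHA256}  /tmp/ecr-login" | sha256sum -c -; \
    mv /tmp/ecr-login /opt/resource/ecr-login; \
    chmod 0755 /opt/resource/ecr-login
```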
