Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Helper returns success code + empty credential list on network error #479

Open
gondalez opened this issue Feb 1, 2023 · 0 comments
Open

Helper returns success code + empty credential list on network error #479

gondalez opened this issue Feb 1, 2023 · 0 comments

Comments

@gondalez
Copy link

gondalez commented Feb 1, 2023

Problem

When a network request fails, the helper returns an empty result.
This causes docker in turn to fail with a no basic auth credentials error.

Expected

Network error.
Helper returns a nonzero status code and a helpful error message to indicate to docker/user there was an error.

Actual

Network error.
Helper returns 0 (success) and empty result {}.

Repro Steps

Successful login (network enabled)

Status code is 0 as expected:

~ [master●] » docker-credential-ecr-login list
{"https://029672914754.dkr.ecr.us-west-2.amazonaws.com":"AWS","https://324969534254.dkr.ecr.us-west-2.amazonaws.com":"AWS"}
~ [master●] » echo $?
0 # ✅

~/.ecr/log/ecr-login.log

time="2023-02-01T17:06:23+08:00" level=debug msg="Listing credentials"
time="2023-02-01T17:06:25+08:00" level=debug msg="Checking file cache" registry=
time="2023-02-01T17:06:25+08:00" level=debug msg="Calling ECR.GetAuthorizationToken for default registry"
time="2023-02-01T17:06:26+08:00" level=debug msg="Saving credentials to file cache" registry=<snip> service=ecr
time="2023-02-01T17:06:26+08:00" level=debug msg="Checking file cache for ECR Public"
time="2023-02-01T17:06:27+08:00" level=debug msg="couldn't get authorization token for public registry" error="ecr: failed to get authorization token: operation error ECR PUBLIC: GetAuthorizationToken, https response error StatusCode: 400, RequestID: <snip>, api error AccessDeniedException: User: arn:aws:sts::<snip>:assumed-role/<snip> is not authorized to perform: ecr-public:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr-public:GetAuthorizationToken action"

Failed login (network disabled)

Turn off wifi and unplug network cable 😄

Status code expected to be nonzero but is zero:

~ [master●] » docker-credential-ecr-login list
{}
~ [master●] » echo $?
0 # ❗️🐞

~/.ecr/log/ecr-login.log

time="2023-02-01T17:10:28+08:00" level=debug msg="Listing credentials"
time="2023-02-01T17:10:31+08:00" level=debug msg="Could not fetch credentials for cache prefix, disabling cache" error="operation error SSO: GetRoleCredentials, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Get \"https://portal.sso.us-west-2.amazonaws.com/federation/credentials?account_id=029672914754&role_name=LocalDevelopment\": dial tcp: lookup portal.sso.us-west-2.amazonaws.com on [::1]:53: read udp [::1]:59700->[::1]:53: read: connection refused"

Note

I suspect this happens for invalid requests (4xx) as well as network errors, but I have no proof of that at this time.
@gondalez gondalez changed the title Helper returns empty credential list on network error Helper returns success code + empty credential list on network error Feb 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@gondalez