GitLab CI/CD AWS ECR authorization "Error response from daemon: login attempt to https://XXXXXXXX failed with status: 400 Bad Request"


I have a problem with GitLab CI/CD, where I have a runner that tries to authorize into AWS ECR. The .gitlab-ci.yaml file looks like this:

stages:
  - build
  - deploy

build_and_push_docker:
  stage: build
  image: docker:19.03.12
  script:
    - docker build -t repo-image .
    - docker tag ata-repo-image:latest $AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/repo:latest
    - echo $AWS_ACCESS_KEY_ID | docker login -u AWS --password-stdin https://$AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com
    - docker push $AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/repo:latest

download_signed_files_from_ecr:
  stage: deploy
  image: amazon/aws-cli:latest
  entrypoint: ["/bin/sh", "-c"]
  script:
    - aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
    - aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
    - aws configure set default.region us-east-1
    - docker pull $AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/repo:latest
    - docker run --rm -v $(pwd):/downloads $AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/repo:latest cp /var/www/html/signed/*.deb /downloads/
  artifacts:
    paths:
      - /downloads
  only:
    - master

I get this error when I try to run it:

$ docker tag ata-repo-image:latest $AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/repo:latest
$ aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com
/bin/sh: eval: line 139: aws: not found
Error: Cannot perform an interactive login from a non TTY device
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: exit code 1

Login and AWS Policy look okay. Authorization via the terminal was performed without any issue, so I suppose there might be a problem with the runner configuration or something like that.

There is 1 answer
d00mil On

You can try adding something like the following in your build stage:

  - |
    apk update && apk --no-cache add binutils curl wget git jq && apk del libc6-compat && \
      GLIBC_VER=2.34-r0 && \
      curl -sL https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub -o /etc/apk/keys/sgerrand.rsa.pub && \
      curl -sLO https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VER}/glibc-${GLIBC_VER}.apk && \
      curl -sLO https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VER}/glibc-bin-${GLIBC_VER}.apk && \
      curl -sLO https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VER}/glibc-i18n-${GLIBC_VER}.apk && \
      apk add --no-cache --force-overwrite glibc-${GLIBC_VER}.apk glibc-bin-${GLIBC_VER}.apk glibc-i18n-${GLIBC_VER}.apk && \
      /usr/glibc-compat/bin/localedef -i en_US -f UTF-8 en_US.UTF-8 && \
      curl -sL https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip && \
      unzip awscliv2.zip > /dev/null && aws/install

This should add the needed libraries and install the AWS CLI, which is missing from the Docker image you are using for your build stage.

It is not shown in the .gitlab-ci.yaml example you provided with your question, but the second line of your posted error response:

$ aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com
/bin/sh: eval: line 139: aws: not found

indicates that you are trying to authorize using the AWS CLI, for which it printed the error "aws: not found".
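
The failure discussed above, as an added example that is not part of the original question or answer: a login helper for the CI job that checks for the `aws` and `docker` binaries and fetches the ECR token before it is piped to `docker login`, so a missing CLI or a failed token request is reported at its own step. The function names and the `AWS_REGION` variable are assumptions; `AWS_ACCOUNT_ID` and the `us-east-1` default come from the page.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes AWS_ACCOUNT_ID and the
# AWS credential variables are set as CI/CD variables; AWS_REGION is an assumed
# optional variable that defaults to the region used on the page.

# Print the ECR registry host, or fail if the account ID is empty or malformed
# (for example when the CI variable is not defined for this job).
ecr_registry() {
    account="$1"; region="$2"
    case "$account" in
        ''|*[!0-9]*) echo "AWS account ID is empty or not numeric" >&2; return 2 ;;
    esac
    [ "${#account}" -eq 12 ] || { echo "AWS account ID must be 12 digits" >&2; return 2; }
    [ -n "$region" ] || { echo "region is empty" >&2; return 2; }
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$account" "$region"
}

# Confirm both CLIs exist in this job's image before building the pipe.
ecr_preflight() {
    for tool in aws docker; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing in image: $tool" >&2; return 3; }
    done
}

# Log in to ECR, reporting each failure at the step where it occurs.
ecr_login() {
    login_region="${AWS_REGION:-us-east-1}"
    registry=$(ecr_registry "${AWS_ACCOUNT_ID:-}" "$login_region") || return $?
    ecr_preflight || return $?
    # Fetch the token on its own: if this step fails inside a pipe, docker login
    # only sees empty stdin and the real cause is easy to miss in the job log.
    token=$(aws ecr get-login-password --region "$login_region") \
        || { echo "aws ecr get-login-password failed" >&2; return 4; }
    [ -n "$token" ] || { echo "ECR returned an empty token" >&2; return 4; }
    # The password is the ECR token, never an access key; printf is a shell
    # builtin, so the token does not show up in the process list.
    printf '%s' "$token" | docker login --username AWS --password-stdin "$registry"
}
```

In a job, source this file and call `ecr_login` before `docker push`; it returns 2 for a bad account ID, 3 for a missing CLI and 4 for a token failure.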