Skip to content

Can not authenticate a job with ECR, DOCKER_AUTH_CONFIG variable doesn't work

I'm running runners on our own server in docker container. I want to use a job image from out\r private ECR repository. I'm following the https://docs.gitlab.com/ee/ci/docker/using_docker_images.html doc and added the docker-credential-ecr-login package to the runner alpine image. When running the runner, I pass AWS credentials:

docker run \
 -e AWS_ACCESS_KEY_ID=$ACCESS_KEY \
 -e AWS_SECRET_ACCESS_KEY=$SECRET_KEY \
 -e CACHE_BUCKET=<bucket> \
 -e CACHE_REGION=$CACHE_REGION \
 -e TOKEN=$TOKEN \
 --name=gitlab-runner-XX \
 --restart unless-stopped \
 -m 2G \
 --privileged \
 -v /var/run/docker.sock:/var/run/docker.sock \
 $DOCKER_REGISTRY/gitlab-runner-on-prem:$TAG

In the .gitlab-ci.yml I've added the following variable:

variables:
  DOCKER_AUTH_CONFIG: '{"credsStore": "ecr-login"}'

But when I'm running this job with a private image, I'm getting the following error:

Pulling docker image <account-id>.dkr.ecr.ap-northeast-1.amazonaws.com/<image> ...
WARNING: Failed to pull image with policy "always": Error response from daemon: Head "https://<account-id>.dkr.ecr.ap-northeast-1.amazonaws.com/v2/<image>/manifests/latest": no basic auth credentials (manager.go:205:0s)
ERROR: Preparation failed: failed to pull image "<account-id>.dkr.ecr.ap-northeast-1.amazonaws.com/<image>" with specified policies [always]: Error response from daemon: Head "https://<account-id>.dkr.ecr.ap-northeast-1.amazonaws.com/v2/<image>/manifests/latest": no basic auth credentials (manager.go:205:0s)

When I get into the runner running container, I see AWS credentials and can access the helper:

# env
DOCKER_MACHINE_VERSION=0.16.2
HOSTNAME=f0abb1fdae2a
SHLVL=1
HOME=/root
GITLAB_RUNNER_VERSION=14.1.0
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
AWS_ACCESS_KEY_ID=<key>
AWS_SECRET_ACCESS_KEY=<secret>
PWD=/runner-custom

# docker-credential-ecr-login list
{"https://public.ecr.aws":"AWS"}

# docker-credential-ecr-login version
0.6.3

What I'm doing wrong?

Edited by Alex Pravdin