AWS ECR GetAuthorizationToken Issue

Question

I have Jenkins setup for deploying my docker images to a Amazon ECR repository.
I have enabled 2FA in my AWS account for the IAM user. I have attached all admin polices to my IAM User. I am following the below command to push my docker image source to Amazon ECR repository.

aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token

Ref Link : https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

Jenkins Code:

export aws configure

export AWS_ACCESS_KEY_ID=AKIAJ6CAU****

export AWS_SECRET_ACCESS_KEY=TRXaGmEHN5******

export AWS_DEFAULT_REGION=eu-west-2

$(aws ecr get-login --no-include-email --region eu-west-2)

docker tag add-product:latest 06423123213.dkr.ecr.eu-west-2.amazonaws.com/add-product:$BUILD_NUMBER

docker push 06423123213.dkr.ecr.eu-west-2.amazonaws.com/add-product:$BUILD_NUMBER

I have facing the issue when I deploy to Amazon ECR.

1. "An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials"

2. "An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code"

Ref Link : AWS ECR GetAuthorizationToken

Answer 1

See if the AWS-generated AWS_SECRET_ACCESS_KEY has /. If you have the / generate a new AWS_SECRET_ACCESS_KEY without and add that it will work.

Answer 2

anyway ECR token has a short expiry cycle, you can try to use ecr credential helper instead. and point your docker to leverage on the helper

{
"credHelpers": {
    "aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
}

}

refer: https://lwpro2.wordpress.com/2019/10/30/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/