Reputation: 121
I am learning CodePipeline and trying to push the build to ECR using CodeBuild. Below are my buildspec.yml file and the error from the CodeBuild logs. Can anyone shed some light on what I am doing wrong? Thanks in advance.
buildspec.yml

```yaml
version: 0.2
phases:
  pre_build:
    commands:
      - echo Logging in to Amazon ECR.....
      - aws --version
      - $(aws ecr get-login --no-include-email --region us-east-1)
      - REPOSITORY_URI=989066xxxxxx.dkr.ecr.us-east-1.amazonaws.com/ecs-cicd-nginx
      - IMAGE_TAG=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)
  build:
    commands:
      - echo Build started on `date`
      - echo Building the Docker image...
      - docker build -t $REPOSITORY_URI:$IMAGE_TAG .
  post_build:
    commands:
      - echo Build completed on `date`
      - echo Pushing the Docker images...
      - docker push $REPOSITORY_URI:$IMAGE_TAG
      - echo Writing image definitions file...
      - printf '[{"name":"ecs-cicd-nginx","imageUri":"%s"}]' $REPOSITORY_URI:$IMAGE_TAG > imagedefinitions.json
artifacts:
  files: imagedefinitions.json
```
error logs:

```
[Container] 2021/07/13 11:13:22 Running command aws --version
aws-cli/2.1.38 Python/3.8.8 Linux/4.14.225-121.362.amzn1.x86_64 exec-env/AWS_ECS_EC2 exe/x86_64.ubuntu.20 prompt/off

[Container] 2021/07/13 11:13:26 Running command $(aws ecr get-login --no-include-email --region us-east-1)

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help

aws: error: argument operation: Invalid choice, valid choices are:

batch-check-layer-availability | batch-delete-image
batch-get-image | complete-layer-upload
create-repository | delete-lifecycle-policy
delete-registry-policy | delete-repository
delete-repository-policy | describe-image-scan-findings
describe-images | describe-registry
describe-repositories | get-authorization-token
get-download-url-for-layer | get-lifecycle-policy
get-lifecycle-policy-preview | get-registry-policy
get-repository-policy | initiate-layer-upload
list-images | list-tags-for-resource
put-image | put-image-scanning-configuration
put-image-tag-mutability | put-lifecycle-policy
put-registry-policy | put-replication-configuration
set-repository-policy | start-image-scan
start-lifecycle-policy-preview | tag-resource
untag-resource | upload-layer-part
get-login-password | wait
help

[Container] 2021/07/13 11:13:26 Command did not exit successfully $(aws ecr get-login --no-include-email --region us-east-1) exit status 252
[Container] 2021/07/13 11:13:26 Phase complete: PRE_BUILD State: FAILED
[Container] 2021/07/13 11:13:26 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: $(aws ecr get-login --no-include-email --region us-east-1). Reason: exit status 252
```
Upvotes: 5
Views: 13299
Reputation: 2929
For me, the problem was that I was using `$()` with the `get-login-password` command:

```yaml
- $(aws ecr get-login-password --region REGION | docker login --username AWS --password-stdin DOCKER_ID.dkr.ecr.REGION.amazonaws.com)
```

Removing `$()` worked:

```yaml
- aws ecr get-login-password --region REGION | docker login --username AWS --password-stdin DOCKER_ID.dkr.ecr.REGION.amazonaws.com
```
Upvotes: 10
Reputation: 778
The problem here is probably the CodeBuild permission; the role should be like the one below. Pay attention to ecr:GetAuthorizationToken, it's the one you are missing. Without this permission you cannot log in to ECR.
```yaml
CodeBuildRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - codebuild.amazonaws.com
          Action:
            - "sts:AssumeRole"
    Policies:
      - PolicyName: "PushImageToEcr"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - ecr:BatchGetImage
                - ecr:BatchCheckLayerAvailability
                - ecr:CompleteLayerUpload
                - ecr:GetDownloadUrlForLayer
                - ecr:InitiateLayerUpload
                - ecr:PutImage
                - ecr:UploadLayerPart
                - ecr:GetAuthorizationToken
              # ecr:GetAuthorizationToken only accepts Resource "*"; the other
              # ECR actions can be limited to the repository ARN.
              Resource: "*"
      - PolicyName: "CodeBuildLogsRole"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource:
                - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*"
      - PolicyName: "GetAndPutArtifacts"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - s3:GetObject
                - s3:PutObject
                - s3:ListBucket
              Resource:
                - !GetAtt ArtifactBucket.Arn
                - !Sub ${ArtifactBucket.Arn}/*
```
Upvotes: 1
Reputation: 5409
According to the CLI documentation, `get-login` is deprecated in version 2.x of the CLI. It does not exist in the most recent versions.

Use `get-login-password` instead.

Here's an example from the CodeBuild documentation:

```sh
aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com
```
Upvotes: 5
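An added example, not part of the question or of any answer above: a small POSIX shell helper for the `pre_build` phase that checks which login subcommand the installed CLI supports, validates the registry host, and pipes the token to `docker login` over stdin instead of evaluating command output. The function names and the file name `ecr-login.sh` are hypothetical, and the 1.17.10 cutoff for `get-login-password` in CLI v1 is stated as an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): ECR login helper for a buildspec.
# Hypothetical usage in pre_build:
#   . ./ecr-login.sh && ecr_login "$AWS_ACCOUNT_ID" "$AWS_DEFAULT_REGION"

# Map an `aws --version` line to the login subcommand that CLI supports.
# Assumption: get-login-password exists in v2 and in v1 from 1.17.10 onward.
ecr_login_method() {
    ver=${1#aws-cli/}; ver=${ver%% *}     # "aws-cli/2.1.38 Python/..." -> "2.1.38"
    case "$ver" in *[!0-9.]*|"") return 2 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    [ $# -eq 3 ] && [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 2
    if [ "$1" -ge 2 ]; then
        echo get-login-password
    elif [ "$2" -gt 17 ] || { [ "$2" -eq 17 ] && [ "$3" -ge 10 ]; }; then
        echo get-login-password
    else
        echo get-login                    # gone in v2: the "Invalid choice" error
    fi
}

# Build the registry host; reject an empty or malformed account id or region
# so an unset variable cannot yield a host like ".dkr.ecr..amazonaws.com".
ecr_registry_host() {
    case "$1" in *[!0-9]*|"") return 2 ;; esac
    [ "${#1}" -eq 12 ] || return 2
    case "$2" in *[!a-z0-9-]*|"") return 2 ;; esac
    echo "$1.dkr.ecr.$2.amazonaws.com"
}

# Log in without wrapping the pipeline in $(...) and without -p on a command line.
ecr_login() {
    host=$(ecr_registry_host "$1" "$2") || { echo "bad account id or region" >&2; return 2; }
    method=$(ecr_login_method "$(aws --version 2>&1)") || return 2
    if [ "$method" != get-login-password ]; then
        echo "AWS CLI lacks get-login-password; upgrade it" >&2
        return 1
    fi
    # If this call fails (for example, ecr:GetAuthorizationToken is not
    # allowed), stop here instead of handing docker an empty password.
    token=$(aws ecr get-login-password --region "$2") || return 1
    # printf is a shell builtin, so the token never appears in a process argv.
    printf '%s' "$token" | docker login --username AWS --password-stdin "$host"
}
```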