
Login to AWS ECR fails #119

Closed
mj3c opened this issue Mar 3, 2020 · 5 comments
Labels
area/runner Relating to errors in the runner kind/question Further information is requested meta/duplicate This issue or pull request already exists

Comments


mj3c commented Mar 3, 2020

I am trying to execute the GitHub action to push a Docker image to AWS ECR, specifically this one. However, even after supplying the access key, secret key and region, this is the output:

[...] Run Login to Amazon ECR
[...] ☁  git clone 'https://github.com/aws-actions/amazon-ecr-login' # ref=v1
[...] 🐳  docker cp src=/home/milosjajac/.cache/act/aws-actions-amazon-ecr-login@v1 dst=/actions/
[...] ⚙  ::set-output:: registry=072822818685.dkr.ecr.eu-central-1.amazonaws.com
[...] ❗  ::error::Unable to locate executable file: docker. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable.
[...] ❌  Failure - Login to Amazon ECR

Here is a job definition in order to reproduce this:

    steps:
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: eu-central-1

    - name: Login to Amazon ECR
      id: login_ecr
      uses: aws-actions/amazon-ecr-login@v1

There is a docker login in the index.js of that action, I guess that is where it fails, but how can I make this pass? Am I doing something wrong or would this be a feature request?

cplee (Contributor) commented Mar 3, 2020

Check out #107

Need to override the docker image that act uses

@cplee cplee added area/runner Relating to errors in the runner kind/question Further information is requested labels Mar 3, 2020
mj3c (Author) commented Mar 3, 2020

Ahh yes, I checked the other issues but not thoroughly enough.

It is a bit inconvenient that you have to choose between full compatibility with GitHub Actions by default and making your users pull an 18GB image, but your choice makes sense I think. This can be closed.

In any case, thank you for a prompt response and for providing an option for this!

@cplee cplee added the meta/duplicate This issue or pull request already exists label Mar 3, 2020
@cplee cplee closed this as completed Mar 3, 2020
sirkuttin commented:

> Check out #107
>
> Need to override the docker image that act uses

which docker image can I use today to be able to perform the login via OIDC?

matwerber1 commented:

> > Check out #107
> > Need to override the docker image that act uses
>
> which docker image can I use today to be able to perform the login via OIDC?

+1, I think I'm running into this issue.

Trying to use AWS's OIDC action. Partial excerpt below:

name: AWS CDK Deploy

on:
  push:
    branches:
      - main
      - develop

permissions:
  id-token: write
  contents: read

jobs:
  AssumeRoleAndDeploy:
    runs-on: ubuntu-latest
    environment:
      name: ${{ (github.ref == 'refs/heads/main') && 'aws_prod_v2' || 'aws_staging_v2' }}
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3

      - name: Print Environment Variables for Debugging
        run: |
          echo "Repository Name: ${{ github.repository }}"
          echo "Branch Name: ${{ github.ref_name }}"
          echo "Environment Name: ${{ vars.environment }}"
          echo "AWS Account ID: ${{ vars.AWS_ACCOUNT_ID }}"
          echo "AWS Region: ${{ vars.AWS_REGION }}"
          echo "IAM Role Name: ${{ vars.GH_ACTION_IAM_ROLE_NAME }}"


      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4.0.1
        with:
          role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.GH_ACTION_IAM_ROLE_NAME }}"
          aws-region: ${{ vars.AWS_REGION }}
          role-skip-session-tagging: true # required for the OIDC method of credential retrieval we're using

      - name: Log assumed IAM role
        run: aws sts get-caller-identity

Getting this error:

[AWS CDK Deploy/AssumeRoleAndDeploy]   🐳  docker exec cmd=[node /var/run/act/actions/aws-actions-configure-aws-credentials@v4.0.1/dist/index.js] user= workdir=
| It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission? If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.

ChristopherHX (Contributor) commented:

> which docker image can I use today to be able to perform the login via OIDC?

none.

If you could authenticate using act via OIDC to aws, an attacker could do it as well.

  • OIDC connect tokens are signed by the GitHub Actions service
  • There is no API to manually request access to get an OIDC token URL
  • The OIDC token should create a trust between your AWS account and GitHub Actions
  • The OIDC is meant to be used to limit trust to deployment environments; these jobs themselves have additional protections

At most you could locally get a self-signed OIDC token, which is rejected by AWS as long as you don't register your own JWK key as a trusted OIDC source.

If you want to go the self-signed OIDC way I can help you to get this working by porting my fake OIDC provider to nektos/act. This is implemented in my similar project for emulating GitHub Actions.
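
The trust argument in the comment above, worked through as an added example; this is not code from the thread, from nektos/act, or from any fake OIDC provider. The relying party (the AWS side) is modelled as an in-memory set of registered public keys indexed by kid, standing in for the JWKS that AWS fetches from the issuer URL configured on an IAM OIDC identity provider. The issuer URL is GitHub's real Actions token issuer and `sts.amazonaws.com` is the audience configure-aws-credentials requests by default; the key ids `gh-key-1` and `local-1` and the subject `repo:example/repo:environment:aws_prod_v2` are constructed for the example. Two keys are generated: one plays GitHub's signing key, the other is a key a local act run could mint tokens with. The locally signed token fails even when its header borrows the trusted kid, and only starts verifying once its public half is registered, which is exactly the "register your own JWK as a trusted source" step the comment describes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a GitHub Actions OIDC token a trust policy usually conditions on.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// TrustedKeys stands in for the JWKS the relying party (AWS) fetched from its configured issuer, by kid.
type TrustedKeys map[string]*rsa.PublicKey

// MintToken signs claims as an RS256 JWT with any key; whether that key counts is the verifier's call.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyToken is the relying-party check: pin alg, resolve kid against registered keys, verify, then iss/aud/exp.
func VerifyToken(tok string, trusted TrustedKeys, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or unsupported alg") // the token never gets to pick the alg
	}
	pub, ok := trusted[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("kid %q is not a registered signing key", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify against kid %q", hdr.Kid)
	}
	var c Claims
	if raw, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad claims")
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, fmt.Errorf("issuer %q / audience %q not accepted", c.Iss, c.Aud)
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// RunScenario replays the thread's trust argument with a "GitHub" key and a local key; reports what verified.
func RunScenario() (accepted map[string]bool, sub string, err error) {
	const issuer = "https://token.actions.githubusercontent.com" // GitHub's real issuer URL
	const audience = "sts.amazonaws.com"                          // aud configure-aws-credentials uses
	now := time.Now()
	claims := Claims{Iss: issuer, Sub: "repo:example/repo:environment:aws_prod_v2", // constructed subject
		Aud: audience, Exp: now.Add(5 * time.Minute).Unix()}
	githubKey, err := rsa.GenerateKey(rand.Reader, 2048)
	localKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil || err2 != nil {
		return nil, "", fmt.Errorf("key generation failed")
	}
	trusted := TrustedKeys{"gh-key-1": &githubKey.PublicKey} // the one registered key; kid is constructed
	accepted = map[string]bool{}
	try := func(name string, key *rsa.PrivateKey, kid string) {
		tok, _ := MintToken(key, kid, claims)
		c, err := VerifyToken(tok, trusted, issuer, audience, now)
		accepted[name] = err == nil
		if err == nil && sub == "" {
			sub = c.Sub
		}
	}
	try("github-signed", githubKey, "gh-key-1")    // what the real service issues
	try("local-signed", localKey, "local-1")       // what act could mint on its own
	try("local-spoofed-kid", localKey, "gh-key-1") // borrowing the trusted kid does not help
	trusted["local-1"] = &localKey.PublicKey       // the "register your own JWK" path
	try("local-after-register", localKey, "local-1")
	return accepted, sub, nil
}
```

The verifier side is what matters for the point made above: it never asks the token which algorithm or key to use, it only resolves `kid` against keys it already trusts, so a token minted inside a local act run is indistinguishable from an attacker's until its signing key is deliberately registered with the cloud account. Real AWS adds issuer-URL and thumbprint pinning on top of this and evaluates the `sub` against the role trust policy, which this example leaves to the caller.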
