jib: ECR authentication 401 error

Hi, I am trying to push image to my private ECR registry using specific credentials and receive 401 error with com.google.cloud.tools.jib.registry.RegistryUnauthorizedException.

Here is my gradle file:

plugins {
	id 'org.springframework.boot' version '2.1.3.RELEASE'
	id 'java'
  	id 'com.google.cloud.tools.jib' version '1.0.2'
}

apply plugin: 'io.spring.dependency-management'

group = 'jib.example'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = '1.8'

jib {
  to {
    image = 'ecrregistryname/imagename'
    auth {
      username = 'myusername'
      password = 'mypass'
    }
  }
}

repositories {
	mavenCentral()
}

dependencies {
	implementation 'org.springframework.boot:spring-boot-starter'
	testImplementation 'org.springframework.boot:spring-boot-starter-test'
}

When I run ‘./gradlew jib’ command for build and send image to registry I receive this stack trace:

➜  demo ./gradlew jib
Starting a Gradle Daemon (subsequent builds will be faster)

Containerizing application to ecrregistryname/imagename...

Container entrypoint set to [java, -cp, /app/resources:/app/classes:/app/libs/*, jib.example.demo.DemoApplication]
Executing tasks:
[===================           ] 63.3% complete
> pushing blob sha256:1d5094f53ae36d97e43cba46c...
> pushing blob sha256:fa01784221323d6d567b4da1c...
> pushing blob sha256:92e3c1d4d4f8e6d49263af6c8...
> pushing blob sha256:5f5edd681dcbc3a4a9df93e20...
> pushing blob sha256:3e010093287c245d72a774033...
> pushing blob sha256:41d633039bbf795b04c097c6f...
> pushing blob sha256:6cf9238d11686a3fe2c4cf833...

> Task :jib FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':jib'.
> com.google.cloud.tools.jib.plugins.common.BuildStepsExecutionException: Build image failed, perhaps you should make sure your credentials for 'ecrregistryname' are set up correctly

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.
Got more than one input Future failure. Logging failures after the first
com.google.cloud.tools.jib.registry.RegistryUnauthorizedException: Unauthorized for ecrregistryname/imagename
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:271)
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.callWithAllowInsecureRegistryHandling(RegistryEndpointCaller.java:152)
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:142)
        at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint(RegistryClient.java:356)
        at com.google.cloud.tools.jib.registry.RegistryClient.checkBlob(RegistryClient.java:241)
        at com.google.cloud.tools.jib.builder.steps.PushBlobStep.call(PushBlobStep.java:116)
        at com.google.cloud.tools.jib.builder.steps.PushBlobStep.call(PushBlobStep.java:40)
        at com.google.common.util.concurrent.CombinedFuture$CallableInterruptibleTask.runInterruptibly(CombinedFuture.java:180)
        at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:57)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.google.api.client.http.HttpResponseException: 401 Unauthorized
        at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1102)
        at com.google.cloud.tools.jib.http.Connection.send(Connection.java:200)
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:232)
        ... 11 more

Got more than one input Future failure. Logging failures after the first
com.google.cloud.tools.jib.registry.RegistryUnauthorizedException: Unauthorized for 555818183070.dkr.ecr.us-east-2.amazonaws.com/jib-demo
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:271)
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.callWithAllowInsecureRegistryHandling(RegistryEndpointCaller.java:152)
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:142)
        at com.google.cloud.tools.jib.registry.RegistryClient.callRegistryEndpoint(RegistryClient.java:356)
        at com.google.cloud.tools.jib.registry.RegistryClient.checkBlob(RegistryClient.java:241)
        at com.google.cloud.tools.jib.builder.steps.PushBlobStep.call(PushBlobStep.java:116)
        at com.google.cloud.tools.jib.builder.steps.PushBlobStep.call(PushBlobStep.java:40)
        at com.google.common.util.concurrent.CombinedFuture$CallableInterruptibleTask.runInterruptibly(CombinedFuture.java:180)
        at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:57)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.google.api.client.http.HttpResponseException: 401 Unauthorized
        at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1102)
        at com.google.cloud.tools.jib.http.Connection.send(Connection.java:200)
        at com.google.cloud.tools.jib.registry.RegistryEndpointCaller.call(RegistryEndpointCaller.java:232)
        ... 11 more
* Get more help at https://help.gradle.org

As I understand this could be an issue with http/https proxy. In documentation I found this section - https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#how-do-i-configure-a-proxy, but I didn’t find how exactly build command should look like in my simple case to fix this issue. Could you please create some example how to do it?

Also, I tried to use allowInsecureRegistries flag, but this wasn’t have any impact on this issue.

Thank you!

About this issue

Original URL
State: closed
Created 5 years ago
Comments: 15 (7 by maintainers)

Most upvoted comments

Yes, I misunderstood the idea of proxy here. This is exactly not what I looking for. @briandealwis @chanseokoh you were right the problem was with credentials. Instead of using credentials provided by ‘aws ecr get-login --no-include-email’ I was using user credentials. Thank you for help! The gradle.build version which work for me looks like this:

plugins {
	id 'org.springframework.boot' version '2.1.3.RELEASE'
	id 'java'
  	id 'com.google.cloud.tools.jib' version '1.0.2'
}

apply plugin: 'io.spring.dependency-management'

group = 'jib.example'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = '1.8'

jib {
  to {
    image = '555818183070.dkr.ecr.us-east-2.amazonaws.com/jib-demo'
    auth {
      username = 'AWS'
      password = 'aws ecr get-login --no-include-email --region us-east-2'.execute().text.split(" ")[5]
    }
  }
}

repositories {
	mavenCentral()
}

dependencies {
	implementation 'org.springframework.boot:spring-boot-starter'
	testImplementation 'org.springframework.boot:spring-boot-starter-test'
}

Also, as the information that for login to ECR we should use a password from ‘aws ecr get-login --no-include-email’ is not present in jib README file maybe it’s something that can be improved.

Thanks!

mboldysh on Jul 26, 2020

Hi @kunalnov Looks like your Gitlab CI job doesn’t have AWS CLI installed so that when you run aws ecr get-login --no-include-email --region ap-southeast-2 in the password section you received this error. So, you need to install AWS CLI and login to you AWS account before run gradle command

mboldysh on Oct 10, 2021

Hi @briandealwis. As I understand there are two opportunities for login to ECR which described here - https://github.com/GoogleContainerTools/jib/tree/master/jib-gradle-plugin#authentication-methods. I want to use the second approach - “Using Specific Credentials” which as I understand doesn’t require any credential helpers, but only username and password, is it correct?

mboldysh on Mar 14, 2019