
fresh-spring-82225

03/29/2023, 2:51 AM
I’m building a container with awsx.ecr.Image in a github action. In update mode it works fine, but in preview mode it fails with this message:
awsx:ecr:Image ([image-name]):
   error: Head "https://***.dkr.ecr.us-east-2.amazonaws.com/v2/[redacted]/manifests/latest": no basic auth credentials
where the URL is my FROM image in a private ecr repo. Anyone else seen this peculiar failure mode?

steep-toddler-94095

03/29/2023, 4:59 AM
is it consistently failing in preview even after you've authenticated with ECR?

fresh-spring-82225

03/29/2023, 5:50 AM
Yes. The github action has the following
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: us-east-2
          role-to-assume: arn:aws:iam::[account id]:role/[pulumi role]
          role-session-name: pulumi-up
          role-duration-seconds: 900

      - name: Use Node.js
        uses: actions/setup-node@v3
        with:
          node-version: 16

      - run: yarn install --frozen-lockfile
        working-directory: ${{ env.PULUMI_WORKING_DIRECTORY }}

      - name: PR previews
        if: ${{ github.event_name == 'pull_request' }}
        uses: pulumi/actions@v3
        with:
          command: preview
          comment-on-pr: true
          stack-name: ${{ env.PULUMI_STACK_NAME }}
          work-dir: ${{ env.PULUMI_WORKING_DIRECTORY }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Apply infrastructure update
        if: ${{ github.event_name == 'push' }}
        uses: pulumi/actions@v3
        with:
          command: up
          stack-name: ${{ env.PULUMI_STACK_NAME }}
          work-dir: ${{ env.PULUMI_WORKING_DIRECTORY }}
so the up step should have the same authentication as the preview step, right?

steep-toddler-94095

03/29/2023, 4:55 PM
yeah, up and preview should have the same auth unless preview runs code that adds additional auth. if it does not it's puzzling why there is a difference but a main issue here is your github actions workflow does not do ECR login. configuring aws credentials isn't enough to pull from a private ECR repo

fresh-spring-82225

03/29/2023, 6:46 PM
ah, thanks for that!
but also strange that the up succeeds without aws-actions/amazon-ecr-login 🤔

steep-toddler-94095

03/29/2023, 9:50 PM
yeah i'm not sure what's up with that 🤷 possibly you are using shared non-ephemeral runners and the up jobs just happened to use runners that were already authenticated with ECR from another job?

fresh-spring-82225

03/29/2023, 10:32 PM
that possibility is a little worrying