Push a container to Lightsail with AssumeRole and MFA

Question

We are using roles as best practices to access our various environments. I have set up my `~/.aws/config` with the role:
```
[profile dev]
source_profile=default
role_arn=arn:aws:iam::987654321:role/MyRole
mfa_serial = arn:aws:iam::123456789:mfa/MyUser
```
This works fine and I am prompted for my MFA code when running cli commands as expected and all is ok.

However, when I run `aws lightsail push-container-image` with the Lightsail Control (lightsailctl) plugin I get an error:

```
AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.
Command '['lightsailctl', '--plugin', '--input-stdin']' returned non-zero exit status 1.
```

I tried the other method of calling `aws lightsail register-container-image`. This requires the `--digest` flag, so I built and pushed my image to our GitLab image registry:

```
docker build -t registry.gitlab.com/myorg/myimage:latest .
docker push registry.gitlab.com/myorg/myimage:latest
```
I then get the digest using `docker images --digests`. But when I run `aws lightsail register-container-image` I get 
```
An error occurred (NotFoundException) when calling the RegisterContainerImage operation: Image with digest "sha256:7494ec375bd1948670750289069cfbb0caa7c08eaae821674ee5a54b0ee422d5" not found.
```
I get the same `NotFoundException` if I push to AWS ECR.

If I try to push to the Lightsail ECR reference after login I cannot connect and the layers are stuck retrying...

```
PS > cat pwd.txt | docker login 585224773020.dkr.ecr.ap-southeast-2.amazonaws.com -u AWS --password-stdin
Login Succeeded
PS > docker build -t 585224773020.dkr.ecr.ap-southeast-2.amazonaws.com/myorg/myimage:latest .
[+] Building 3.3s (17/17) FINISHED
PS > docker push 585224773020.dkr.ecr.ap-southeast-2.amazonaws.com/myorg/myimage:latest      
The push refers to repository [585224773020.dkr.ecr.ap-southeast-2.amazonaws.com/myorg/myimage]
a7cb1ff97502: Retrying in 10 seconds
762b147902c0: Retrying in 10 seconds
235e04e3592a: Retrying in 10 seconds
6173b6fa63db: Retrying in 10 seconds
9a94c4a55fe4: Retrying in 10 seconds
9a3a6af98e18: Waiting
7d0ebbe3f5d2: Waiting
EOF
```

Accepted Answer

Thanks, yes it appears `mfa_serial` is not useful in this scenario. Here are the steps I took to push an image: 1. Set up your default profile in **~/.aws/credentials** so you can call `get-session-token`: ``` [default] aws_access_key_id=example-access-Key-for-an-IAM-user aws_secret_access_key=example-secret-access-key-for-IAM-user ``` 2. Set up a profile in **~/.aws/credentials** to use with Lightsail: ``` [mfa] aws_access_key_id= aws_secret_access_key= aws_session_token= ``` 3. Create an entry in **~/.aws/config** for your role that will use the `[mfa]` profile: ``` [profile mfa-dev] source_profile=mfa role_arn=arn:aws:iam:::role/ ``` 4. Call `get-session-token`, passing in the token code from your MFA device: ``` $ aws --profile default sts get-session-token --serial-number arn:aws:iam:::mfa/ --token-code xxxxxx ``` 5. This will return credentials in JSON format. Copy the JSON values into your `[mfa]` profile in**~/.aws/credentials** : ``` [mfa] aws_access_key_id= aws_secret_access_key= aws_session_token= ``` 6. Set your environment to use the `[mfa-dev]` profile (this is in Powershell): ``` $env:AWS_PROFILE = "mfa-dev" ``` 7. Push the image ``` $ aws lightsail push-container-image --service-name --label --image ```

Answer

I think you'll need to authenticate with MFA before running the "push" command. These instructions might be helpful: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

Push a container to Lightsail with AssumeRole and MFA

Relevanter Inhalt