Push a container to Lightsail with AssumeRole and MFA

0

We are using roles as best practices to access our various environments. I have set up my ~/.aws/config with the role:

[profile dev]
source_profile=default
role_arn=arn:aws:iam::987654321:role/MyRole
mfa_serial = arn:aws:iam::123456789:mfa/MyUser

This works fine and I am prompted for my MFA code when running cli commands as expected and all is ok.

However, when I run aws lightsail push-container-image with the Lightsail Control (lightsailctl) plugin I get an error:

AssumeRoleTokenProviderNotSetError: assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.
Command '['lightsailctl', '--plugin', '--input-stdin']' returned non-zero exit status 1.

I tried the other method of calling aws lightsail register-container-image. This requires the --digest flag, so I built and pushed my image to our GitLab image registry:

docker build -t registry.gitlab.com/myorg/myimage:latest .
docker push registry.gitlab.com/myorg/myimage:latest

I then get the digest using docker images --digests. But when I run aws lightsail register-container-image I get

An error occurred (NotFoundException) when calling the RegisterContainerImage operation: Image with digest "sha256:7494ec375bd1948670750289069cfbb0caa7c08eaae821674ee5a54b0ee422d5" not found.

I get the same NotFoundException if I push to AWS ECR.

If I try to push to the Lightsail ECR reference after login I cannot connect and the layers are stuck retrying...

PS > cat pwd.txt | docker login 585224773020.dkr.ecr.ap-southeast-2.amazonaws.com -u AWS --password-stdin
Login Succeeded
PS > docker build -t 585224773020.dkr.ecr.ap-southeast-2.amazonaws.com/myorg/myimage:latest .
[+] Building 3.3s (17/17) FINISHED
PS > docker push 585224773020.dkr.ecr.ap-southeast-2.amazonaws.com/myorg/myimage:latest      
The push refers to repository [585224773020.dkr.ecr.ap-southeast-2.amazonaws.com/myorg/myimage]
a7cb1ff97502: Retrying in 10 seconds
762b147902c0: Retrying in 10 seconds
235e04e3592a: Retrying in 10 seconds
6173b6fa63db: Retrying in 10 seconds
9a94c4a55fe4: Retrying in 10 seconds
9a3a6af98e18: Waiting
7d0ebbe3f5d2: Waiting
EOF
2 Answers
1

I think you'll need to authenticate with MFA before running the "push" command. These instructions might be helpful: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

Alex
answered 10 months ago
0
Accepted Answer

Thanks, yes it appears mfa_serial is not useful in this scenario. Here are the steps I took to push an image:

  1. Set up your default profile in ~/.aws/credentials so you can call get-session-token:
[default]
aws_access_key_id=example-access-Key-for-an-IAM-user
aws_secret_access_key=example-secret-access-key-for-IAM-user
  1. Set up a profile in ~/.aws/credentials to use with Lightsail:
[mfa]
aws_access_key_id=<not available yet>
aws_secret_access_key=<not available yet>
aws_session_token=<not available yet>
  1. Create an entry in ~/.aws/config for your role that will use the [mfa] profile:
[profile mfa-dev]
source_profile=mfa
role_arn=arn:aws:iam::<account_id>:role/<role>
  1. Call get-session-token, passing in the token code from your MFA device:
$ aws --profile default sts get-session-token --serial-number arn:aws:iam::<account_id>:mfa/<user>  --token-code xxxxxx
  1. This will return credentials in JSON format. Copy the JSON values into your [mfa] profile in**~/.aws/credentials** :
[mfa]
aws_access_key_id=<value from JSON>
aws_secret_access_key=<value from JSON>
aws_session_token=<value from JSON>
  1. Set your environment to use the [mfa-dev] profile (this is in Powershell):
 $env:AWS_PROFILE = "mfa-dev"
  1. Push the image
$ aws lightsail push-container-image --service-name <service> --label <label> --image <image>
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions