Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

AWS IoT Greengrass: Running component as docker image results in "no basic auth credentials" error

0

I am testing one of my greengrass components as a docker image but keep running "no basic auth credentials" when the docker run command executes in my recipe file. I followed the guide here as closely as I could: https://docs.aws.amazon.com/greengrass/v2/developerguide/run-docker-container.html#run-docker-container-private-ecr

I created the image and stored in a private ecs repository. I installed docker (on raspberry pi 4b) version 20.10.24 which is the highest version supported according to the docs. I added ecr permissions to my greengrass token exchange role, and added permissions for the token exchange role to the ecr repo. I deployed TokenExchangeService and DockerApplicationManager.

Here is my recipe: ComponentDependencies: aws.greengrass.TokenExchangeService: VersionRequirement: ~2.0.0 aws.greengrass.DockerApplicationManager: VersionRequirement: ~2.0.0 ... Manifests:

  • Platform: os: all Lifecycle: Run: | docker ************.dkr.ecr.us-west-2.amazonaws.com/uicomponent-staging:latest Artifacts:
    • URI: "************.dkr.ecr.us-west-2.amazonaws.com.dkr.ecr.us-west-2.amazonaws.com/uicomponent-staging:latest"

Here are my component logs when greengrass attempts to start the component: Unable to find image '.dkr.ecr.us-west-2.amazonaws.com/uicomponent-staging:latest' locally. docker: Error response from daemon: Head "https://.dkr.ecr.us-west-2.amazonaws.com/v2/uicomponent-staging/manifests/latest": no basic auth credentials..

Its seems like docker is not receiving the credentials that the token exchange service should be supplying. Any insight into this would be greatly appreciated.

Topics
Internet of Things (IoT)Containers
Tags
Amazon Elastic Container Registry (ECR)AWS IoT CoreContainersAWS IoT Greengrass
Language
English
asked 9 months ago176 views
2 Answers
1

It appears that the issue you're experiencing is related to Docker authentication when trying to pull an image from a private Amazon ECR repository within your AWS IoT Greengrass component. This "no basic auth credentials" error typically occurs when Docker is unable to authenticate with ECR. Here are a few steps you can take to troubleshoot and potentially resolve this issue:

  1. Ensure that the TokenExchangeService component is running correctly. This component is responsible for providing the necessary credentials to access ECR. Check the logs of this component for any errors or issues.

  2. Verify that the IAM role associated with your Greengrass core device has the necessary permissions to access the ECR repository. The role should have, at minimum, the AmazonEC2ContainerRegistryReadOnly policy attached, or a custom policy that includes the ecr:BatchGetImage and ecr:GetDownloadUrlForLayer permissions.

  3. Check if there are any issues with the Docker credential helper. Some versions of Docker may have problems with the credential helper, particularly on Windows systems. If you're using a Windows system, you might need to rename the docker-credential-wincred program and update the Docker configuration file.

  4. Try manually authenticating Docker to ECR on your Greengrass core device using the AWS CLI. Run the following command:

    aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ************.dkr.ecr.us-west-2.amazonaws.com

    If this command succeeds, it indicates that your IAM permissions are correct, and the issue might be with how Greengrass is interacting with Docker.

  5. Ensure that your Docker version is compatible with the Greengrass DockerApplicationManager component. You mentioned using version 20.10.24, which should be compatible, but it's worth double-checking the Greengrass documentation for any specific version requirements or known issues.

  6. Review your component recipe. Ensure that the URI in the Artifacts section matches exactly with the image name in your Run command. Also, make sure there are no typos in the ECR repository URL.

If these steps don't resolve the issue, you may need to enable more verbose logging for both Docker and Greengrass to get more detailed error information. This can help identify if the problem is occurring at the Docker level, the Greengrass level, or somewhere in between.
Sources
Troubleshooting Docker commands and issues when using Amazon ECR - Amazon ECR
Can't pull a docker image from a private ECR repository inside an EC2 instance | AWS re:Post
Run a Docker container - AWS IoT Greengrass

answered 9 months ago
EXPERT
reviewed 9 months ago
0

even i am facing the same error, could you please help me if you have the answer

answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content