I have a problem running docker login against AWS ECR with PowerShell.
More specifically, I'm running it from a Jenkins pipeline on a Windows container (inside a K8S cluster) using the powershell step as follows:
powershell "aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin ****.dkr.ecr.eu-central-1.amazonaws.com"
but it fails with the following error:
09:24:32 At C:\Jenkins\agent\workspace\test\awsIamRole-Test@tmp\durable-e2ffd0da\powershellWrapper.ps1:3 char:1
09:24:32 + & powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Comm ...
09:24:32 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
09:24:32 + CategoryInfo : NotSpecified: (Error response ...400 Bad Request :String) [], RemoteException
09:24:32 + FullyQualifiedErrorId : NativeCommandError
The strange behavior is that if I run the command manually on the container (both on my local machine and on the cluster) everything works fine and the login is successful. Below there's the container's Dockerfile.
# escape=`
FROM mcr.microsoft.com/windows/servercore:1809
SHELL ["powershell"]
RUN Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
RUN choco install jq docker -y
RUN choco install awscli --version=2.1.15 -y
Since the container runs on an EC2 instance and I need to run Docker inside the container, I bind to the Docker socket of the underlying EC2 machine when launching the container on K8S, as shown below (it works, since docker ps from the pipeline shows the correct results).
- image: "****.dkr.ecr.eu-central-1.amazonaws.com/jenkins-container-templates/docker-awscli2-windows:latest"
  name: "docker-awscli2-windows"
  tty: true
  volumeMounts:
  - mountPath: "\\\\.\\pipe\\docker_engine"
    name: "docker-pipe"
volumes:
- hostPath:
    path: "\\\\.\\pipe\\docker_engine"
  name: "docker-pipe"
What could be the problem?
I managed to solve it.
It seems that the problem is related to how pipes are managed when running powershell on Jenkins and for some reason (that I haven't figured out yet), a new line is added before the token, so that instead of
token
the second part of the command gets as input

token
and it probably processes it as if there were no input at all, and the --password-stdin flag makes it fail with a BadRequest status.
Since I was unable to remove this new line, I used the following as a workaround:
powershell 'docker login --username AWS -p $(aws ecr get-login-password --region eu-central-1 ) ****.dkr.ecr.eu-central-1.amazonaws.com'
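An alternative that keeps --password-stdin, as an added example that is not part of the original answer: it strips whitespace and any byte-order mark from the token and writes the exact bytes to docker's stdin, so the token never appears on a command line as it does with -p. The registry host is the masked value from the post, and the script is assumed to run as the body of the Jenkins powershell step.

```powershell
# Added example (not from the original post).
$ErrorActionPreference = 'Stop'
$Region   = 'eu-central-1'
$Registry = '****.dkr.ecr.eu-central-1.amazonaws.com'   # masked in the post; use the real host

# 1. Capture the token into a variable instead of piping it straight on.
$raw = (aws ecr get-login-password --region $Region | Out-String)
if ($LASTEXITCODE -ne 0) { throw "aws ecr get-login-password failed ($LASTEXITCODE)" }

# 2. Remove every whitespace character (CR, LF, spaces) and a possible BOM,
#    wherever it was added. Assumption: the token itself contains no whitespace.
$token = $raw -replace '[\s\uFEFF]', ''
if ([string]::IsNullOrEmpty($token)) { throw 'Empty ECR token' }

# 3. Start docker with stdin redirected, so no PowerShell pipeline or
#    output-encoding setting sits between the token and docker.
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName              = 'docker.exe'
$psi.Arguments             = "login --username AWS --password-stdin $Registry"
$psi.UseShellExecute       = $false
$psi.RedirectStandardInput = $true
$proc = [System.Diagnostics.Process]::Start($psi)

# 4. Write the raw bytes to the underlying stream (no preamble, no newline).
$bytes = [System.Text.Encoding]::ASCII.GetBytes($token)
$stdin = $proc.StandardInput.BaseStream
$stdin.Write($bytes, 0, $bytes.Length)
$stdin.Flush()
$proc.StandardInput.Close()

# 5. Fail the pipeline step on a non-zero exit code; never echo the token.
$proc.WaitForExit()
if ($proc.ExitCode -ne 0) { throw "docker login failed ($($proc.ExitCode))" }
Write-Host "docker login to $Registry succeeded"
```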