Tags: amazon-web-services, github-actions, cicd, amazon-ecr

GitHub Actions: Error saving credentials: mkdir /github: permission denied


jobs:
  docker-build-push:
    name: Build and Push to ECR
    runs-on: ubuntu-latest

    permissions:
        id-token: write
        contents: read
    
    steps:
        - name: Checkout Code
          uses: actions/checkout@v3

        - name: Configure AWS Credentials via OIDC
          uses: aws-actions/configure-aws-credentials@v4
          with:
            role-to-assume: arn:aws:iam::<account>:role/<role_name>
            aws-region: <region>
        
        - name: Validate AWS Credentials
          run: aws sts get-caller-identity

        - name: Manual Login to Amazon ECR
          run: |
            export DOCKER_CONFIG=/github/home/.docker/config.json
            aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin <account>.dkr.ecr.<region>.amazonaws.com

I run the above workflow and confirm that my credentials are valid. I then attempt a manual ECR private registry login and it fails, though it doesn't seem to be because of IAM permissions; instead I see the error:

Error saving credentials: mkdir /github: permission denied

I tried to manually set the Docker config environment variable to stop it from writing to this random /github directory that doesn't exist and shouldn't be used, but nothing seems to change the outcome.

I ran docker info and it output the path of the config file as /github/home/.docker/config.json, so I know Docker is working. For testing, my OIDC GitHub Actions IAM role has "ecr:*" level permissions, so it shouldn't be a permissions issue.

Any idea why GitHub Actions keeps trying to write to this directory? It also happens if I use the https://github.com/aws-actions/amazon-ecr-login action.


Solution

  • The error occurs because the GitHub-hosted runner restricts creating or modifying directories in certain parts of the filesystem. Specifically, /github is not writable. The problem stems from the default value of the DOCKER_CONFIG environment variable pointing to /github/home/.docker.

    So, to solve this, use a temporary writable directory for the Docker config instead of relying on /github/home/.docker; set DOCKER_CONFIG to a writable path, such as /tmp/.docker:

        - name: Manual Login to Amazon ECR
          env:
            DOCKER_CONFIG: /tmp/.docker
          run: |
            aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account>.dkr.ecr.<region>.amazonaws.com
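The fix above hard-codes /tmp/.docker. As an added example (not from the question or the answer), the following shell helpers pick a DOCKER_CONFIG directory that the runner user can actually create, create it with mode 0700 because `docker login` writes the registry auth token into `$DOCKER_CONFIG/config.json` only base64-encoded unless a credential helper is configured, and remove that file once the step is done. The function names and the candidate paths are my own assumptions; the only fact taken from the page is that /github/home/.docker is the unwritable default.

```bash
#!/usr/bin/env bash
# Added example, not code from the original question or answer.
# Hypothetical helper names; the /github/home/.docker default and its
# "permission denied" failure are what the page reports.

# Return 0 if a directory can be created (or already exists) at $1 and the
# nearest existing ancestor is a writable directory, i.e. what `mkdir -p`
# would need. Prints nothing; the exit status is the answer.
docker_config_writable() {
  local dir="$1"
  local probe="$dir"
  # Walk upward until something exists; a regular file on the way
  # (e.g. /path/file/.docker) also makes the target unusable.
  while [ ! -e "$probe" ]; do
    probe="$(dirname "$probe")"
  done
  [ -d "$probe" ] && [ -w "$probe" ]
}

# Try each candidate path in order; create the first usable one with
# umask 077 so config.json (and the directories above it) are owner-only.
# Prints the chosen path; returns 1 if no candidate is usable.
choose_docker_config() {
  local candidate
  for candidate in "$@"; do
    if docker_config_writable "$candidate"; then
      (umask 077 && mkdir -p "$candidate") || continue
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Drop the stored auth token after the push so it does not outlive the step
# (the runner is ephemeral, but later steps in the same job can read /tmp).
cleanup_docker_config() {
  rm -f -- "$1/config.json"
}

# Typical use in a workflow step: prefer RUNNER_TEMP when GitHub sets it,
# fall back to /tmp, and never silently end up under /github.
if [ "${0##*/}" = "docker-config-demo.sh" ]; then
  DOCKER_CONFIG="$(choose_docker_config "${RUNNER_TEMP:-/nonexistent}/.docker" /tmp/.docker)" \
    || { echo "no writable DOCKER_CONFIG location" >&2; exit 1; }
  export DOCKER_CONFIG
  echo "using DOCKER_CONFIG=$DOCKER_CONFIG"
  # aws ecr get-login-password --region "$REGION" | docker login --username AWS --password-stdin "$REGISTRY"
  # ... docker push ...
  cleanup_docker_config "$DOCKER_CONFIG"
fi
```

Export the chosen path as DOCKER_CONFIG in the same `run:` block (or via `$GITHUB_ENV` if later steps need it) before calling `docker login`; the cleanup call belongs after the last push in the job.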