#private AWS ECR pull

I'm attempting to use dagger on macos to build a image From a private ecr image. I can retrieve/pass in an ECR token that is valid for the repository (pulling from the host works fine). Dagger seems to be able to get the image configuration just fine, but is getting a 401 Unauthorized when attempting to pull the indiviual blobs.

50: sha256:7dc2c32e8b1175fd5fdf1397e43a37fd50d64275d9c714e4289e3cbf59c81294 0B / 45.52KiB 
50: sha256:7608715873ec5c02d370e963aa9b19a149023ce218887221d93fe671b3abbf58 0B / 27.25MiB 
50: sha256:1ea5a1d10607631ee82046c1f804fb5269e1a9cb18a318e28b96d1c2f68c1729 0B / 3.646MiB 
50: sha256:cdb356d3586ce72236919b4962920eddf3955410f4f6ef6706d3181d90940c36 0B / 2.768MiB 
50: sha256:351a3971d2f01c33e1b7c9f55471705dcccf0c16a2a87f0a7cf5ec69150e8ed7 0B / 4.489KiB 
50: sha256:8bdde3405477d6d93b4071b74a03ff1c5872622a5292fe3377fc0dc6e1c1b492 0B / 7.215MiB 
50: sha256:eeec445c3e5a1c598a4ca3339c3f540f2dc5aba17f669a80eabf2eccc5f0bfae 0B / 160.4MiB 
50: pull my-account.dkr.ecr.us-east-1.amazonaws.com/my-image:tag DONE
2023/11/27 20:23:07 ERROR Failed to run dagger build !BADKEY="input:1: container.withRegistryAuth.from.export failed to export: failed to copy: httpReadSeeker: failed open: unexpected status code https://my-account.dkr.ecr.us-east-1.amazonaws.com/v2/my-image/blobs/sha256:7dc2c32e8b1175fd5fdf1397e43a37fd50d64275d9c714e4289e3cbf59c81294: 401 Unauthorized\n"

Thanks in advance for any help!

@hybrid garnet one common approach is to run docker login before running Dagger.

👋 have you checked https://docs.dagger.io/faq/#how-do-i-log-in-to-a-container-registry-using-a-dagger-sdk

there's also an example with dockerhub here: https://docs.dagger.io/723462/use-secrets/#use-secrets-with-dagger-sdk-methods

If I run docker logout <MY AWS ACCT ID>.dkr.ecr.us-east-2.amazonaws.com
and try to run Dagger to pull the private image
I get 401 Unauthorized

So I just login according to AWS docs:

aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin <MY AWS ACCT ID>.dkr.ecr.us-east-2.amazonaws.com

Then I'm good to go!

So, I've done this. I've logged in on both the macos host and in the underlying VM. In both cases I can manually pull the image. Dagger seems to be able to resolve that the image exists, but fails when trying to actually download the layers.

I've also tried with WithRegistryAuth using both a passed through token and the AWS sdk.

Would you like to chat briefly over in #911305510882513037 to see if we can figure it out?

Thanks for the offer! Didn't have time today, but did put together a mvp with the go sdk (attached). A few other notes:

• same issue with both the go and python sdks
• same behavior occurs on my Fedora machine (originally on M2 Mac)
• can docker pull and docker image ls the image using dagger run sh -c 'docker ...'

Thanks! I'll try to reproduce 👍

Is there are way for me to get an equiv image to python-java:3.9?

Using this Dockerfile for fun

FROM python:3.9

ENV JAVA_HOME=/opt/java/openjdk
COPY --from=eclipse-temurin:17-jre $JAVA_HOME $JAVA_HOME
ENV PATH="${JAVA_HOME}/bin:${PATH}"

RUN pip install --trusted-host pypi.python.org flask

Didn't have any issues 🤔