Error when building Docker image on Alpine using aws-ecr orb

Hey there

I’m currently trying to update some of our existing CircleCI build pipelines to use AWS OIDC authentication in order to remove some static AWS credentials.

This is working great for our Helm deployments, however I’m having some issues getting our Docker image build jobs updated.

The current error I’m getting when trying to use the aws-ecr/build-image command is:

/bin/sh: syntax error: unexpected redirection

Exited with code exit status 2

The current config looks like this. I’ve pulled out anything not relevant and redacted a few bits as required:

version: 2.1

commands:
  auth-aws-oidc:
    description: Authenticate against AWS using OIDC and assume target role
    parameters:
      app-env:
        type: string
      region:
        type: string
      oidc-role:
        type: string
      target-role:
        type: string
    steps:
      - get-target-aws-account-id:
          app-env: << parameters.app-env >>
      - aws-cli/setup:
          region: << parameters.region >>
          role_arn: "arn:aws:iam::*****:role/circleci_<< parameters.oidc-role >>"
          role_session_name: "CircleCI-${CIRCLE_WORKFLOW_ID}-${CIRCLE_JOB}"
          profile_name: oidc
      - aws-cli/role_arn_setup:
          role_arn: "arn:aws:iam::${TARGET_AWS_ACCOUNT_ID}:role/<< parameters.target-role >>"
          profile_name: default
          source_profile: oidc
  get-target-aws-account-id:
    description: Get target AWS Account ID
    parameters:
      app-env:
        type: string
    steps:
      - run:
          name: Get Target AWS Account ID
          command: |
            export ENV_NAME=<< parameters.app-env >>
            account_id_env="${ENV_NAME}_AWS_ACCOUNT_ID"
            echo "Looking for ${account_id_env} env"
            aws_account_id=$(eval echo \$${account_id_env})
            if [ -z "${aws_account_id}" ]; then
              echo "Didn't find a matching AWS_ACCOUNT_ID env"
              exit 1
            else
              echo "Found a valid AWS Account ID"
              echo "export TARGET_AWS_ACCOUNT_ID='$aws_account_id'" >> "$BASH_ENV"
            fi
  title-case-app-env:
    description: Convert the uppercase app-env value to Title case
    parameters:
      app-env:
        type: string
    steps:
      - run:
          name: Title case app-env
          command: |
            tcase=$(echo "<< parameters.app-env >>" | awk '{print toupper(substr($0,0,1))tolower(substr($0,2))}')
            echo "export APP_ENV_TCASE='$tcase'" >> "$BASH_ENV"


jobs:
  ...snipped...
  build-docker:
    parameters:
      app-env:
        type: string
        default: DEV
      provider:
        type: string
        default: value
      region:
        type: string
        default: eu-west-2
    docker:
      # Latest alpine's version 3.20 has excluded aws-cli due to incompatibility issues with Python 3.12
      # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.20.0#aws-cli
      - image: docker:26.1.3-alpine3.19
    working_directory: ~/repo
    resource_class: large
    shell: /bin/sh -leo pipefail
    environment:
      BASH_ENV: /etc/profile
    steps:
      - checkout
      - title-case-app-env:
          app-env: << parameters.app-env >>
      - run:
          name: Setup env
          command: |
            apk add git
            export ENV_NAME=<< parameters.app-env >>
            export PROVIDER=<< parameters.provider >>
            source ./bundle/scripts/set-environment.sh
            echo "Sourced env"
            for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SECURITY_TOKEN ; do eval unset $var ; done
            git rev-parse --short HEAD | tr -d '\r\n' > .version
            echo "Version = $(cat .version)"
            tag=$(echo $CIRCLE_SHA1 | cut -c -7)-$(echo $CIRCLE_WORKFLOW_ID)
            echo "Tag = ${tag}"
            echo "export DOCKER_TAG='$tag'" >> "$BASH_ENV"
      - setup_remote_docker:
          version: docker24
      - auth-aws-oidc:
          app-env: << parameters.app-env >>
          region: << parameters.region >>
          oidc-role: "ECRPublisher${APP_ENV_TCASE}"
          target-role: "CircleCIECRPublisher"
      - aws-ecr/ecr_login:
          account_id: $TARGET_AWS_ACCOUNT_ID
          region: << parameters.region >>
      - aws-ecr/build_image:
          account_id: $TARGET_AWS_ACCOUNT_ID
          dockerfile: Dockerfile.backend
          # extra_build_args: >-
          #   --build-arg PO_EDITOR_API_KEY="${PO_EDITOR_API_KEY}"
          #   --build-arg PO_EDITOR_FE_PROJECT_ID="${PO_EDITOR_FE_PROJECT_ID}"
          #   --build-arg PO_EDITOR_FE_BROKER_PROJECT_ID="${PO_EDITOR_FE_BROKER_PROJECT_ID}"
          #   --build-arg PO_EDITOR_BE_PROJECT_ID="${PO_EDITOR_BE_PROJECT_ID}"
          #   --build-arg PO_EDITOR_SKIP_PULL_TERM="${PO_EDITOR_SKIP_PULL_TERM}"
          platform: linux/amd64
          push_image: true
          region: << parameters.region >>
          repo: private-repo
          tag: $DOCKER_TAG

Any suggestions on what could be wrong?

I’ve looked through the issues on the aws-ecr orb GH repo to no avail.

Thanks
Gavin

Hi @fatmcgav,

Could you confirm if the image you are using for your job has bash installed?
If it is indeed an Alpine image, it most likely does not have it installed by default, and this can cause the error you are seeing.
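
The failure mode this reply describes, as an added example that is not part of the original thread or the aws-ecr orb's code: a heuristic preflight that checks whether a step's shell exists in the image and whether a script uses bash-only redirections that a POSIX `/bin/sh` cannot parse. The function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not code from the thread or the orb.

# Print "LINE:TEXT" for lines that use redirections POSIX sh does not have:
#   <<<        here-string
#   <( / >(    process substitution
#   &>         combined stdout/stderr redirect
# Heuristic only: it greps text, it does not parse shell grammar.
find_bash_redirections() {
    grep -nE '<<<|[<>]\(|&>' "$1" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# check_step_shell SHELL_PATH SCRIPT
#   0 = script is safe to run with SHELL_PATH
#   1 = SHELL_PATH is not bash and the script uses bash-only redirections
#   2 = SHELL_PATH does not exist in this image
check_step_shell() {
    shell_path=$1
    script=$2
    if ! command -v "$shell_path" >/dev/null 2>&1; then
        echo "shell $shell_path is not installed in this image" >&2
        return 2
    fi
    case "$(basename "$shell_path")" in
        bash) return 0 ;;
    esac
    hits=$(find_bash_redirections "$script" || true)
    if [ -n "$hits" ]; then
        echo "bash-only redirections found, $shell_path will reject them:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample script standing in for a bash script run by a step.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/bash
# constructed sample, not taken from any real orb
read -r account <<< "$TARGET_AWS_ACCOUNT_ID"
echo "$account" > /dev/null 2>&1
EOF

check_step_shell /bin/sh "$sample" || echo "preflight exit code: $?"
```
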

Hey @aaronclark

Thanks for the suggestion… I’ve tried adding an apk install bash to my Setup env step this morning, however I still get the same result…

Any other suggestions?

Thanks

OK, after a bit more experimentation around using /bin/bash, it looks like I’ve managed to get a working solution.

Diff below, but essentially changed the default shell value to /bin/bash, and then ran the apk add bash as the first step with shell: /bin/sh

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 4dcfe47423..4794d26b6e 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -352,17 +352,21 @@ jobs:
       - image: docker:26.1.3-alpine3.19
     working_directory: ~/repo
     resource_class: large
-    shell: /bin/sh -leo pipefail
+    shell: /bin/bash -leo pipefail
     environment:
       BASH_ENV: /etc/profile
     steps:
       - checkout
+      - run:
+          name: Install bash
+          command: apk add --no-cache bash
+          shell: /bin/sh -leo pipefail
       - title-case-app-env:
           app-env: << parameters.app-env >>
       - run:
           name: Setup env
           command: |
-            apk add git
+            apk add --no-cache git
             export ENV_NAME=<< parameters.app-env >>
             export PROVIDER=<< parameters.provider >>
             source ./bundle/scripts/set-environment.sh
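
Review bot: the new `Install bash` step pulls an unpinned `bash` package on every run, and with the job-level `shell:` now set to `/bin/bash -leo pipefail` every later run step depends on that install succeeding. Consider building a small derived image from `docker:26.1.3-alpine3.19` with bash (and git) already installed, or pinning the package versions, so the job does not break or change behaviour when the Alpine package index does. It would also help to add a comment on the step saying that its `shell: /bin/sh -leo pipefail` override is required because bash does not exist in the image until this step has run; otherwise someone tidying the config may remove it.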
