Role arn not read from profile in config when using config file with `web_identity_token_file`

[imcdo]

Describe the bug

When using amazon-ecr-credential-helper to pull from ECR, it fails to pull credentials from the default profile with the following stack trace:

Unable to find image '<account>.dkr.ecr.us-west-2.amazonaws.com/<image>' locally 37:21
panic: role ARN is not set 37:21
goroutine 1 [running]: 37:21
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api.DefaultClientFactory.NewClientFromRegion({}, {0xc00002bf9d?, 0x0?}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/ecr-login@v0.0.0-20240116161626-88cfadc80e8f/api/factory.go:84 +0x190 37:21
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login.ECRHelper.Get({{0x8aa120?, 0xb28ba0?}, 0xaf2cc0?}, {0xc000028f30, 0x2c}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/ecr-login@v0.0.0-20240116161626-88cfadc80e8f/ecr.go:101 +0x113 37:21
 github.com/docker/docker-credential-helpers/credentials.Get({0x8a9d30, 0xc000012108}, {0x8a4e40?, 0xc00005e028?}, {0x8a4dc0, 0xc00005e030}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/docker-credential-helpers@v0.8.1/credentials/credentials.go:154 +0x1fa 37:21
 github.com/docker/docker-credential-helpers/credentials.HandleCommand({0x8a9d30?, 0xc000012108?}, {0x7ffc942bad3e, 0x3}, {0x8a4e40?, 0xc00005e028?}, {0x8a4dc0?, 0xc00005e030?}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/docker-credential-helpers@v0.8.1/credentials/credentials.go:96 +0x97 37:21
 github.com/docker/docker-credential-helpers/credentials.Serve({0x8a9d30, 0xc000012108}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/docker-credential-helpers@v0.8.1/credentials/credentials.go:80 +0x325 37:21
 main.main() 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/ecr-login@v0.0.0-20240116161626-88cfadc80e8f/cli/docker-credential-ecr-login/main.go:52 +0x154 37:21
 docker: Error response from daemon: Head "https://<accoun>.dkr.ecr.us-west-2.amazonaws.com/v2/<image>": no basic auth credentials.

The default profile in the ~/.aws/config file is simply:

[profile default]
role_arn = arn:aws:iam::<account>:role/<role-name>
web_identity_token_file=<absolute path to existing token>

the panic originally coming from this projects call here.

eventually throwing the error here

Expected Behavior

It reads the default profile as it was not specified in the environment variables, and reads the role name specified there.

Current Behavior

It fails to find the specified role name even though it is specified in the config.

Reproduction Steps

1. create a .aws/config file that has a default profile that assumes a role via a web_identity_token_file
2. configure docker to use amazon-ecr-credential-helper
3. attempt to pull an image

Possible Solution

No response

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

v1.26.3 for config

https://github.com/awslabs/amazon-ecr-credential-helper/blob/88cfadc80e8fe02f840937a6f9a638991f9e54f8/ecr-login/go.mod#L5-L15

Compiler and Version used

Operating System and version

Ubuntu 20.04

[RanVaknin]

Hi @imcdo ,

amazon-ecr-credential-helper Is not a product that the SDK team supports, therefore I cannot advise you on this particular problem.

I suggest you create this issue on their repo.

Thanks again,
Ran~

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

[imcdo]

@RanVaknin I understand that, however its the usage of this sdk that seems to be broken, not their product.

[RanVaknin]

Based on the line of code you said its throwing in, it seems like the SDK is not provided with the correct role to obtain credentials.

I'm not familiar with this tool, therefore I suggest we wait to hear back from the ECR team about this. Perhaps they will be able to shed some light on the matter.

Thanks,
Ran~