AWS ECR Get login command - No such file or directory via ansible

Question

I have an ansible task as such

- name: Login to AWS
   command: $(aws ecr get-login --no-include-email --region us-east-2)

On running this I get the output

FAILED: => {"changed", false: "cmd", "'^$(aws' ecr get-login --no-include-email --region 'us-east-2)'": "msg", "[Errno 2] No such file or directory": "rc": 2}

What is the reason? I believe this command should run fine

Answer 1

The $(command) construction you are using is “command substitution”. The shell runs the command, captures its output, and inserts that into the command line that contains the $(…). It is intended to be used from a shell command line to login to the ECS service.

Ansible is does not launch the command in shell mode. and cannot support shell command substitution in that context, and reports file not found as a result.

From https://docs.ansible.com/ansible/2.5/modules/command_module.html

The given command will be executed on all selected nodes. It will not be processed through the shell, so variables like $HOME and operations like "<", ">", "|", ";"and "&" will not work (use the shell module if you need these features).

Instead, you could create a shell script that does the ECS login, and the process you need to run after you login. Then call that script from the command parameter.

Please note, the documentation above does refer to a shell module that can be used. You should use that module if you need this type of command substitution.

Answer 2

There are several issues on the ansible issue tracker, and they all point to amazon-ecr-credential-helper as the solution.

Basically, you install the package via your normal package manager (eg apt install amazon-ecr-credential-helper for debian-based systems) and add configuration to the docker engine through credential helpers . This is usually put into the ~/.docker/config.json file. For this to work you have to have created/configured some means for the machine to authenticate with AWS. I personally use EC2 instance roles for this, but you can also use credentials, environment variables or something else that AWS provides for.

example ~/.docker/config.json :

{
    "credHelpers": {
        "<ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com": "ecr-login"
    }
}

Ansible directives to get there:

---
- name: Install docker.io + helper script for ecr
  apt:
    name: "{{ item }}"
    state: latest
  loop:
    - docker.io
    - amazon-ecr-credential-helper

- name: Creates directory
  file:
    path: /home/ubuntu/.docker/
    state: directory

- name: add ECR configuration to docker repositories
  copy: src=config.json dest=/home/ubuntu/.docker/config.json

Answer 3

rc is the return (exit) code, '2' in your case, of the command aws ecr get-login --no-include-email --region us-east-2

Below listed points may help to troubleshoot -

1. Verify if aws cli is installed correctly, using aws --version command.

2. As per the documentation , get-login command is available in the AWS CLI starting with version 1.9.15; while version 1.11.91 is recommended. Try updating the aws version -

   pip install awscli --upgrade --user