嘗試在 Azure DevOps 管道 shell 中運行“aws ecr-get-login-password”命令時出現“InvalidSignatureException”

Question

我想從 Azure DevOps 構建 Docker 映像並將其部署到 AWS ECR。

我按照本教程進行操作 - https://www.devguides.dev/how-to-build-and-deploy-docker-images-from-azure-devops-to-aws-ecr/

我不斷收到以下錯誤： An error occurred (InvalidSignatureException) when calling the GetAuthorizationToken operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. An error occurred (InvalidSignatureException) when calling the GetAuthorizationToken operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

我已經手動檢查並使用相同的 AWS 訪問密鑰和密鑰在本地運行了“aws ecr-get-login-password”命令，它確實返回了一個臨時密碼，所以我知道權限和密鑰是正確的。

我驗證了我正確設置了變量，並且通過將它們打印出來供我在 Azure bash shell 中查看來讀取它們 - 它們是正確的。

有什么建議么？

我是否需要在 Azure 的其他地方提供 AWS 登錄信息？

下面是管道構建 yaml：

trigger:
  branches:
    include:
    - build-and-push-azure-to-aws

pool:
  vmImage: 'ubuntu-latest'

variables:
  - group: dev
  - name: DOCKER_REPOSITORY
    value: $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/$(DOCKER_REPOSITORY_NAME)

steps:
- script: |
    aws ecr get-login-password --region $(AWS_REGION) | docker login --username AWS --password-stdin $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com
  displayName: 'Login to AWS'
  env:
    AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID)
    AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)

- task: Docker@2
  displayName: Build docker image
  inputs:
    repository: $(DOCKER_REPOSITORY)
    command: buildAndPush
    Dockerfile: Dockerfile
    tags: |
      latest

這是我得到的錯誤：

==============================================================================
Task         : Command line
Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
Version      : 2.164.2
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
==============================================================================
Generating script.
========================== Starting Command Output ===========================
/bin/bash --noprofile --norc /home/vsts/work/_temp/043d91c2-1246-45f3-909b-6594561cfbf1.sh

An error occurred (InvalidSignatureException) when calling the GetAuthorizationToken operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Answer 1

如果您想從 Azure DevOps 構建 Docker 映像並將其部署到 AWS ECR，您可以使用一組有效的 AWS 憑證創建與 AWS 的服務連接。 您可以關注此文檔AWS Toolkit for Azure DevOps以獲取有關設置此服務連接的更多詳細信息。

然后使用Amazon ECR Push任務將 Docker 映像推送到 AWS 上的 Amazon Elastic Container Registry。

您可以查看下面的博客以獲取更多詳細信息：

https://aws.amazon.com/blogs/devops/deploying-a-asp-net-core-web-application-to-amazon-ecs-using-an-azure-devops-pipeline/

Answer 2

1. 您可以重新檢查密鑰
2. 檢查系統日期時間和 AWS 實例日期時間。 后者在我的情況下是錯誤的，請參閱此鏈接https://www.learnitguide.net/2018/04/aws-cli-authfailure-access-credentials.html