K
Q

How do I push helm charts to Amazon ECR

2/11/2020

I have a helm chart that I want to push to ECR but I keep hitting 401 Unauthorized.

$ helm chart list
REF                                         NAME                    VERSION     DIGEST  SIZE        CREATED 
myecr.us-east-2.amazonaws.com/hello-world   hello-world             1.0.0+1     6c7c951 135.3 KiB   23 hours

$ helm chart push myecr.us-east-2.amazonaws.com/hello-world:1.0.0
The push refers to repository [1myecr.us-east-2.amazonaws.com/helloworld]
ref:     myecr.us-east-2.amazonaws.com/hello-world:1.0.0
digest:  6c7c9512d309b04816afd17dcdaaa64d0492550d8e290155973ddab125815da7
size:    135.3 KiB
name:    hello-world
version: 1.0.0+1
Error: unexpected response: 401 Unauthorized

I also tried authenticating the ECR with helm with helm registry login myecr.us-east-2.amazonaws.com but the credentials that I got from aws sts get-caller-identity does not work.

$ aws sts get-caller-identity
{
    "UserId": "<USERID>",
    "Account": "<Account>",
    "Arn": "arn:aws:iam::<Account>:user/foo"
}

$ helm registry login myecr.us-east-2.amazonaws.com
Username: <USERID>
Password: 
Error: login attempt to https://myecr.us-east-2.amazonaws.com/v2/ failed with status: 401 Unauthorized

My helm version is v3.0.2. Does helm not support ECR as a registry for charts?

-- mandopaloooza
amazon-ecr
kubernetes-helm
oci

Similar Questions

Is there an API call that can be used to check the health of the Here API?
Container logs not working after cluster update on GKE
Is there support to find & replace templatekey in file as part of Helm Deploy?
spark-submit on kubernetes cluster

2 Answers

2/11/2020

Check if you are logged in with helm

Use helm registry login command to login to registry by passing registry address with port(if port is not default)

Login to registry using helm command

$ helm registry login -u myuser registrydomain:5000
Password:
Login succeeded

Logout

$ helm registry logout registrydomain:5000
Logout succeeded

Official Documentation: https://helm.sh/docs/topics/registries/#the-registry-subcommand

-- neotam
Source: StackOverflow
2/11/2020

I found the answer so I'm answering my own question.

To authenticate helm with ECR, run:

TOKEN=`aws ecr get-login --region ${REGION} --registry-ids ${ACCOUNT} | cut -d' ' -f6`

helm registry login myecr.us-east-2.amazonaws.com
Username: AWS
Password: $TOKEN

The above will authenticate helm with ECR, however, looks like ECR doesn't support ORAS (OCI Registry As Storage). In other words, you cannot push helm charts to it just yet.

$ helm chart push myecr.us-east-2.amazonaws.com/hello-world:1.0.0
The push refers to repository [myecr.us-east-2.amazonaws.com/hello-world]
ref:     myecr.us-east-2.amazonaws.com/hello-world:2.0.0
digest:  6c7c9512d309b04816afd17dcdaaa64d0492550d8e290155973ddab125815da7
size:    135.3 KiB
name:    hello-world
version: 1.0.0+1
Error: failed commit on ref "manifest-sha256:262e1e34f4762606ec011c776944636c003969a2cfb289776fa0f7c26883f7ad": unexpected status: 405 Method Not Allowed

The issue is tracked here: https://github.com/aws/containers-roadmap/issues/308

-- mandopaloooza
Source: StackOverflow