
Objective: to log in to ECR every morning on my Mac.
I've got a cron job as follows (crontab -e, user: rad):

30 8 * * * /usr/local/bin/aws ecr get-login-password --region eu-central-1 | /usr/local/bin/docker login --username AWS --password-stdin 123456789012.dkr.ecr.eu-central-1.amazonaws.com

But I get the following error (in my mail):

From rad@mac.localdomain  Sun Dec 13 00:00:00 2020
X-Original-To: rad
Delivered-To: rad@mac.localdomain
From: rad@mac.localdomain (Cron Daemon)
To: rad@mac.localdomain
Subject: Cron <rad@mac> /usr/local/bin/aws ecr get-login-password --region eu-central-1 | /usr/local/bin/docker login --username AWS --password-stdin 123456789012.dkr.ecr.eu-central-1.amazonaws.com
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=rad>
X-Cron-Env: <USER=rad>
Date: Sun, 13 Dec 2020 00:00:00 +0000

Error saving credentials: error storing credentials - err: exit status 1, out: `Write permissions error.`

I also added --config ~/.docker (and --config /User/rad/.docker) to the docker command, but it didn't help. For the record, the command works just fine when I run it in my terminal. The permissions of my ~/.docker directory are:

ll -d ~/.docker
drwxr-xr-x  11 rad  staff   352B Dec 13 11:15 /Users/rad/.docker

There's this similar question, but it didn't help.

ANSWER (credit goes to @BMitch): No need to set up a cron job. Just add the following to ~/.docker/config.json (if you don't have Docker for Desktop, install the helper first):

{
    "credHelpers": {
        "123456789012.dkr.ecr.eu-central-1.amazonaws.com": "ecr-login"
    }
}
Rad

1 Answer

Looks like this error message comes from the credentials store. On Mac, it's trying to use osxkeychain, failing to do that from cron (which is probably a good thing for security), and failing the script. Two options I can think of:

  1. Attempt to disable osxkeychain for docker credentials. You may be able to set "credsStore": "" (to an empty string) in the .docker/config.json. However, many who tried this ended up with docker resetting the value to the default, which makes sense since the empty string is the same as not being unset in Go.

  2. Another method to disable osxkeychain is from within OSX KeyChain itself. Uncheck the setting allowing it to store docker credentials and docker should fall back to the traditional base64 encoded string in the .docker/config.json. Neither of these is ideal for security.

  3. Probably the best option is to try Amazon's ECR Credential Helper, which should eliminate the need to solve this with a cron script, and no more need to disable docker from using the default credential store.


[Previous suggestion]

Make sure to set your HOME environment variable since this could be used to determine where to store the .docker/config.json file. Some versions of cron allow that at the top of the file:

HOME=/home/rad
30 8 * * * /usr/local/bin/aws ecr get-login-password --region eu-central-1 | /usr/local/bin/docker login --username AWS --password-stdin 123456789012.dkr.ecr.eu-central-1.amazonaws.com

But many cron implementations need this set in the command you run:

30 8 * * * export HOME=/home/rad; /usr/local/bin/aws ecr get-login-password --region eu-central-1 | /usr/local/bin/docker login --username AWS --password-stdin 123456789012.dkr.ecr.eu-central-1.amazonaws.com
BMitch
  • Thanks for the answer but it didn't help. I've got another email similar to the previous ones with one more `X-Cron-Env: `: – Rad Dec 13 '20 at 11:06
  • @rad Give the ECR credential helper a try. And if that fails, you may need to find a way to disable docker's use of a credential store on OSX, which appears to be non-trivial. – BMitch Dec 13 '20 at 11:53
  • Thanks. I went with the helper. Interestingly it's already installed (I guess with Docker for Desktop). – Rad Dec 13 '20 at 12:21
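
Added example (not part of the question, the answer or the comments): a Python sketch of the order in which the docker CLI picks a credential backend from config.json (per-registry credHelpers entry, then the global credsStore, then the base64 auths in the file), used to check a config before and after adding the ecr-login entry. The sample config, registry.example.com and all function names are constructed for illustration.

```python
import base64
import copy
import shutil

ECR = "123456789012.dkr.ecr.eu-central-1.amazonaws.com"  # registry from the question

# Constructed sample config: keychain as global store plus one inline credential.
SAMPLE = {
    "credsStore": "osxkeychain",
    "auths": {"registry.example.com": {
        "auth": base64.b64encode(b"demo:not-a-real-secret").decode()}},
}

def backend_for(config, registry):
    """Backend the docker CLI uses: per-registry helper, then global store, then the file."""
    helper = config.get("credHelpers", {}).get(registry)
    if helper:
        return ("credHelpers", helper)
    if config.get("credsStore"):
        return ("credsStore", config["credsStore"])
    return ("file", None)

def inline_credentials(config):
    """Registries whose secret is only base64-encoded, readable by anyone who can read the file."""
    hits = []
    for registry, entry in config.get("auths", {}).items():
        if entry.get("auth"):
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            hits.append((registry, user))
    return hits

def with_ecr_helper(config, registry):
    """Copy of config with ecr-login mapped to registry; all other keys are left untouched."""
    updated = copy.deepcopy(config)
    updated.setdefault("credHelpers", {})[registry] = "ecr-login"
    updated.get("auths", {}).pop(registry, None)  # drop any stale stored token
    return updated

def helper_found(name, search_path):
    """The CLI executes docker-credential-<name>, so it must be on the caller's PATH."""
    return shutil.which("docker-credential-" + name, path=search_path) is not None

if __name__ == "__main__":
    print(backend_for(SAMPLE, ECR))
    fixed = with_ecr_helper(SAMPLE, ECR)
    print(backend_for(fixed, ECR), backend_for(fixed, "registry.example.com"))
    print(inline_credentials(fixed))
    print(helper_found("ecr-login", "/usr/bin:/bin"))  # PATH from the X-Cron-Env header
```

The last call uses the PATH shown in the cron mail; a helper installed under /usr/local/bin is not visible to a job running with that PATH.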