Unsupported status code 401 when pushing to AWS ECR

I’m pushing a docker image from GitLab to Amazon ECR with this configuration:

kaniko-build-docker:
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  stage: build
  variables:
    REGISTRY: $CI_AWS_REGISTRY_IMG
  before_script:
    - ls -la
  only:
    - master
  script:
    # see https://github.com/GoogleContainerTools/kaniko/issues/1227
    - mkdir -p /kaniko/.docker
    - echo "{\"credsStore\":\"ecr-login\"}" > /kaniko/.docker/config.json
    - /kaniko/executor --cache=true --context $CI_PROJECT_DIR --dockerfile ${CI_PROJECT_DIR}/src/main/docker/Dockerfile.jvm --destination $REGISTRY:$CI_COMMIT_SHORT_SHA --destination $REGISTRY:latest

It does not work and I got this error:

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "737049778887.dkr.ecr.ap-northeast-1.amazonaws.com/siventh-sustainability-simulation-backend:309b8ca0": POST https://737049778887.dkr.ecr.ap-northeast-1.amazonaws.com/v2/siventh-sustainability-simulation-backend/blobs/uploads/: unsupported status code 401; body: Not Authorized

[46](https://gitlab.com/SIVENTH/sustainability-simulation-backend/-/jobs/687692471#L46)ERROR: Job failed: exit code 1

But what’s weird is that the same project works on another GitLab account. I already tried creating a new project in the old account but still got the same issue. Note, I’m using multiple remote repositories so it’s really the SAME project. And yes, I have setup the AWS_XXX variables on all the projects.

Are you sure the credentials are correctly set? Maybe you set them as protected and the branch you are running the pipeline is not protected?

Or maybe you are trying to push the same commit again the over ECR you have immutable tags? (But I’d suppose the error would be different)

Once again, @rpadovani thanks for pointing me in the right direction.

The problem was caused by the branch I’m currently working on that is not on the protected list.

Honestly, there should be documentation about this.

I awe you 2 mugs now :slight_smile:

Cheers.

1 Like