Bitbucket Pipelines Error "Unauthorised for ECR"
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
Bitbucket Pipelines builds may sometimes fail to start with the error "Unauthorised for ECR" when a private AWS ECR Docker image is used as the main pipeline Docker image.
Diagnosis
To check whether the issue is reproducible, run a sample pipeline whose step uses the default Atlassian Docker image atlassian/pipelines-awscli, followed by script commands that configure the AWS CLI with the access keys ${AWS_ACCESS_KEY_ID} and ${AWS_SECRET_ACCESS_KEY} and then pull the Docker image:
pipelines:
  default:
    - step:
        services:
          - docker
        image: atlassian/pipelines-awscli
        script:
          # Configure the AWS CLI with the keys resolved from the Pipelines variables
          - aws configure set aws_access_key_id "${AWS_ACCESS_KEY_ID}"
          - aws configure set aws_secret_access_key "${AWS_SECRET_ACCESS_KEY}"
          # Use the region of the registry host (us-west-2 here) when requesting the login password
          - aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.us-west-2.amazonaws.com
          - docker pull aws_account_id.dkr.ecr.us-west-2.amazonaws.com/amazonlinux:latest
Cause
This error occurs when an incorrect access key ID or secret access key is supplied for Docker ECR image pull/push operations.
Solution
Possible solutions:
The order of precedence for Pipelines variables is as follows: Deployment > Repository > Workspace > Default variables. Pipelines therefore takes a variable's value from the Deployment variables first, then Repository, then Workspace, and finally from the Default variables.
Sometimes the access key variables are not present in the deployment and repository variables. The pipeline might then be using the access keys defined as workspace variables, which may not have the correct permissions to perform ECR docker pull/push operations.
It is also possible that incorrect access keys have been set as deployment variables.
Delete the incorrect keys, add correct access keys as deployment or repository variables, and rerun the pipeline to check if docker images are pulled from AWS ECR.
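To see which access key the variable precedence above actually resolved to, the following shell helpers can be sourced in the diagnostic step before docker login. This is an added example, not Atlassian's code: the function names are hypothetical, and it assumes the AWS CLI is available in the image, as it is in atlassian/pipelines-awscli.

```shell
#!/bin/sh
# Added diagnostic example; helper names are hypothetical.

# Print only the last 4 characters of an access key ID, so the build log
# identifies which key is in effect without showing it in full.
mask_key_id() {
    key="$1"
    if [ "${#key}" -le 4 ]; then
        printf '%s\n' '****'
        return 0
    fi
    tail4=$(printf '%s' "$key" | tail -c 4)
    printf '****%s\n' "$tail4"
}

# Extract the region from an ECR registry host of the form
# <account>.dkr.ecr.<region>.amazonaws.com; return 1 for any other host.
registry_region() {
    case "$1" in
        *.dkr.ecr.*.amazonaws.com)
            r=${1#*.dkr.ecr.}
            printf '%s\n' "${r%.amazonaws.com}" ;;
        *) return 1 ;;
    esac
}

# Report the key in effect, the registry region, and the IAM principal.
# Returns 2 if the key variables are unset, 3 if the host is not ECR.
diagnose_ecr_auth() {
    registry="$1"
    if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "access key variables are not set in any variable scope" >&2
        return 2
    fi
    region=$(registry_region "$registry") || {
        echo "not an ECR registry host: $registry" >&2
        return 3
    }
    echo "key in effect: $(mask_key_id "$AWS_ACCESS_KEY_ID"), registry region: $region"
    # Prints the ARN of the principal that owns the keys; fails on invalid keys.
    aws sts get-caller-identity --query Arn --output text
}
```

Call `diagnose_ecr_auth aws_account_id.dkr.ecr.us-west-2.amazonaws.com` from the step script; if the reported key suffix or principal is not the one expected, the value is coming from a different variable scope than intended.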