
How do I resolve permissions issues with building containers in ECS Deploy Runner?

Answer

I am getting the following error when trying to run build scripts for building containers:

```
[ecs-deploy-runner][2022-02-23T18:50:04+0000] [] time="2022-02-23T18:50:04Z" level=info msg="Running command: /kaniko /executor --force --context-sub-path modules/ecs-deploy-runner/docker/deploy-runner --destination xxxx.dkr.ecr.us-west-2.amazonaws.com/ecs-deploy-runner:v0.38.1 --context git://github.com/gruntwork-io/terraform-aws-ci.git --git branch=v0.38.1 --build-arg GITHUB_OAUTH_TOKEN"
[ecs-deploy-runner][2022-02-23T18:50:06+0000] Error: error resolving source context: authentication required
```

This authentication failure is from an attempt to access the `gruntwork-io/terraform-aws-ci` GitHub repo in the container. The authentication is handled using the token configured on the ECS Deploy Runner, via the `docker_image_builder_config.git_config` input variable. So I would double check:

- Is the token configured on the `ecs-deploy-runner` module?
- Is the token stored in Secrets Manager still valid?
- Is the associated machine user of the token in your subscription?
- Has the associated machine user accepted the invite for the gruntwork-io org?

Note that the most common error is when using alternative VCS systems (e.g., not GitHub but GitLab) while the ECS Deploy Runner authentication is configured for that VCS. In this scenario, the docker image builder only supports building images from GitLab and not GitHub.

As of this writing (Feb 23, 2022), `ecs-deploy-runner` doesn’t support a single docker image builder container with multiple secrets. However, we have an [issue to add support](https://github.com/gruntwork-io/terraform-aws-ci/issues/394) for multiple secrets in a single docker image builder container. Until then, to work around this, you could do one of the following:

- Swap out the secrets for the docker image builder to be calibrated to GitHub. This would only work if you don’t intend on using the `ecs-deploy-runner` to build docker images in your repos.
- Deploy a new ECS deploy runner dedicated to building docker images from Gruntwork. This can be done by copying and pasting the config for `ecs-deploy-runner`, but setting `ami_builder_config`, `terraform_planner_config`, and `terraform_applier_config` config to `null`. This way only `docker_image_builder_config` is configured.
  - Note that you will want to use a different name, which will produce a different lambda function identifier. You can then select this particular `ecs-deploy-runner` from the `infrastructure-deployer` command line by passing in the `--invoker-function-id` flag. This can be done in the `build_*.sh` script.
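
The checklist above can be narrowed down by probing GitHub with the stored token and reading the HTTP status. This is an added example, not code from Gruntwork or from the original answer; the secret ID argument is a placeholder you supply, and it assumes the secret holds the raw token string rather than JSON.

```shell
#!/bin/sh
# Added diagnostic sketch, not Gruntwork code. Assumes the secret value is the
# raw token string (not JSON) and that the aws CLI and curl >= 7.55 are installed.

REPO_API="https://api.github.com/repos/gruntwork-io/terraform-aws-ci"

# Map the HTTP status of the repo lookup to the checklist item it points at.
diagnose_status() {
  case "$1" in
    200) echo "ok: token can read gruntwork-io/terraform-aws-ci" ;;
    401) echo "invalid-token: expired, revoked, or issued by another VCS such as GitLab" ;;
    404) echo "no-access: token authenticates but cannot see the repo (missing repo scope, subscription, or unaccepted org invite)" ;;
    403) echo "forbidden: token is recognised but blocked (rate limit or org access policy)" ;;
    000) echo "network: could not reach api.github.com" ;;
    *)   echo "unknown: unexpected HTTP status $1" ;;
  esac
}

# Read the token from Secrets Manager; $1 is the secret ID (placeholder, yours to supply).
fetch_token() {
  aws secretsmanager get-secret-value --secret-id "$1" \
    --query SecretString --output text
}

# Send the token as a header read from stdin so it never appears in the
# process list, and print only the HTTP status code.
probe_repo() {
  printf 'Authorization: token %s\n' "$1" |
    curl -sS -o /dev/null -w '%{http_code}' -H @- "$REPO_API"
}

main() {
  token="$(fetch_token "$1")" || { echo "secret-read-failed: cannot read secret $1"; return 2; }
  [ -n "$token" ] || { echo "empty-secret: secret $1 has no value"; return 2; }
  status="$(probe_repo "$token")"
  diagnose_status "$status"
  [ "$status" = "200" ]
}

# Only touch AWS and the network when a secret ID is passed on the command line.
if [ "$#" -ge 1 ]; then
  main "$1"
fi
```

Run it with AWS credentials that are allowed to read the secret; the token itself is never printed.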