Getting "InvalidSignatureException" when trying to run "aws ecr-get-login-password" command in Azure DevOps pipeline shell

Question

I want to build and deploy Docker images from Azure DevOps to AWS ECR.

I followed this tutorial - https://www.devguides.dev/how-to-build-and-deploy-docker-images-from-azure-devops-to-aws-ecr/

I keep getting the following error: An error occurred (InvalidSignatureException) when calling the GetAuthorizationToken operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

I have manually checked the and ran the "aws ecr-get-login-password" command locally using the same AWS access key and secret and it does return a temp password so I know that the permissions and keys are correct.

I verified that I set the variables correctly and that they are read by having them printed out for me to view in the Azure bash shell - they were correct.

Any suggestions?

Do I need to provide AWS log in info somewhere else in Azure?

Below is the pipeline build yaml :

trigger:
  branches:
    include:
    - build-and-push-azure-to-aws

pool:
  vmImage: 'ubuntu-latest'

variables:
  - group: dev
  - name: DOCKER_REPOSITORY
    value: $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/$(DOCKER_REPOSITORY_NAME)

steps:
- script: |
    aws ecr get-login-password --region $(AWS_REGION) | docker login --username AWS --password-stdin $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com
  displayName: 'Login to AWS'
  env:
    AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID)
    AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)

- task: Docker@2
  displayName: Build docker image
  inputs:
    repository: $(DOCKER_REPOSITORY)
    command: buildAndPush
    Dockerfile: Dockerfile
    tags: |
      latest

Here is the error I get :

==============================================================================
Task         : Command line
Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
Version      : 2.164.2
Author       : Microsoft Corporation
Help         : https://learn.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
==============================================================================
Generating script.
========================== Starting Command Output ===========================
/bin/bash --noprofile --norc /home/vsts/work/_temp/043d91c2-1246-45f3-909b-6594561cfbf1.sh

An error occurred (InvalidSignatureException) when calling the GetAuthorizationToken operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Answer 1

If you want to build and deploy Docker images from Azure DevOps to AWS ECR, you could create the service connection with AWS with a set of your valid AWS credentials. You can follow this doc AWS Toolkit for Azure DevOps to get more details of setting up this service connection.

And then use Amazon ECR Push task to push a Docker image to an Amazon Elastic Container Registry on AWS.

You may check the blog below to get more details:

https://aws.amazon.com/blogs/devops/deploying-a-asp-net-core-web-application-to-amazon-ecs-using-an-azure-devops-pipeline/