[GH-ISSUE #119] Login to AWS ECR fails #79

Closed
opened 2026-03-01 21:39:55 +03:00 by kerem · 6 comments

Originally created by @mj3c on GitHub (Mar 3, 2020).
Original GitHub issue: https://github.com/nektos/act/issues/119

I am trying to execute the GitHub action to push a Docker image to AWS ECR, specifically [this one](https://github.com/aws-actions/amazon-ecr-login). However, even after supplying the access key, secret key and region, this is the output:

```shell
[...] Run Login to Amazon ECR
[...] ☁  git clone 'https://github.com/aws-actions/amazon-ecr-login' # ref=v1
[...] 🐳  docker cp src=/home/milosjajac/.cache/act/aws-actions-amazon-ecr-login@v1 dst=/actions/
[...] ⚙  ::set-output:: registry=072822818685.dkr.ecr.eu-central-1.amazonaws.com
[...] ❗  ::error::Unable to locate executable file: docker. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also check the file mode to verify the file is executable.
[...] ❌  Failure - Login to Amazon ECR
```

Here is a job definition in order to reproduce this:

```yaml
steps:
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: eu-central-1

- name: Login to Amazon ECR
  id: login_ecr
  uses: aws-actions/amazon-ecr-login@v1
```

There is a `docker login` in the `index.js` of that action, I guess that is where it fails, but how can I make this pass? Am I doing something wrong or would this be a feature request?


@cplee commented on GitHub (Mar 3, 2020):

Check out #107

Need to override the docker image that act uses


@mj3c commented on GitHub (Mar 3, 2020):

Ahh yes, I checked the other issues but not thoroughly enough.

It is a bit inconvenient that you have to choose between full compatibility with GitHub Actions by default and making your users pull an 18GB image, but your choice makes sense I think. This can be closed.

In any case, thank you for a prompt response and for providing an option for this!


@sirkuttin commented on GitHub (Aug 1, 2023):

> Check out #107
>
> Need to override the docker image that act uses

which docker image can I use today to be able to perform the login via OIDC?


@matwerber1 commented on GitHub (Jan 3, 2024):

> > Check out #107
> > Need to override the docker image that act uses
>
> which docker image can I use today to be able to perform the login via OIDC?

+1, I think I'm running into this issue.

Trying to use AWS's OIDC action. Partial excerpt below:

```yaml
name: AWS CDK Deploy

on:
  push:
    branches:
      - main
      - develop

permissions:
  id-token: write
  contents: read

jobs:
  AssumeRoleAndDeploy:
    runs-on: ubuntu-latest
    environment:
      name: ${{ (github.ref == 'refs/heads/main') && 'aws_prod_v2' || 'aws_staging_v2' }}
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3

      - name: Print Environment Variables for Debugging
        run: |
          echo "Repository Name: ${{ github.repository }}"
          echo "Branch Name: ${{ github.ref_name }}"
          echo "Environment Name: ${{ vars.environment }}"
          echo "AWS Account ID: ${{ vars.AWS_ACCOUNT_ID }}"
          echo "AWS Region: ${{ vars.AWS_REGION }}"
          echo "IAM Role Name: ${{ vars.GH_ACTION_IAM_ROLE_NAME }}"

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4.0.1
        with:
          role-to-assume: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.GH_ACTION_IAM_ROLE_NAME }}"
          aws-region: ${{ vars.AWS_REGION }}
          role-skip-session-tagging: true # required for the OIDC method of credential retrieval we're using

      - name: Log assumed IAM role
        run: aws sts get-caller-identity
```

Getting this error:

```
[AWS CDK Deploy/AssumeRoleAndDeploy]   🐳  docker exec cmd=[node /var/run/act/actions/aws-actions-configure-aws-credentials@v4.0.1/dist/index.js] user= workdir=
| It looks like you might be trying to authenticate with OIDC. Did you mean to set the `id-token` permission? If you are not trying to authenticate with OIDC and the action is working successfully, you can ignore this message.
```

@ChristopherHX commented on GitHub (Jan 3, 2024):

> which docker image can I use today to be able to perform the login via OIDC?

none.

If you could authenticate using act via OIDC to aws, an attacker could do it as well.

  • OIDC connect tokens are signed by the GitHub Actions Service
  • There is no API to manually request access to get an OIDC token URL
  • The OIDC token should create a trust between your aws account and GitHub Actions
  • The OIDC is meant to be used to limit trust to deployment environments; these jobs themselves have additional protections

At most you could get locally a self-signed oidc token, which is rejected by aws as long as you don't register your own jwk key as a trusted oidc source.

If you want to go the self-signed oidc way I can help you to get this working by porting my fake oidc provider to nektos/act. This is implemented in my similar project for emulating GitHub Actions.
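
The trust argument in the comment above, as an added example that is not part of the original thread or of nektos/act: a minimal relying-party check in Node.js that accepts an RS256 token only when its issuer is registered and the signature verifies under that issuer's key. The issuer URLs, key pairs and `sub` value are constructed for illustration, and audience and expiry checks are left out to keep the focus on issuer trust.

```javascript
// Added example (not from the thread): why a locally minted OIDC token is
// rejected until its issuer key is registered with the relying party.
const crypto = require("crypto");

const b64u = (s) => Buffer.from(s).toString("base64url");

// Mint an RS256 JWT with the given private key.
function signJwt(claims, privateKey) {
  const input = `${b64u(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign("sha256", Buffer.from(input), privateKey).toString("base64url")}`;
}

// Relying-party check: issuer must be registered AND the signature must verify
// under the key registered for that issuer. (aud/exp checks omitted here.)
function verifyJwt(token, trustedIssuers) {
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed";
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  } catch {
    return "malformed";
  }
  if (header?.alg !== "RS256") return "unsupported alg"; // pin the algorithm
  const key = trustedIssuers.get(claims?.iss);
  if (!key) return "untrusted issuer";
  const ok = crypto.verify("sha256", Buffer.from(`${parts[0]}.${parts[1]}`), key,
    Buffer.from(parts[2], "base64url"));
  return ok ? "accepted" : "bad signature";
}

// Constructed scenario: every issuer URL, key and claim below is made up.
function demo() {
  const newKey = () => crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const hosted = newKey(); // stands in for the hosted CI signing service
  const local = newKey();  // key generated on a developer machine
  const HOSTED = "https://hosted-ci.example", LOCAL = "https://local-runner.example";
  const trusted = new Map([[HOSTED, hosted.publicKey]]);
  const sub = "repo:example-org/example-repo:environment:staging";
  const result = {
    hostedToken: verifyJwt(signJwt({ iss: HOSTED, sub }, hosted.privateKey), trusted),
    localKeyHostedIss: verifyJwt(signJwt({ iss: HOSTED, sub }, local.privateKey), trusted),
    selfSigned: verifyJwt(signJwt({ iss: LOCAL, sub }, local.privateKey), trusted),
  };
  trusted.set(LOCAL, local.publicKey); // operator registers the local issuer
  result.afterRegistration = verifyJwt(signJwt({ iss: LOCAL, sub }, local.privateKey), trusted);
  return result;
}
```

The self-signed token is accepted only after the operator explicitly adds the local issuer's public key to the trusted set, which is the registration step the comment describes.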


@dncrews commented on GitHub (Mar 14, 2025):

Same issue, but I got past it. I assume y'all figured this out too, but in case anyone in the future is as clueless about this as I was:

Just set the AWS credentials yourself:

```sh
aws sso login --profile name-of-profile-from~/.aws/config
aws configure export-credentials --format env > .env.aws
act --env-file .env.aws ...
```

Then I added this to the `aws-actions` steps to skip them:

```yaml
        # nektos/act sets the environment variable `ACT` to "true" when running locally
        if: env.ACT != 'true'
```

Now if I could just get my editor to stop complaining that the environment variable doesn't exist... [[open issue](https://github.com/github/vscode-github-actions/issues/123)]
