Empty Value for Environment Secrets in my Pipeline

I’ve built a pipeline to build a Docker image and push it to ECR. For this I made some environment variables that I want to access inside my pipeline.

So I’m using the Default agents; I didn’t create new ones. Inside Default, the queue is default.

agents:
  queue: "default"

env:
  SERVICE_NAME: "api"
  DOCKERFILE_PATH: "api/Dockerfile"

steps:
  - label: ":gear: Setup"
    key: "setup"
    command: |
      echo "--- Setup Environment"
      echo "Branch: $$BUILDKITE_BRANCH"
      echo "Commit: $$BUILDKITE_COMMIT"
      echo "Build: $$BUILDKITE_BUILD_NUMBER"

  - label: ":aws: ECR Login"
    key: "ecr-login"
    command: |
      echo "--- Logging into ECR"
      
      # Check environment variables first
      echo "AWS_ACCOUNT_ID: $$AWS_ACCOUNT_ID"
      echo "AWS_DEFAULT_REGION: $$AWS_DEFAULT_REGION"
      
      if [[ -z "$$AWS_ACCOUNT_ID" ]]; then
        echo "❌ AWS_ACCOUNT_ID is not set!"
        exit 1
      fi
      
      if [[ -z "$$AWS_DEFAULT_REGION" ]]; then
        echo "❌ AWS_DEFAULT_REGION is not set!"
        exit 1
      fi
      
      # Login to ECR
      aws ecr get-login-password --region $$AWS_DEFAULT_REGION | \
        docker login --username AWS --password-stdin $$AWS_ACCOUNT_ID.dkr.ecr.$$AWS_DEFAULT_REGION.amazonaws.com

And I got the error below.

What’s wrong here?

Hi Taqi 👋,

Thank you for reaching out to Buildkite support.
I can see from your logs that AWS_ACCOUNT_ID and AWS_DEFAULT_REGION are showing as empty, which may be causing your ECR login to fail.

To help troubleshoot this, could you share:

  1. How are you setting these AWS environment variables? Are they configured at the agent level, in your pipeline settings, or somewhere else?

  2. What type of agents are you using? You mentioned “default agents” but are these Buildkite’s hosted agents, your own self-managed agents, or something like the Elastic CI Stack?

  3. Can you share the build URL where you’re seeing this issue? That would help me see the full context and potentially spot other configuration details.

The fact that these variables are completely empty (not just undefined) suggests they might not be getting set at all, or there could be an issue with how they’re being passed to the build environment. Once I know more about your setup, I can give you more specific guidance on the best way to configure these values for your particular agent type.

After creating the pipeline, below are the steps I did:

  1. Open Pipeline Settings → Navigate down to Cluster
  2. Then in the Cluster tabs → Secrets

In the above, if I go to Pipelines, I can see the same pipeline that I created.

Hi Taqi,

Thanks for the detailed pictures.
But I can see that there is no agent token in this cluster which is puzzling considering that the build ran.

I am also still unclear about what agent you are using. In Buildkite, you create a cluster which contains queues, and agents connect to specific queues using agent tokens.

Can you please share the build URL? I would be able to take a closer look at things that way from the backend.

https://buildkite.com/neutrl/dev-deploy-otc

Hi @taqi,

Thanks for that!

From what I can tell, you’ve added secrets to your cluster, and when calling them from an environment variable, they’re not populating.

If that’s the case - it looks like we’re missing a pre-requisite step in the process here as the secrets are handled by the Buildkite Agent, which needs to be explicitly told to fetch the secret in order to populate them as an environment variable.

We’ve got documentation on how to Use a buildkite secret in a job. There are a few ways you could go about it here in your case.

You could look to set up an Agent hook (environment would work fine in your example) which would then pre-load the environment variables before the job executes. Alternatively, you could run something to the effect of below within your Setup step’s command section:

export AWS_ACCOUNT_ID=$(buildkite-agent secret get AWS_ACCOUNT_ID)
export AWS_DEFAULT_REGION=$(buildkite-agent secret get AWS_DEFAULT_REGION)

With that being said - we would recommend going the plugin route with this one as it’s the absolute cleanest way about it. We have the ecr-buildkite-plugin to handle this before your command step executes. This will automatically use any profile available to the Agent, and can be configured in conjunction with other plugins such as aws-assume-role-with-web-identity-buildkite-plugin to handle authentication from an assumed role.

This will use standard AWS credentials available in the environment, or as an instance role or task role as available. These must be granted appropriate permissions for login to succeed and for push and pull to operate.

Alternatively, you could explore our docker-cache-buildkite-plugin, as this can be used to eliminate a few steps you have in your pipeline, as it would handle the authentication, as well as the build and push of your Dockerfile.

We’ve got quite a lot of plugins that could enhance your experience with Buildkite, as well as streamline your pipeline for a variety of tasks. You can see more plugins on our Buildkite Plugins page!

Tried but not getting these errors. Is there any example pipeline as such in the docs or GitHub that I can follow?

Hi Taqi,
Ola here again, jumping in for Joe.

Might I ask if you are setting buildkite-agent secret get somewhere in the job? If not, I would suggest you set this in the environment hook. This would allow the agent to globally run that command, thereby making the variables available to all the steps in your pipeline.

As for example pipelines, there are examples in the plugins that Joe linked for you previously. Each plugin repo contains clear and detailed examples on how to use it.
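
The environment-hook approach suggested in the replies above, as an added example (not from the thread or from Buildkite's own documentation): it wraps the `buildkite-agent secret get` command quoted earlier for the two secret names in the question, fails the job when a fetch errors or returns an empty value, and logs only the secret's name, never its value. The `load_secret` and `load_secrets` helper names and the use of an agent `environment` hook file are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: body of an agent `environment` hook.
# Secret names are the ones used in this thread; helper names are hypothetical.

# Fetch one cluster secret and export it under the same name.
# Fails closed when the fetch errors or the value is empty,
# and never writes the value itself to the job log.
load_secret() {
  local name value
  name="$1"
  if ! value="$(buildkite-agent secret get "$name")"; then
    echo "secret $name: fetch failed" >&2
    return 1
  fi
  if [ -z "$value" ]; then
    echo "secret $name: empty value" >&2
    return 1
  fi
  export "$name=$value"
  echo "secret $name: loaded" >&2
}

# Load every named secret and stop at the first failure, so later
# steps never run with a half-populated environment.
load_secrets() {
  local name
  for name in "$@"; do
    load_secret "$name" || return 1
  done
}

# Only act inside a real job; BUILDKITE_JOB_ID is set by the agent.
if [ -n "${BUILDKITE_JOB_ID:-}" ]; then
  load_secrets AWS_ACCOUNT_ID AWS_DEFAULT_REGION || exit 1
fi
```

With the hook in place, the `ECR Login` step from the question can keep its `-z` checks as a second line of defence and drop the `echo` lines that print the variables.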