ECR docker login issues with CLI v2 #4962

Closed
mjsteinbaugh opened this issue Feb 14, 2020 · 16 comments

@mjsteinbaugh mjsteinbaugh commented Feb 14, 2020

Hi, I'm having trouble getting ECR to authenticate using CLI v2.

aws_account_id="000000000000"
aws_region="us-east-1"
ecr_url="${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com"

First off, I'm having no issues using CLI v1.

# Using AWS CLI 1.
eval "$( \
    /usr/bin/aws ecr get-login \
        --no-include-email \
        --region "$aws_region" \
)"
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

But I'm having trouble using the default recommended method for CLI v2.

# Using AWS CLI 2.
aws ecr get-login-password \
    | docker login \
        --password-stdin \
        --username AWS \
        "$ecr_url"
Error response from daemon: login attempt to
https://000000000000.dkr.ecr.us-east-1.amazonaws.com/v2/ failed with status:
400 Bad Request

This also isn't working, with the same error as above.

password="$(aws ecr get-login-password)"
docker login \
    --password "$password" \
    --username AWS \
    "$ecr_url"

I think there's some issue with the password encoding, because this alternate
approach currently works for me with CLI v2:

password="$( \
    aws ecr get-authorization-token \
        --region "${aws_region}" \
        --output text \
        --query 'authorizationData[].authorizationToken' \
        | base64 -d \
        | cut -d: -f2 \
)"
echo "$password" \
    | docker login \
        --password-stdin \
        --username AWS \
        "$ecr_url"

See also:
#2875

I didn't see any current issues related to this, so I figured a new one is appropriate:
https://github.com/aws/aws-cli/issues?utf8=%E2%9C%93&q=ecr+get-login-password+docker+login

Best,
Mike


@matthew-russo matthew-russo commented Feb 14, 2020

Hi Mike,

Thanks for bringing this issue to our attention.

Can you verify that the region you are getting the credential from is the same region that you are attempting to login to?
You can do this by changing your login command to:

aws --region ${aws_region} ecr get-login-password \
    | docker login \
        --password-stdin \
        --username AWS \
        "${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com"

If that doesn't resolve the issue can you provide the following information:

Thanks

@KaibaLopez KaibaLopez added the response-requested label Feb 18, 2020

@dougch dougch commented Feb 18, 2020

The previous suggestion was successful:

echo $(aws ecr get-login-password)|docker login --password-stdin --username AWS ${aws_account}.dkr.ecr.us-west-2.amazonaws.com


@james-gonzalez james-gonzalez commented Feb 19, 2020

To login to your current account ECR:

docker login -u AWS -p $(aws ecr get-login-password) https://$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com


@schollii schollii commented Feb 26, 2020

@james-gonzalez Just a note that using docker ... -p $(aws ecr get-login-password) ... is not as safe as aws ecr get-login-password | docker ... --password-stdin ... because there are ways the password can end up visible (say with set -x), whereas this is not the case if using pipe from stdout to stdin (eg there is no mode that shows the data piped from one proc to another).

@dougch echo $(aws ecr get-login-password) | ... is the same as aws ecr get-login-password | ... but is in fact more dangerous for the same reason as my note above.
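
The difference between the three invocation forms discussed above can be reproduced offline. This is an added example, not part of any comment in the thread; `get_password` and `consume` are constructed stand-ins for `aws ecr get-login-password` and `docker login`, and the token value is constructed.

```shell
#!/bin/sh
# Constructed stand-ins so the comparison runs without AWS or Docker:
#   get_password plays the role of `aws ecr get-login-password`
#   consume      plays the role of `docker login`
TOKEN_FILE="$(mktemp)"
trap 'rm -f "$TOKEN_FILE"' EXIT
printf '%s\n' 'CONSTRUCTED-ECR-TOKEN' > "$TOKEN_FILE"   # constructed value

get_password() { cat "$TOKEN_FILE"; }
consume() { cat > /dev/null; }

# Form 1: secret expanded into an argument (-p "$(...)").
trace_arg_form() {
    ( set -x; consume -p "$(get_password)" < /dev/null ) 2>&1
}

# Form 2: secret expanded into echo's argument, then piped.
trace_echo_form() {
    ( set -x; echo "$(get_password)" | consume --password-stdin ) 2>&1
}

# Form 3: secret goes straight from one process's stdout to the next's stdin.
trace_pipe_form() {
    ( set -x; get_password | consume --password-stdin ) 2>&1
}

# Succeeds when the xtrace output of the given form contains the token.
leaks_token() {
    "$1" | grep -q 'CONSTRUCTED-ECR-TOKEN'
}

for form in trace_arg_form trace_echo_form trace_pipe_form; do
    if leaks_token "$form"; then
        echo "$form: token appears in the set -x trace"
    else
        echo "$form: token absent from the set -x trace"
    fi
done
```

Only the direct pipe keeps the token out of the trace, because in the other two forms the shell expands it into a command's argument list before running the command.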

Author

@mjsteinbaugh mjsteinbaugh commented Feb 26, 2020

@matthew-russo Nice, adding aws --region "${aws_region}" fixes the issue for me.


@philvarner philvarner commented Feb 27, 2020

As an example for anyone else who has this issue, in my script, I had to change

eval $(aws ecr get-login --region us-west-2 --no-include-email)

to

aws --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin xxxxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com

without the eval.


@stelukutla stelukutla commented Feb 27, 2020

With --region works fine. I think ECR documentation should change with region values as mandatory.

Documentation is after creating a repository in ECR and then clicking on Push Commands

Contributor

@rpnguyen rpnguyen commented Mar 6, 2020

For anyone having issues, check that you've passed the correct --region parameter to the get-login-password command. We've updated the get-login-password examples to be more clear about this.

> With --region works fine. I think ECR documentation should change with region values as mandatory.

@stelukutla done!
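
One way to rule out the region mismatch behind the 400 error is to take the region from the registry host itself. This is an added example, not code from the AWS CLI project or from any comment here; the function names `ecr_region_from_registry` and `ecr_login` are hypothetical, and it assumes the host shape `<account>.dkr.ecr.<region>.amazonaws.com` used in this thread.

```shell
#!/bin/sh
# Print the region embedded in an ECR registry host of the form
#   <account>.dkr.ecr.<region>.amazonaws.com
# (an optional https:// prefix and /path suffix are ignored).
# Returns 1 if the argument does not have that shape.
ecr_region_from_registry() {
    host="${1#https://}"
    host="${host%%/*}"
    case "$host" in
        [0-9]*.dkr.ecr.*.amazonaws.com) ;;
        *) return 1 ;;
    esac
    region="${host#*.dkr.ecr.}"
    region="${region%.amazonaws.com}"
    # A region is lowercase letters, digits and hyphens only.
    case "$region" in
        ''|*[!a-z0-9-]*) return 1 ;;
    esac
    printf '%s\n' "$region"
}

# Request the token from the same region the registry lives in and
# hand it to docker over stdin, never as an argument.
ecr_login() {
    registry="${1#https://}"
    registry="${registry%%/*}"
    region="$(ecr_region_from_registry "$1")" || {
        echo "not an ECR registry host: $1" >&2
        return 2
    }
    aws --region "$region" ecr get-login-password \
        | docker login --username AWS --password-stdin "$registry"
}

# Offline check with the placeholder account id from the original post.
ecr_region_from_registry "000000000000.dkr.ecr.us-east-1.amazonaws.com"
```

Calling `ecr_login "000000000000.dkr.ecr.us-east-1.amazonaws.com"` then works regardless of the default region in the active profile.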


@nik786 nik786 commented Mar 15, 2020

k=$(aws ecr get-login)
s=$(echo $k | sed 's/-e//' | sed 's/none//' | sed 's/docker//' | sed 's/login//' | sed 's/-u//' | sed 's/AWS//' | sed 's/-p//')

#echo $p

docker login -u AWS -p $s
:-)


@apinazo apinazo commented Mar 26, 2020

I had this 400 Bad Request error when I was following the steps in the official documentation to login to the ECR with Docker.

But what worked for me was this command:

aws ecr get-login-password \
    | docker login \
        --password-stdin \
        --username AWS \
        "${aws_account}.dkr.ecr.${aws_region}.amazonaws.com/${repository_name}"

Note:

  • aws_account: is the Account field from the identity, not the UserId
  • repository_name: it was necessary to add this, without it I get the 400 error


@lanlin lanlin commented Mar 30, 2020

this works for me:

aws ecr get-login-password --region xxx  # for original region specific
aws ecr get-login-password --profile xxx  # for named profile config 

Now copy the password string and paste it to replace the xxx below (you can pipe to login directly; this is only for when you want to generate the password and send it to other people).

echo xxx | docker login --password-stdin -u AWS  https://xxx.dkr.ecr.xxx.amazonaws.com

Since CLI v2 the config file uses a different naming format than the CLI credentials file for named profiles; the config file includes the prefix word "profile".

PS: include the prefix word "profile" only when configuring a named profile in the config file.
Do not use the word profile when creating an entry in the credentials file.

~/.aws/config

[default]
region=us-west-2
output=json

[profile user1]
region=us-east-1
output=text

~/.aws/credentials

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY


@explorer855 explorer855 commented Mar 31, 2020

Hi Frenz,
Below AWS CLI command also works like a charm. I have also provided the AWS CLI version information installed on my machine.

Login to AWS cloud repository

aws ecr get-login-password --region {{region-name}} | docker login --username AWS --password-stdin {{ecr-url}}

Version

aws --version
aws-cli/2.0.5 Python/3.7.3 Linux/4.4.0-18362-Microsoft botocore/2.0.0dev9

Initially, I struggled a lot with my pre-existing "sh" scripts after updating/installing the latest version of AWS CLI. Then the above command helped me a lot.
Above issue no longer exists

Newly added issues

I'm unable to run "aws ecs update-service --force-new-deployment --cluster {{cluster-name}} --service {{service-name}}" command after upgrading to "aws-cli/2.0.6 Python/3.7.5 Windows/10 botocore/2.0.0dev10".


@shamonshan shamonshan commented Apr 8, 2020

I am still facing the issue
aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin <account>.dkr.ecr.eu-central-1.amazonaws.com/

beseven added a commit to beseven/application-container-platform that referenced this issue Apr 17, 2020
Update documentation on an upgraded version of AWS CLI Based on suggestions from this thread aws/aws-cli#4962

@shane-valtech shane-valtech commented Apr 22, 2020

This is the command that worked for me:
aws ecr get-login --no-include-email --region us-east-1 | sh


@jeffminsungkim jeffminsungkim commented Apr 27, 2020

None of them work.

Contributor

@rpnguyen rpnguyen commented Apr 28, 2020

It looks like the original author's issue has been resolved and we've also improved documentation to be more clear based on feedback from this thread.

If there are different problems with the command, please submit a new issue making sure to include debug logs and environment information. I've asked repo maintainers to lock this thread.

@aws aws locked as resolved and limited conversation to collaborators Apr 28, 2020