ECR docker login issues with CLI v2 #4962

Closed
mjsteinbaugh opened this issue Feb 14, 2020 · 11 comments

@mjsteinbaugh mjsteinbaugh commented Feb 14, 2020

Hi, I'm having trouble getting ECR to authenticate using CLI v2.

aws_account_id="000000000000"
aws_region="us-east-1"
ecr_url="${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com"

First off, I'm having no issues using CLI v1.

# Using AWS CLI 1.
eval "$( \
    /usr/bin/aws ecr get-login \
        --no-include-email \
        --region "$aws_region" \
)"
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

But I'm having trouble using the default recommended method for CLI v2.

# Using AWS CLI 2.
aws ecr get-login-password \
    | docker login \
        --password-stdin \
        --username AWS \
        "$ecr_url"
Error response from daemon: login attempt to
https://000000000000.dkr.ecr.us-east-1.amazonaws.com/v2/ failed with status:
400 Bad Request

This also isn't working, with the same error as above.

password="$(aws ecr get-login-password)"
docker login \
    --password "$password" \
    --username AWS \
    "$ecr_url"

I think there's some issue with the password encoding, because this alternate
approach currently works for me with CLI v2:

password="$( \
    aws ecr get-authorization-token \
        --region "${aws_region}" \
        --output text \
        --query 'authorizationData[].authorizationToken' \
        | base64 -d \
        | cut -d: -f2 \
)"
echo "$password" \
    | docker login \
        --password-stdin \
        --username AWS \
        "$ecr_url"

See also:
#2875

I didn't see any current issues related to this, so I figured a new one is appropriate:
https://github.com/aws/aws-cli/issues?utf8=%E2%9C%93&q=ecr+get-login-password+docker+login

Best,
Mike

@matthew-russo matthew-russo commented Feb 14, 2020

Hi Mike,

Thanks for bringing this issue to our attention.

Can you verify that the region you are getting the credential from is the same region that you are attempting to login to?
You can do this by changing your login command to:

aws --region ${aws_region} ecr get-login-password \
    | docker login \
        --password-stdin \
        --username AWS \
        "${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com"

If that doesn't resolve the issue can you provide the following information:

Thanks

@dougch dougch commented Feb 18, 2020

The previous suggestion was successful:

echo $(aws ecr get-login-password)|docker login --password-stdin --username AWS ${aws_account}.dkr.ecr.us-west-2.amazonaws.com

@james-gonzalez james-gonzalez commented Feb 19, 2020

To login to your current account ECR:

docker login -u AWS -p $(aws ecr get-login-password) https://$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com

@schollii schollii commented Feb 26, 2020

@james-gonzalez Just a note that using docker ... -p $(aws ecr get-login-password) ... is not as safe as aws ecr get-login-password | docker ... --password-stdin ... because there are ways the password can end up visible (say with set -x), whereas this is not the case if using pipe from stdout to stdin (e.g. there is no mode that shows the data piped from one proc to another).

@dougch echo $(aws ecr get-login-password) | ... is the same as aws ecr get-login-password | ... but is in fact more dangerous for the same reason as my note above.
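
Added example, not part of any comment in this thread: a runnable check of the point above, that a token passed as an argument or through echo $(...) shows up in a set -x trace while a direct pipe does not. The fake_* functions, variable names and token value are constructed stand-ins for aws ecr get-login-password and docker login, so nothing contacts AWS or Docker.

```shell
# Constructed sample token, written to a temp file before any tracing starts.
SECRET="constructed-token-0123456789"
TOKEN_FILE="$(mktemp)"
printf '%s\n' "$SECRET" > "$TOKEN_FILE"
trap 'rm -f "$TOKEN_FILE"' EXIT

# Stand-in for `aws ecr get-login-password`: emits the token on stdout.
# Reading it from a file keeps the token out of this function's own trace,
# the way an external binary's internals are not traced by the shell.
fake_get_login_password() { cat "$TOKEN_FILE"; }

# Stand-in for `docker login`: reads stdin only with --password-stdin.
fake_login() {
    case "$1" in
        --password-stdin) cat > /dev/null ;;
        *) : ;;   # password arrived as an argument
    esac
}

# Run a snippet with xtrace on; succeed if the token appears in the trace.
leaks_in_xtrace() {
    trace="$( { set -x; eval "$1"; } 2>&1 > /dev/null )"
    case "$trace" in
        *"$SECRET"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The three command shapes discussed in the thread.
ARG_FORM='fake_login -p "$(fake_get_login_password)"'
ECHO_FORM='echo $(fake_get_login_password) | fake_login --password-stdin'
PIPE_FORM='fake_get_login_password | fake_login --password-stdin'

for form in "$ARG_FORM" "$ECHO_FORM" "$PIPE_FORM"; do
    if leaks_in_xtrace "$form"; then
        printf 'token in trace:  %s\n' "$form"
    else
        printf 'trace is clean:  %s\n' "$form"
    fi
done
```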

Author

@mjsteinbaugh mjsteinbaugh commented Feb 26, 2020

@matthew-russo Nice, adding aws --region "${aws_region}" fixes the issue for me.

@philvarner philvarner commented Feb 27, 2020

As an example for anyone else who has this issue, in my script, I had to change

eval $(aws ecr get-login --region us-west-2 --no-include-email)

to

aws --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin xxxxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com

without the eval.

@stelukutla stelukutla commented Feb 27, 2020

With --region works fine. I think ECR documentation should change with region values as mandatory.

Documentation is after creating a repository in ECR and then click on Push Commands

Contributor

@rpnguyen rpnguyen commented Mar 6, 2020

For anyone having issues, check that you've passed the correct --region parameter to the get-login-password command. We've updated the get-login-password examples to be more clear about this.

> With --region works fine. I think ECR documentation should change with region values as mandatory.

@stelukutla done!
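
Added example, not code from the AWS CLI project or from any commenter: one way to keep the token's region and the registry's region from drifting apart is to derive the region from the registry hostname. The function names are hypothetical, and the host pattern assumes the <account>.dkr.ecr.<region>.amazonaws.com form used in this thread.

```shell
# Print the bare registry host: strips an optional scheme and any /path suffix,
# so the forms seen in this thread (https:// prefix, /repository suffix) work.
ecr_registry_host() {
    host="${1#https://}"
    host="${host#http://}"
    printf '%s\n' "${host%%/*}"
}

# Print the region encoded in <account>.dkr.ecr.<region>.amazonaws.com,
# or return 1 if the host does not have that shape.
ecr_region_from_registry() {
    host="$(ecr_registry_host "$1")"
    case "$host" in
        *.dkr.ecr.*.amazonaws.com) ;;
        *) echo "not an ECR registry host: $host" >&2; return 1 ;;
    esac
    region="${host#*.dkr.ecr.}"
    region="${region%.amazonaws.com}"
    case "$region" in
        ''|*[!a-z0-9-]*) echo "unexpected region: $region" >&2; return 1 ;;
    esac
    printf '%s\n' "$region"
}

# Log in with a token requested from the same region as the registry.
# Needs the aws and docker CLIs; defined here but not called.
ecr_login() {
    registry="$(ecr_registry_host "$1")" || return 1
    region="$(ecr_region_from_registry "$registry")" || return 1
    aws --region "$region" ecr get-login-password \
        | docker login --username AWS --password-stdin "$registry"
}

# Constructed input: placeholder account ID and a made-up repository name.
ecr_region_from_registry "https://000000000000.dkr.ecr.us-east-1.amazonaws.com/my-repo"
```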

@nik786 nik786 commented Mar 15, 2020

k="$(aws ecr get-login)"
s="$(echo $k | sed 's/-e//' | sed 's/none//' | sed 's/docker//' | sed 's/login//' | sed 's/-u//' | sed 's/AWS//' | sed 's/-p//')"

#echo $p

# $s is left unquoted so it splits into the password and the registry URL
docker login -u AWS -p $s
:-)

@apinazo apinazo commented Mar 26, 2020

I had this 400 Bad Request error when I was following the steps in the official documentation to login to the ECR with Docker.

But what worked for me was this command:

aws ecr get-login-password \
    | docker login \
        --password-stdin \
        --username AWS \
        "${aws_account}.dkr.ecr.${aws_region}.amazonaws.com/${repository_name}"

Note:

  • aws_account: is the Account field from the identity, not the UserId
  • repository_name: it was necessary to add this, without it I get the 400 error

@lanlin lanlin commented Mar 30, 2020

this works for me:

aws ecr get-login-password --region xxx  # for original region specific
aws ecr get-login-password --profile xxx  # for named profile config 

Now copy the password string and paste it to replace the xxx below (you can pipe to login directly; this is only for when you want to generate the password and send it to other people).

echo xxx | docker login --password-stdin -u AWS  https://xxx.dkr.ecr.xxx.amazonaws.com

Since CLI v2, the config file uses a different naming format than the CLI credentials file for named profiles: the config file includes the prefix word "profile".

PS: include the prefix word "profile" only when configuring a named profile in the config file.
Do not use the word profile when creating an entry in the credentials file.

~/.aws/config

[default]
region=us-west-2
output=json

[profile user1]
region=us-east-1
output=text

~/.aws/credentials

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY