Can't push image to Amazon ECR - fails with “n

2019-01-16 05:00发布

站内问答 / Docker
573 29 6

I'm trying to push a docker image to an Amazon ECR registry. I'm using docker client Docker version 1.9.1, build a34a1d5. I use "aws ecr get-login --region us-east-1" to get the docker login creds. I then successfully login with those creds as follows: 

docker login -u AWS -p XXXX -e none https://####.dkr.ecr.us-east-1.amazonaws.com
WARNING: login credentials saved in /Users/ar/.docker/config.json
Login Succeeded

But when I try to push my image I get the following error:

$ docker push ####.dkr.ecr.us-east-1.amazonaws.com/image:latest
The push refers to a repository [####.dkr.ecr.us-east-1.amazonaws.com/image] (len: 1)
bcff5e7e3c7c: Preparing 
Post https://####.dkr.ecr.us-east-1.amazonaws.com/v2/image/blobs/uploads/: no basic auth credentials

I made sure that the aws user had the correct permissions. I also made sure that the repository allowed that user to push to it. Just to make sure that wasn't an issue I set the registry to allow all users full access. Nothing changes the "no basic auth credentials" error. I don't know how to begin to debug this since all the traffic is encrypted.

UPDATE

So I had a bit of Homer Simpson D'Oh moment when I realized the root cause of my problem. I have access to multiple AWS accounts. Even though I was using aws configure to set my credentials for the account where I had setup my repository the aws cli was actually using the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. So when I did aws ecr get-login it was returning a login for the wrong account. I failed to notice that the account numbers were different until I just went back now to try some of the proposed answers. When I remove the environment variables everything works correctly. I guess the motto of the story is if you hit this error, make sure that the repository you are logging into matches the tag you have applied to the image.

29条回答
欢心
2楼-- · 2019-01-16 05:55

I ran into this issue as well running on OSX. I saw Oliver Salzburg's response and checked my ~/.docker/config.json. It had multiple authorization credentials inside it from the different AWS accounts I have. I deleted the file and after running get-login again it worked.

查看更多
0人赞 添加讨论(0) 举报
SAY GOODBYE
3楼-- · 2019-01-16 05:56

I had this issue with a different cause: I needed to push to a registry not associated with my AWS Account (a client's ECR registry). The client had granted me access under the Permissions tab for the registry, by adding my IAM id (e.g., arn:aws:iam::{AWS ACCT #}:user/{Username}) as a Principal. I tried to login with the usual steps:

$(aws ecr get-login --region us-west-2 --profile profilename)
docker push {Client AWS ACCT #}.dkr.ecr.us-west-1.amazonaws.com/imagename:latest

Which of course resulted in no basic auth credentials. As it turns out, aws ecr get-login logs you in to the ECR for the registry associated your login, which makes sense in retrospect. The solution is to tell aws ecr get-login which registry(s) you want to log in to.

$(aws ecr get-login --region us-west-2 --profile profilename --registry-ids {Client AWS ACCT #})

After that, docker push works just fine.

查看更多
0人赞 添加讨论(0) 举报
Animai°情兽
4楼-- · 2019-01-16 05:58

FWIW, Debian 9, Docker version 18.06.1-ce, build e68fc7a:

$(aws ecr get-login | sed 's| -e none | |g')

查看更多
0人赞 添加讨论(0) 举报
The star\"
5楼-- · 2019-01-16 05:59

In my case, after running aws ecr get-login --no-include-email --region *****, I just copied the output of that command with is of the form docker login -u *** -p ************, and you paste it in the prompt. The pushing went ahead.

查看更多
0人赞 添加讨论(0) 举报
Emotional °昔
6楼-- · 2019-01-16 05:59

If you are isolating AWS Accounts for CI/CD purpose and having one ECR repository shared among multiple AWS Accounts, you might need to change the ~/.docker/config.json manually.

Let's say you have these setups:

  1. ECR is owned by AWS Account ID 00000000000000
  2. CI server is owned by AWS Account ID 99999999999999

If you call aws ecr get-login --region us-west-2 | bash within your CI server, docker will generate temporary credentials in ~/.docker/config.json.

{
  "auths": {
    "https://99999999999999.dkr.ecr.us-west-2.amazonaws.com": {
      "auth": "long-token.."
    }
  }
}

But you want to point to the ECR's account, so you need to change the hostname.

{
  "auths": {
    "https://00000000000000.dkr.ecr.us-west-2.amazonaws.com": {
      "auth": "long-token.."
    }
  }
}

Note this situation relies how you form IAM user / policy to allow ECR access.

查看更多
0人赞 添加讨论(0) 举报
上一页 1 2 3 4 5
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)