I'm trying to push a docker image to an Amazon ECR registry. I'm using docker client Docker version 1.9.1, build a34a1d5
. I use aws ecr get-login --region us-east-1
to get the docker login creds. Then I successfully login with those creds as follows:
docker login -u AWS -p XXXX -e none https://####.dkr.ecr.us-east-1.amazonaws.com
WARNING: login credentials saved in /Users/ar/.docker/config.json
Login Succeeded
But when I try to push my image I get the following error:
$ docker push ####.dkr.ecr.us-east-1.amazonaws.com/image:latest
The push refers to a repository [####.dkr.ecr.us-east-1.amazonaws.com/image] (len: 1)
bcff5e7e3c7c: Preparing
Post https://####.dkr.ecr.us-east-1.amazonaws.com/v2/image/blobs/uploads/: no basic auth credentials
I made sure that the aws user had the correct permissions. I also made sure that the repository allowed that user to push to it. Just to make sure that wasn't an issue I set the registry to allow all users full access. Nothing changes the "no basic auth credentials"
error. I don't know how to begin to debug this since all the traffic is encrypted.
UPDATE
So I had a bit of Homer Simpson D'Oh moment when I realized the root cause of my problem. I have access to multiple AWS accounts. Even though I was using aws configure
to set my credentials for the account where I had setup my repository the aws cli was actually using the environment variables AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
. So when I did aws ecr get-login
it was returning a login for the wrong account. I failed to notice that the account numbers were different until I just went back now to try some of the proposed answers. When I remove the environment variables everything works correctly. I guess the motto of the story is if you hit this error, make sure that the repository you are logging into matches the tag you have applied to the image.
if you run $(aws ecr get-login --region us-east-1)
it will be all done for you
get-login
is now deprecated in version 1 of the AWS CLI. If you're using version 2 of the AWS CLI, you must use get-login-password
.
You can pipe the output of get-login-password
to your docker login command to authenticate docker to your ECR registry:
aws ecr get-login-password | docker login --username AWS --password-stdin ####.dkr.ecr.us-east-1.amazonaws.com
Now you should be able to docker push
and have it go straight to your ECR registry.
In my case this was a bug with Docker for Windows and their support for the Windows Credential Manager.
Open your ~/.docker/config.json
and remove the "credsStore": "wincred"
entry.
This will cause credentials to be written to the config.json
directly. You'll have to log in again afterwards.
You can track this bug through the tickets #22910 and #24968 on GitHub.
如果您使用配置文件,请不要忘记将--profile=XXX
传递给aws ecr get-login
--profile=XXX
aws ecr get-login
。
Since AWS CLI version 2 - aws ecr get-login
is deprecated and the correct method is aws ecr get-login-password
.
Therefore the correct and updated answer is the following: docker login -u AWS -p $(aws ecr get-login-password --region us-east-1) xxxxxxxx.dkr.ecr.us-east-1.amazonaws.com
I had this issue as well. What happened with me was I forgot to run the command that was returned to me after I ran
aws ecr get-login --region ap-southeast-2
This command returned a big blob, which includes the docker login
command right there! I didn't realise. It should return something like this:
docker login -u AWS -p <your_token_which_is_massive> -e none <your_aws_url>
Copy and paste this command & then run your docker push command which looks something like this:
docker push 8888888.blah.blah.ap-southwest-1.amazonaws.com/dockerfilename
This should have worked even without opening up the permissions. See the documentation: Private Registry Authentication .
[Edit: actually, I had permissions problems too when doing a second test. See Docker push to AWS ECR private repo failing with malformed JSON ).]
Nevertheless I had the same problem; I don't know why, but I successfully used the more long-winded auth mechanism described in the docs for get-authorization-token
AWS CLI and Docker versions:
$ aws --version
aws-cli/1.9.17 Python/2.7.6 Linux/3.16.0-38-generic botocore/1.3.17
$ docker --version
Docker version 1.9.1, build a34a1d5
Get the auth token ('docker password').
aws ecr get-authorization-token --region us-east-1 --output text \
--query authorizationData[].authorizationToken | base64 -d | cut -d: -f2
Note: My ~/.aws/config specifies a different default region, so I needed to explicitly set --region us-east-1
.
Log in interactively (change ############
to your AWS account id):
docker login -u AWS https://############.dkr.ecr.us-east-1.amazonaws.com/
password: <paste the very long password from above>
email: <I left this blank>
Push an image (assuming you've made a docker image test
):
docker tag test:latest ############.dkr.ecr.us-east-1.amazonaws.com/test:latest
docker push ############.dkr.ecr.us-east-1.amazonaws.com/test:latest
The push refers to a repository [910732017890.dkr.ecr.us-east-1.amazonaws.com/test] (len: 1)
d5122f58a2e1: Pushed
7bddbca3b908: Pushed
latest: digest: sha256:bc0b521fd398bd1a2ef58a289dcb910334608723fd570e7bddb36eacd0060363 size: 4378
Try with:
eval $(aws ecr get-login --no-include-email | sed 's|https://||')
before push.
If it helps anyone...
My problem was that I had to use the --profile
option in order to authenticate with the proper profile from the credentials file.
Next, I had ommitted the --region [region_name]
command, which also gave the "no basic auth credentials" error.
The solution for me was changing my command from this:
aws ecr get-login
To this:
aws --profile [profile_name] ecr get-login --region [region_name]
Example:
aws --profile foo ecr get-login --region us-east-1
Hope that helps someone!
There's a known bug in the wincred credential manager on Windows. Removing 'https://' from the generated login command solves this.
docker login -u AWS -p <password> <aws_account_id>.dkr.ecr.<region>.amazonaws.com
instead of
docker login -u AWS -p <password> https://<aws_account_id>.dkr.ecr.<region>.amazonaws.com
See also the troubleshooting page .
I experienced the same issue.
Generating new AWS credentials (access keys) and reconfiguring AWS CLI with new credentials resolved the problem.
Earlier, aws ecr get-login --region us-east-1
generated docker login command with invalid EC registry URL.
eval $(aws ecr get-login --region us-east-1)
eval $(aws ecr get-login --region us-east-1 --profile your-profile)
docker build -t image-name .
docker tag image-name:latest ############.dkr.ecr.us-east-1.amazonaws.com/image-name:latest
docker push ############.dkr.ecr.us-east-1.amazonaws.com/image-name:latest
In case of error, make sure you run all the commands again! The credentials you get using aws ecr get-login
are temporary and will expire.
在PowerShell 中的Windows上,使用:
Invoke-Expression $(aws ecr get-login --no-include-email)
I had this issue with a different cause: I needed to push to a registry not associated with my AWS Account (a client's ECR registry). The client had granted me access under the Permissions tab for the registry, by adding my IAM id (eg, arn:aws:iam::{AWS ACCT #}:user/{Username}
) as a Principal. I tried to login with the usual steps:
$(aws ecr get-login --region us-west-2 --profile profilename)
docker push {Client AWS ACCT #}.dkr.ecr.us-west-1.amazonaws.com/imagename:latest
Which of course resulted in no basic auth credentials
. As it turns out , aws ecr get-login
logs you in to the ECR for the registry associated your login , which makes sense in retrospect. The solution is to tell aws ecr get-login
which registry(s) you want to log in to.
$(aws ecr get-login --region us-west-2 --profile profilename --registry-ids {Client AWS ACCT #})
After that, docker push
works just fine.
In my case, after running aws ecr get-login --no-include-email --region *****
, I just copied the output of that command with is of the form docker login -u *** -p ************
, and you paste it in the prompt. The pushing went ahead.
There has just been an update where get-login was removed from AWS, instead use get-login-password:
sudo docker login -u AWS -p $(aws ecr get-login-password --region <region> -
-profile <profile>) <account id>.dkr.ecr.eu-north-1.amazonaws.com
Dont forget to remove the --profile flag if using default credentials
The AWS documents tell you to execute the following command (for ap-southeast-2 region)
aws ecr get-login --region ap-southeast-2
When I bumped into this issue, it wasn't clear to me based on that docs that you need to enter the result of this command into the terminal and execute it.
Fix that worked for me to was to copy the result to the clipboard with
aws ecr get-login --region ap-southeast-2 | pbcopy
Paste the result into the command line and execute it
After run this command:
(aws ecr get-login --no-include-email --region us-west-2)
just run the docker login command from the output
docker login -u AWS -p epJ....
is the way that docker login into ECR
The docker command given by aws-cli is little off...
When using docker login, docker will save a server:key pair either in your keychain or ~/.docker/config.json file
If it saves the key under https://7272727.dkr.ecr.us-east-1.amazonaws.com
the lookup for the key during push will fail because docker will be looking for a server named 7272727.dkr.ecr.us-east-1.amazonaws.com
not https://7272727.dkr.ecr.us-east-1.amazonaws.com
.
Use the following command to login:
eval $(aws ecr get-login --no-include-email --region us-east-1 --profile yourprofile | sed 's|https://||')
Once you run the command you will get 'Login Succeeded'
message and then you are good
after that your push command should work
This error generally gets thrown if ecr login has failed. I am using windows system and I used "Powershell" in Administrator mode to login to ecr first.
Invoke-Expression $(aws ecr get-login --no-include-email)
This should output "Login succeeded".
Docker CLI doesn't support native IAM authentication methods. To authenticate and authorize Docker push and pull requests follow this step.
Step - 1
Check whether aws credentials properly configured or not. To configure AWS credentials run the following command and give your aws credentials.
aws configure
step - 2
you can authenticate Docker to an Amazon ECR private registry with get-login-password (recommended)
linux and msc
aws ecr get-login-password --region <your region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<your region>.amazonaws.com
for windows
(Get-ECRLoginCommand).Password | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.<your region>.amazonaws.com
or
you can also use --get-login method (but expose credentials) (not recommended).
for linux and mac
$(aws ecr get-login --region <your region> --no-include-email)
for windows
Invoke-Expression -Command (Get-ECRLoginCommand -Region <your region>).Command
if you got Login Succeeded then you are good to go. else refer aws docs for error
step - 3
Tag your image
docker tag <aws_account_id>.dkr.ecr..amazonaws.com/my-web-app
Push your image with following command.
docker push <aws_account_id>.dkr.ecr..amazonaws.com/my-web-app
Note: this is token based login and the generated authorize token valid only for 12H
I faced the same issue and the mistake I did was using the wrong repo path
eg: docker push xxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/jenkins:latest
In the above path this is where I've done the mistake: In "dkr.ecr.us-east-1.amazonaws.com"
instead of "west"
. I was using " east"
. Once I corrected my mistake, I was able to push the image successfully.
Following command works for me:
sudo $(aws ecr get-login --region us-east-1 --no-include-email)
And Then I run these commands:
sudo docker tag e9ae3c220b23(image_id) aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app
sudo docker push aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app
Just adding to this as in case someone out there is suffering from never Reading The F Manual like me
I followed all the suggested steps from above such as
aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 123456789.dkr.ecr.eu-west-1.amazonaws.com
And always got the no basic auth credentials
I had created a registry named
123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace
and was trying to push an image called alpine:latest
123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine:latest
2c6e8b76de: Preparing
9d4cb0c1e9: Preparing
1ca55f6ab4: Preparing
b6fd41c05e: Waiting
ad44a79b33: Waiting
2ce3c1888d: Waiting
no basic auth credentials
Silly mistake on my behalf as I must create a registry in ecr using the full container path.
I created a new registry using the full container path, not ending on the namespace
123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine
and low and behold pushing to
123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine:latest
The push refers to repository [123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine]
0c8667b5b: Pushed
730460948: Pushed
1.0: digest: sha256:e1f814f3818efea45267ebfb4918088a26a18c size: 7
works just fine
I ran into this issue as well running on OSX. I saw Oliver Salzburg's response and checked my ~/.docker/config.json. It had multiple authorization credentials inside it from the different AWS accounts I have. I deleted the file and after running get-login again it worked.
确保在aws ecr get-login
使用正确的区域,它必须与创建存储库的区域相匹配。
My issue was having multiple AWS credentials; default and dev. Since I was trying to deploy to dev this worked:
$(aws ecr get-login --no-include-email --region eu-west-1 --profile dev | sed 's|https://||')
FWIW,Debian 9,Docker 版本 18.06.1-ce,构建 e68fc7a:
$(aws ecr get-login | sed 's| -e none | |g')
如果您使用多个配置文件并且需要登录到非默认配置文件,则需要使用以下命令登录:
$(AWS_PROFILE=<YOUR PROFILE> aws ecr get-login --no-include-email --region eu-west-1)
There is a very simple way to push docker images to ECR: Amazon ECR Docker Credential Helper . Just install it according to the provided guide, update your ~/.docker/config.json
as the following:
{
"credsStore": "ecr-login"
}
and you will be able to push/pull your images without docker login
.
cat ~/.docker/config.json
Sample Result:
{
"auths": {
"https://55511155511.dkr.ecr.us-east-1.amazonaws.com": {}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.5 (darwin)"
},
"credsStore": "osxkeychain"
}
Notice that the "auths" value is an empty object and docker is using a credential store "osxkeychain".
Notice the Where:
field
auths
key in ~/.docker/config.json
matches the Where:
field in Keychain Access. If the auths
key in ~/.docker/config.json does NOT match they Where:
field in the keychain, you may get a Login Succeeded
from docker login...
but still get ERROR: Service 'web' failed to build: Get https://55511155511.dkr.ecr.us-east-1.amazonaws.com/v2/path/to/image/latest: no basic auth credentials
when you try to pull.
In my case, I needed to add https://
Original
"auths": {
"55511155511.dkr.ecr.us-east-1.amazonaws.com": {}
},
Fixed
"auths": {
"https://55511155511.dkr.ecr.us-east-1.amazonaws.com": {}
},
I was struggling with the same. Please follow the below steps -
Please Note - in.dkr.ecr.us-west-2.amazonaws.com, the region would be your default region. It is us-west-2 for me hence the same.
Hope this saves your time.
we also encounter this issue today and tried everything mentionned in this post (except generating AWS credentials).
We finally solved the problem by simply upgrading Docker, then the push worked.
The problem was encountered with Docker 1.10.x and was solved with Docker 1.11.x.
Hope this helps
If you are isolating AWS Accounts for CI/CD purpose and having one ECR repository shared among multiple AWS Accounts, you might need to change the ~/.docker/config.json
manually.
Let's say you have these setups:
00000000000000
99999999999999
If you call aws ecr get-login --region us-west-2 | bash
aws ecr get-login --region us-west-2 | bash
within your CI server, docker will generate temporary credentials in ~/.docker/config.json
.
{
"auths": {
"https://99999999999999.dkr.ecr.us-west-2.amazonaws.com": {
"auth": "long-token.."
}
}
}
But you want to point to the ECR's account, so you need to change the hostname.
{
"auths": {
"https://00000000000000.dkr.ecr.us-west-2.amazonaws.com": {
"auth": "long-token.."
}
}
}
Note this situation relies how you form IAM user / policy to allow ECR access.
You have to make sure you have logged in using correct credentials, See the offical error description and checks here
http://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors-docker.html
Fixing "no basic authentication" is described in the link
aws ecr get-login --region us-west-1 --no-include-email
This command gives me correct command to login. If you dont use "--no-include-email",it will throw another error. Output of the above command looks like this docker login -u AWS -p **********************very big******. Copy that and execute it. Now it will show "Login Succeeded". Now you can push your image to ECR.
Make sure that your AMI rule has the permission for the user you tried to login.
只需运行第一步中返回的任何内容即可解决问题。
That error message is coming from docker and it not necessarily related to AWS as I have gotten same error when not using AWS ... its just saying docker is not getting authorization to proceed from whatever source of auth it happens to be using
In my case, in test I removed directory ~/.docker and got that error ... after I bounced my local docker registry then docker push was fine
In my case (and probably in all cases), this error resulted from having multiple AWS accounts. So, AWS ECR is not using the right aws credentials assosciated with the aws account.
I tried multiple solutions mentioned here, but did not succeed. It worked after using tokens instead of username and password . I got it working following the instructions here. https://btburnett.com/2017/01/docker-login-for-amazon-aws-ecr-using-windows-powershell.html
我添加了区域选项,一切正常对我来说很好:
aws ecr get-login --no-include-email --region eu-west-3
I posted an answer to this on the Docker forums. In my case the issue was that the centos "docker" was not equivalent to Docker CE and therefore failed with:
no basic auth
I simply fixed by installing "docker-ce" on centos.
Reference: https://forums.docker.com/t/docker-push-to-ecr-failing-with-no-basic-auth-credentials/17358/30
I was facing the same issue and fixed it with this command. It works for me, please update it as per your account. This is for Ubuntu machine where AWS-CLI needs to be installed with Docker
algorithm_name='multi-model-xgboost'
account=$(aws sts get-caller-identity --query Account --output text)
# Get the region defined in the current configuration
region=$(aws configure get region)
aws ecr get-login-password --region ${region} | docker login --username AWS --password-stdin ${account}.dkr.ecr.${region}.amazonaws.com/${algorithm_name}
So I installed aws-credentials-helper
by downloading the repo and compiling it myself. I discovered that I used the wrong compile command: make docker
instead of make docker TARGET_GOOS=darwin
(I'm on Mac). The resulting bin/local/docker-credential-ecr-login
was not executable initially.
I had to run aws ecr get-login-password due to aws cli deprecating the get-login command.
Also in this version the username is forced to be hard coded as AWS.
Here was the command that worked for aws-cli/2.0.58.
aws ecr get-login-password --region region_y | docker login --username AWS --password-stdin account_x.dkr.ecr.region_y.amazonaws.com
Login Succeeded
On Windows system, you have to make empty the following file ~/.docker/config.json
and then run again the below script
aws ecr get-login --no-include-email --region ap-southeast-1 --profile [profile_name]
Make sure the user with which you are running Docker locally is the one which you use to eventually push the image. For me running with sudo caused the issue. Removing sudo from the command solved it. Hope this helps and saves someone`s time and nobody makes this same dumb mistake again. Below is the output for your reference.
sudo docker push {your-account-id}.dkr.ecr.us-east-1.amazonaws.com/{repository-name}:{tag-name}
The push refers to repository [{your-account-id}.dkr.ecr.us-east-1.amazonaws.com/{repository-name}]
f13afaa342eb: Preparing
d01b75ce3235: Preparing
7eaa58141607: Preparing
519e8c5b2557: Preparing
15d4a3a33fec: Preparing
fdbbf41b1ab8: Waiting
4b88ecda5399: Waiting
e23a8e1e773f: Waiting
6623e2cc11cd: Waiting
no basic auth credentials
Running without the sudo worked perfectly fine
docker push {your-account-id}.dkr.ecr.us-east-1.amazonaws.com/{repository-name}:{tag-name}
The push refers to repository [{your-account-id}.dkr.ecr.us-east-1.amazonaws.com/{repository-name}]
f13afaa342eb: Pushed
d01b75ce3235: Pushed
7eaa58141607: Pushed
519e8c5b2557: Pushed
15d4a3a33fec: Pushed
fdbbf41b1ab8: Pushed
4b88ecda5399: Pushed
e23a8e1e773f: Pushed
6623e2cc11cd: Pushed
{tag-name}: digest: sha256:5ceaa5bf7605559582960b6d56a8eece9486ce0950bca9dd63a0dcd38a520bf0 size: 4293
AWS depricated get-login instead of that please use following command
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <ecr-repo-full-path>
example
aws ecr get-login-password --region ap-south-1 | docker login --username AWS --password-stdin 607348619222.dkr.ecr.ap-south-1.amazonaws.com
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.