Problem in getting result from 'aws ecr get-login'

I am getting the following error when I run the following command.

aws ecr get-login --region eu-central-1

Error

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::314xxxx91079:user/git is not authorized to perform: ecr:GetAuthorizationToken on resource: *

My admin has given me access for this 'GetAuthorizationToken' resource.

Most probably, I think the problem is that the 'arn:aws:iam::314xxxx91079:user/git' user is being used for this command. When I log in to the AWS console, I see my user name (IAM) as follows.

amit@iproxxx.com

How do I make 'get-login' take this user name instead of user/git? I am very new to the AWS CLI, and this command happens to be one of the build steps.

For newer versions, just use:

aws ecr get-login-password \
        --region us-east-1 | docker login \
        --username AWS \
        --password-stdin <account-id>.dkr.ecr.us-east-1.amazonaws.com

The AWS CLI command looks good, and the output should be similar to the below.

Sample output:

docker login -u AWS -p password https://aws_account_id.dkr.ecr.eu-central-1.amazonaws.com

Please check if you have correctly set the AWS credentials for the CLI to use.

If not done, try the below to configure the credentials:

aws configure

AWS Access Key ID [None]: Access Key
AWS Secret Access Key [None]: Secret Key
Default region name [None]: eu-central-1
Default output format [None]: json

Note: This should be your default profile; otherwise, pass the profile name as well to the ecr get-login command:

aws ecr get-login --region eu-central-1 --profile <profile name>

Hope this helps !!!

With newer versions of AWS CLI, we can request the password for ECR docker login with get-login-password and pipe the password to Docker login, something like:

aws ecr get-login-password \
    --region us-east-1 \
| docker login \
    --username AWS \
    --password-stdin 123456789101.dkr.ecr.us-east-1.amazonaws.com

Documentation: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/get-login-password.html

With CLI V2, the following syntax is going to throw an error:

$(aws ecr get-login --no-include-email --region us-east-1)
 aws ecr get-login --no-include-email --region us-east-1
 usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
 To see help text, you can run:
 aws help
 aws <command> help
 aws <command> <subcommand> help
 aws: error: argument operation: Invalid choice, valid choices are:

Please find below the steps that push the local Docker image to AWS ECR; with them, the login succeeds:

  1. C:\>aws ecr get-login-password --no-verify
     We will get the password. Please find the password column below.

  2. C:\>docker login --username AWS --password eyJwYXlsb2Fk...kRBVEFfS0VZIn0= https://123456789012.dkr.ecr.us-east-1.amazonaws.com

  3. docker tag user-mysql account_id.dkr.ecr.us-east-1.amazonaws.com/dockerregistry

  4. Push the image to ECR: C:\>docker push account_id.dkr.ecr.us-east-1.amazonaws.com/dockerregistry

Username : AWS
Password : eyJwYXlsb2Fk...kRBVEFfS0VZIn0=
ProxyEndpoint : https://123456789012.dkr.ecr.us-west-2.amazonaws.com
Endpoint : https://123456789012.dkr.ecr.us-west-2.amazonaws.com
ExpiresAt : 9/26/2017 6:08:23 AM
Command : docker login --username AWS --password eyJwYXlsb2Fk...kRBVEFfS0VZIn0= https://123456789012.dkr.ecr.us-west-2.amazonaws.com

Adding this for anyone who needs to configure docker properly on Linux before trying to log into the ECR.

sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker

And then...

aws ecr get-login-password \
        --region <region> | docker login \
        --username AWS \
        --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com

I don't think anyone mentioned this but you could also run into this error if you don't have the right permissions set on your IAM user/role.

Specifically, you need to allow the ecr:GetAuthorizationToken action on resource * (since you can't limit this action on a specific resource yet).

{
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Action": "ecr:GetAuthorizationToken",
    "Resource": "*"
}

With this permission granted, you can run either command:

aws ecr get-login-password --region <region>

Or:

aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' --region <region>

More info: https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html
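The two commands in the last answer do not print the same thing: get-login-password prints the password itself, while get-authorization-token returns the base64 encoding of AWS:<password>, so it must be decoded before docker login can use it. The shell functions below are an added example, not part of the original answers; the names ecr_password_from_token and ecr_login are hypothetical, and the sample token is constructed.

```shell
# Added example (not from the original answers). Function names are hypothetical.
# Assumption: the authorization token is the base64 encoding of "AWS:<password>".

# Print the password part of a base64 token; return 1 on any unexpected format.
ecr_password_from_token() {
    local token="$1" decoded user
    decoded="$(printf '%s' "$token" | base64 -d 2>/dev/null)" || return 1
    user="${decoded%%:*}"
    # Reject a missing colon or a user name other than AWS.
    if [ "$user" != "AWS" ] || [ "$decoded" = "$user" ]; then
        return 1
    fi
    printf '%s' "${decoded#*:}"
}

# Fetch a token and log in, passing the password over stdin so it does not
# appear in the process list or shell history.
# Usage: ecr_login <region> <account-id>.dkr.ecr.<region>.amazonaws.com
ecr_login() {
    local region="$1" registry="$2" token password
    token="$(aws ecr get-authorization-token --region "$region" --output text \
        --query 'authorizationData[].authorizationToken')" || return 1
    password="$(ecr_password_from_token "$token")" || return 1
    printf '%s' "$password" |
        docker login --username AWS --password-stdin "$registry"
}

# Constructed sample token (base64 of "AWS:example-password"), not a real credential.
SAMPLE_TOKEN="$(printf '%s' 'AWS:example-password' | base64)"
```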
