ECR docker login issues with CLI v2

[mjsteinbaugh]

Hi, I'm having trouble getting ECR to authenticate using CLI v2.

aws_account_id="000000000000"
aws_region="us-east-1"
ecr_url="${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com"

First off, I'm having no issues using CLI v1.

# Using AWS CLI 1.
eval "$( \
    /usr/bin/aws ecr get-login \
        --no-include-email \
        --region "$aws_region" \
)"

WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

But I'm having trouble using the default recommended method for CLI v2.

# Using AWS CLI 2.
aws ecr get-login-password \
    | docker login \
        --password-stdin \
        --username AWS \
        "$ecr_url"

Error response from daemon: login attempt to
https://000000000000.dkr.ecr.us-east-1.amazonaws.com/v2/ failed with status:
400 Bad Request

This also isn't working, with the same error as above.

password="$(aws ecr get-login-password)"
docker login \
    --password "$password" \
    --username AWS \
    "$ecr_url"

I think there's some issue with the password encoding, because this alternate
approach currently works for me with CLI v2:

password="$( \
    aws ecr get-authorization-token \
        --region "${aws_region}" \
        --output text \
        --query 'authorizationData[].authorizationToken' \
        | base64 -d \
        | cut -d: -f2 \
)"
echo "$password" \
    | docker login \
        --password-stdin \
        --username AWS \
        "$ecr_url"

See also:
#2875

I didn't see any current issues related to this, so I figured a new one is appropriate:
https://github.com/aws/aws-cli/issues?utf8=%E2%9C%93&q=ecr+get-login-password+docker+login

Best,
Mike

[matthew-russo]

Hi Mike,

Thanks for bringing this issue to our attention.

Can you verify that the region you are getting the credential from is the same region that you are attempting to login to?
You can do this by changing your login command to:

aws --region ${aws_region} ecr get-login-password \
    | docker login \
        --password-stdin \
        --username AWS \
        "${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com"

If that doesn't resolve the issue can you provide the following information:

• What operating system are you using and its version?
• What shell you are using and its version?
• What version of Docker are you using?
• Enable Docker debug logs (https://docs.docker.com/config/daemon/) and grab the tail of the Docker daemon logs (https://docs.docker.com/config/daemon/#read-the-logs)

Thanks

[dougch]

The previous suggestion was successful:

echo $(aws ecr get-login-password)|docker login --password-stdin --username AWS ${aws_account).dkr.ecr.us-west-2.amazonaws.com

[james-gonzalez]

To login to your current account ECR:

docker login -u AWS -p $(aws ecr get-login-password) https://$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com

[schollii]

@james-gonzalez Just a note that using docker ... -p $(aws ecr get-login-password) ... is not as safe as aws ecr get-login-password | docker ... --password-stdin ... because there are ways the password can end up visible (say with set -x), whereas this is not the case if using pipe from stdout to stdin (eg there is no mode that shows the data piped from one proc to another).

@dougch echo $(aws ecr get-login-password) | ... is the same as aws ecr get-login-password | ... but is in fact more dangerous for same reason as my note above.

[mjsteinbaugh]

@matthew-russo Nice, adding aws --region "${aws_region}" fixes the issue for me.

[philvarner]

As an example for anyone else who has this issue, in my script, I had to change

eval $(aws ecr get-login --region us-west-2 --no-include-email)

to

aws --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin xxxxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com

without the eval.

[stelukutla]

With --region works fine. I think ECR documentation should change with region values as mandatory.

Documentation is after creating a repository in ECR and then click on click Push Commands

[rpnguyen]

For anyone having issues, check that you've passed the correct --region parameter to the get-login-password command. We've updated the get-login-password examples to be more clear about this.

With --region works fine. I think ECR documentation should change with region values as mandatory.

@stelukutla done!

[nik786]

k=aws ecr get-login
s=echo $k | sed 's/-e//' | sed 's/none//' | sed 's/docker//' | sed 's/login//' | sed 's/-u//' | sed 's/AWS//' | sed 's/-p//'

#echo $p

docker login -u AWS -p $s
:-)

[apinazo]

I had this 400 Bad Request error when I was following the steps in the official documentation to login to the ECR with Docker.

But what worked for me was this command:

aws ecr get-login-password \
    | docker login \
        --password-stdin \
        --username AWS \
        "${aws_account}.dkr.ecr.${aws_region}.amazonaws.com/${repository_name}"

Note:

• aws_account: is the Account field from the identity, not the UserId
• repository_name: it was necessary to add this, without it I get the 400 error

[lanlin]

this works for me:

aws ecr get-login-password --region xxx  # for original region specific
aws ecr get-login-password --profile xxx  # for named profile config 

now copy the password string & paste to replace the below xxx (you can pipe to login directly, this is only for that you want to generate the password and send to other people)

echo xxx | docker login --password-stdin -u AWS  https://xxx.dkr.ecr.xxx.amazonaws.com

Since CLI v2 the config file uses a different naming format than the CLI credentials file for named profiles, the config file include the prefix word "profile".

PS: include the prefix word "profile" only when configuring a named profile in the config file.
Do not use the word profile when creating an entry in the credentials file.

~/.aws/config

[default]
region=us-west-2
output=json

[profile user1]
region=us-east-1
output=text

~/.aws/credentials

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user1]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY

[explorer855]

Hi Frenz,
Below AWS CLI command also works like a charm. I have also provided the AWS CLI version information installed on my machine.

Login to AWS cloud repository

aws ecr get-login-password --region {{region-name}} | docker login --username AWS --password-stdin {{ecr-url}}

Verison

aws --version
aws-cli/2.0.5 Python/3.7.3 Linux/4.4.0-18362-Microsoft botocore/2.0.0dev9

Initially, I struggled a lot with my pre-existing "sh" scripts after updating/installing the latest version of AWS CLI. Then the above command helped me a lot.
Above issue nolonger exists

Newly added issues

I'm unable to run "aws ecs update-service --force-new-deployment --cluster {{cluster-name}} --service {{service-name}}" command after upgrading to "aws-cli/2.0.6 Python/3.7.5 Windows/10 botocore/2.0.0dev10".

[shamonshan]

I am still facing the issue
aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin <account>.dkr.ecr.eu-central-1.amazonaws.com/

[shane-valtech]

This is the command that worked for me:
aws ecr get-login --no-include-email --region us-east-1 | sh

[jeffminsungkim]

None of them work.

[rpnguyen]

It looks like the original author's issue has been resolved and we've also improved documentation to be more clear based on feedback from this thread.

If there are different problems with the command, please submit a new issue making sure to include debug logs and environment information. I've asked repo maintainers to lock this thread.