AWS_ECR_IGNORE_CREDS_STORAGE=true still raises "not implemented" for docker logins against ECR repos

[pmcevoy]

Seeing the 0.9 release with this enhancment:

Enhancement - Added support for environment variable AWS_ECR_IGNORE_CREDS_STORAGE=true to ignore ADD and DELETE requests. This makes tools that try to docker login work with registries managed the amazon-ecr-credential-helper.

I expected if I called "docker login" with ECR creds (as returned by Get-EcrLoginCommand) that this variable would swallow, but I'm still seeing "not implemented"

With the 0.9 helper installed, and the AWS_ECR_IGNORE_CREDS_STORAGE set as a system environment variable (I restarted Docker Desktop and even my machine to ensure this env var is in all processes):

> . "C:\Program Files\Docker\Docker\resources\bin\docker-credential-ecr-login.exe" -v
amazon-ecr-credential-helper
Version:    0.9.0
Git commit: bef5bd9384b752e5c645659165746d5af23a098a
...
> $env:AWS_ECR_IGNORE_CREDS_STORAGE
true

I then attempt a docker login:

$ecrLogin = Get-EcRLoginCommand
...
> docker login --username AWS --password $ecrLogin.Password  https://123456789.dkr.ecr.eu-west-1.amazonaws.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error saving credentials: error storing credentials - err: exit status 1, out: `not implemented`

My docker config.json is:

{
	"auths": {},
	"credsStore": "ecr-login",
	"currentContext": "mylinuxbox",
	"plugins": {
		"debug": {
			"hooks": "exec"
		},
		"scout": {
			"hooks": "pull,buildx build"
		}
	},
	"features": {
		"hooks": "true"
	}
}

Am I doing something wrong? Am I expecting the wrong behaviour from this new environment variable?

Sincerely
Pete

[swagatbora90]

Works fine on Linux:

% aws ecr get-login-password --region us-west-2 | finch login --username AWS --password-stdin <Account>.dkr.ecr.us-west-2.amazonaws.com
time="2025-01-21T10:35:31-08:00" level=fatal msg="error saving credentials: error storing credentials - err: exit status 1, out: `not implemented`"

% export AWS_ECR_IGNORE_CREDS_STORAGE=true
% aws ecr get-login-password --region us-west-2 | finch login --username AWS --password-stdin <Account>.dkr.ecr.us-west-2.amazonaws.com
Login Succeeded

This may be a Windows specific issue.

[pendo324]

Can you try running this command in a PowerShell? It will set the variable machine-wide.

[Environment]::SetEnvironmentVariable("AWS_ECR_IGNORE_CREDS_STORAGE", "true", "Machine")

You will likely have to re-open any console windows after running this (and maybe even restart docker).

[sondavidb]

Just wanted to confirm that @pendo324's solution worked when I tested it, if you can confirm this works for you @pmcevoy we can add this to our documentation and close the issue 🙂

[pmcevoy]

Hi ya,
Sorry for delay in replying - timezones etc. As my initial report says, I did set the variable as a system/machine environment var and indeed restarted my machine so that all processes would have the value

[sondavidb]

Hmm, that's definitely a little strange. Here's my setup, wondering if you can spot any notable differences, in case I missed something important when reproducing

PS C:\Users\Administrator> cat C:\Users\Administrator\.docker\config.json
{
        "auths": {},
        "credsStore": "ecr-login",
        "currentContext": "desktop-linux",
        "plugins": {
                "debug": {
                        "hooks": "exec"
                },
                "scout": {
                        "hooks": "pull,buildx build"
                }
        }
}
PS C:\Users\Administrator> docker login -u AWS -p $password 123456789012.dkr.ecr.us-west-2.amazonaws.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

Also just as a sanity check might want to see if you have docker-credential-ecr-login.exe installed in multiple places. Based on your initial report it does seem like it's in the right place but there's a nonzero chance that it's somehow using another one. (Though, I'm not sure how Docker decides which credential helper to use to begin with — I assume it invokes the CLI and thus relies on the Path variable to find the binary.)