Can't push image to Amazon ECR - fails with “no basic auth credentials”

Question

I\'m trying to push a docker image to an Amazon ECR registry. I\'m using docker client Docker version 1.9.1, build a34a1d5. I use aws ecr get-login --regi

Answer 1

Try with:

eval $(aws ecr get-login --no-include-email | sed 's|https://||')

before push.

Answer 2

The docker command given by aws-cli is little off...

When using docker login, docker will save a server:key pair either in your keychain or ~/.docker/config.json file

If it saves the key under https://7272727.dkr.ecr.us-east-1.amazonaws.com the lookup for the key during push will fail because docker will be looking for a server named 7272727.dkr.ecr.us-east-1.amazonaws.com not https://7272727.dkr.ecr.us-east-1.amazonaws.com.

Use the following command to login:

eval $(aws ecr get-login --no-include-email --region us-east-1 --profile yourprofile | sed 's|https://||')

Once you run the command you will get 'Login Succeeded' message and then you are good
after that your push command should work

Answer 3

I had this issue as well. What happened with me was I forgot to run the command that was returned to me after I ran

aws ecr get-login --region ap-southeast-2

This command returned a big blob, which includes the docker login command right there! I didn't realise. It should return something like this:

docker login -u AWS -p <your_token_which_is_massive> -e none <your_aws_url>

Copy and paste this command & then run your docker push command which looks something like this:

docker push 8888888.blah.blah.ap-southwest-1.amazonaws.com/dockerfilename

Answer 4

Make sure you use the correct region in aws ecr get-login, it must match the region in which your repository is created.

Answer 5

For Mac OSX

TL;DR Make sure your "auths" key matches your credential store key exactly

• Check your docker config:

cat ~/.docker/config.json

Sample Result:

{
    "auths": {
        "https://55511155511.dkr.ecr.us-east-1.amazonaws.com": {}
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/19.03.5 (darwin)"
    },
    "credsStore": "osxkeychain"
}

Notice that the "auths" value is an empty object and docker is using a credential store "osxkeychain".

• Open Mac's "Keychain Access" app and find the name "Docker Credentials"

Notice the Where: field

• Make sure the auths key in ~/.docker/config.json matches the Where: field in Keychain Access.

If the auths key in ~/.docker/config.json does NOT match they Where: field in the keychain, you may get a Login Succeeded from docker login... but still get ERROR: Service 'web' failed to build: Get https://55511155511.dkr.ecr.us-east-1.amazonaws.com/v2/path/to/image/latest: no basic auth credentials when you try to pull.

In my case, I needed to add https://

Original

    "auths": {
        "55511155511.dkr.ecr.us-east-1.amazonaws.com": {}
    },

Fixed

    "auths": {
        "https://55511155511.dkr.ecr.us-east-1.amazonaws.com": {}
    },

Answer 6

I had this issue with a different cause: I needed to push to a registry not associated with my AWS Account (a client's ECR registry). The client had granted me access under the Permissions tab for the registry, by adding my IAM id (e.g., arn:aws:iam::{AWS ACCT #}:user/{Username}) as a Principal. I tried to login with the usual steps:

$(aws ecr get-login --region us-west-2 --profile profilename)
docker push {Client AWS ACCT #}.dkr.ecr.us-west-1.amazonaws.com/imagename:latest

Which of course resulted in no basic auth credentials. As it turns out, aws ecr get-login logs you in to the ECR for the registry associated your login, which makes sense in retrospect. The solution is to tell aws ecr get-login which registry(s) you want to log in to.

$(aws ecr get-login --region us-west-2 --profile profilename --registry-ids {Client AWS ACCT #})

After that, docker push works just fine.