Can't push image to Amazon ECR - fails with “no basic auth credentials”

Question

I\'m trying to push a docker image to an Amazon ECR registry. I\'m using docker client Docker version 1.9.1, build a34a1d5. I use aws ecr get-login --regi

Answer 1

There's a known bug in the wincred credential manager on Windows. Removing 'https://' from the generated login command solves this.

docker login -u AWS -p <password> <aws_account_id>.dkr.ecr.<region>.amazonaws.com

instead of

docker login -u AWS -p <password> https://<aws_account_id>.dkr.ecr.<region>.amazonaws.com

See also the troubleshooting page.

Answer 2

I faced the same issue and the mistake I did was using the wrong repo path

eg: docker push xxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/jenkins:latest

In the above path this is where I've done the mistake: In "dkr.ecr.us-east-1.amazonaws.com" instead of "west". I was using "east". Once I corrected my mistake, I was able to push the image successfully.

Answer 3

This should have worked even without opening up the permissions. See the documentation: Private Registry Authentication.

[Edit: actually, I had permissions problems too when doing a second test. See Docker push to AWS ECR private repo failing with malformed JSON).]

Nevertheless I had the same problem; I don't know why, but I successfully used the more long-winded auth mechanism described in the docs for get-authorization-token

AWS CLI and Docker versions:

$ aws --version
aws-cli/1.9.17 Python/2.7.6 Linux/3.16.0-38-generic botocore/1.3.17
$ docker --version
Docker version 1.9.1, build a34a1d5

Get the auth token ('docker password').

aws ecr get-authorization-token --region us-east-1 --output text \
    --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2

Note: My ~/.aws/config specifies a different default region, so I needed to explicitly set --region us-east-1.

Log in interactively (change ############ to your AWS account id):

docker login -u AWS https://############.dkr.ecr.us-east-1.amazonaws.com/
password: <paste the very long password from above>
email: <I left this blank>

Push an image (assuming you've made a docker image test):

docker tag test:latest ############.dkr.ecr.us-east-1.amazonaws.com/test:latest
docker push ############.dkr.ecr.us-east-1.amazonaws.com/test:latest
The push refers to a repository [910732017890.dkr.ecr.us-east-1.amazonaws.com/test] (len: 1)
d5122f58a2e1: Pushed 
7bddbca3b908: Pushed 
latest: digest: sha256:bc0b521fd398bd1a2ef58a289dcb910334608723fd570e7bddb36eacd0060363 size: 4378

Answer 4

There has just been an update where get-login was removed from AWS, instead use get-login-password:

sudo docker login -u AWS -p $(aws ecr get-login-password --region <region> - 
-profile <profile>) <account id>.dkr.ecr.eu-north-1.amazonaws.com 

Dont forget to remove the --profile flag if using default credentials

Answer 5

My issue was having multiple AWS credentials; default and dev. Since I was trying to deploy to dev this worked:

$(aws ecr get-login --no-include-email --region eu-west-1 --profile dev | sed 's|https://||')

Answer 6

we also encounter this issue today and tried everything mentionned in this post (except generating AWS credentials).

We finally solved the problem by simply upgrading Docker, then the push worked.

The problem was encountered with Docker 1.10.x and was solved with Docker 1.11.x.

Hope this helps