I'm trying to push a Docker image from Dockerfile built to AWS ECR but when run this command:
$ aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 477629773586.dkr.ecr.eu-west-1.amazonaws.com
appears the error:
An error occurred (AccessDeniedException) when calling the
GetAuthorizationToken operation: User:
arn:aws:iam::477629773586:user/albertosanmartin is not authorized to
perform: ecr:GetAuthorizationToken on resource: * Error: Cannot
perform an interactive login from a non TTY device
I have installed and configured those files:
~/.aws/configure:
[default]
...
[mrthink]
region = eu-west-1
output = json
~/.aws/credentials
[default]
...
[mrthink]
aws_access_key_id = ****
aws_secret_access_key = ****
Seems to the command api get other user "albertosanmartin"
Anybody could help me please ?
Thanks in advance.
If you have your credentials configured under mrthink profile name in ~/.aws/credentials you need to pass the --profile param to the aws cli
$ aws --profile mrthink ecr get-login-password \
--region eu-west-1 |\
docker login --username AWS \
--password-stdin 477629773586.dkr.ecr.eu-west-1.amazonaws.com
The user arn:aws:iam::477629773586:user/albertosanmartin doesnt have access to ECR
You can double-check your credentials via sts get-caller-identity call if they are which you want to use.
Related
I have two AWS profiles associated with different accounts configured on my machine as shown below.
[profile staging]
sso_start_url = https://xxxxxxxxxx.awsapps.com/start
sso_region = us-west-2
sso_account_id = xxxxxxxxxxxxx
sso_role_name = staging
region = us-west-2
output = json
[profile dev]
region = us-east-1
output = json
I am looking to pull a docker image from ECR which is present in account (A) corresponding to the staging profile
However, when I am trying to pull the image it is trying with my dev profile which doesn't have access to the repo in account (A)
Following are the commands
aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.eu-west-2.amazonaws.com
Login Succeeded
docker pull xxxxxxxxxxxx.dkr.ecr.eu-west-2.amazonaws.com/sample-image:latest
Getting access denied error for "arn:aws:iam::XXXXXXXXXXXXX:user\iam-user" which is associated to my dev profile
Please suggest what could be the issue.
As mentioned by jordanm in the comments above, answer is to use --profile option while using the command as shown below
aws ecr get-login-password --region eu-west-2 --profile=staging | docker login --username AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.eu-west-2.amazonaws.com
In the beginning, this command worked. But, now it is not working.
aws configure
aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com
output is:
An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid
Error: Cannot perform an interactive login from a non TTY device
aws cli version is:
aws --version
aws-cli/2.2.41 Python/3.8.8 Linux/4.15.0-101-generic exe/x86_64.linuxmint.19 prompt/off
When I use different computer with same access-key and secret-key, following command works:
aws configure
aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com
output was:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
So, I think access-key and secret-key are fine. And, there is something wrong with aws-cli configuration. I have also tried reinstalling aws-cli but no success.
Source I used to reinstall aws-cli:
reinstall aws-cli
OS in which it's not working: Linux Mint 19
OS in which it worked: Ubuntu 20.04
I was running aws ecr command in root user which was not giving proper error message.
When I run aws ecr command in public user, then it gave a proper error message, i.e., Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock; So, I changed the permission of this file docker.sock from user root to public user and group docker to docker using command:
chown myPublicUser:docker /var/run/docker.sock
Now, run aws ecr using public user, it should work.
Good morning/afternoon/night!
Can you help me, please?
I'm working with RHEL 8.2 and this version doesn't support Docker. I installled Podman and everything was ok until I use the following command:
$(aws ecr get-login --no-include-email --region us-east-1)
But, it doesn't work because it's from Docker (I thought it was from AWS Cli).
The error is:
# $(aws ecr get-login --no-include-email --region us-east-1)
-bash: docker: command not found
I've been searching for an answer and some people used a command like this:
podman login -u AWS -p ....
But I tried some flags and the image, but nothing is working!
What is the equivalent command for podman?
Thanks!
The above command is not associated to docker alone.
It is an AWS cli command to authenticate into the private container image registry(ECR).
Run the below command to get the password for container registry
aws ecr get-login-password --region us-east-1
Then use the password against the below command
podman login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com
This is how the password from aws ecr is piped to podman using AWS CLI. BTW, the username AWS is hardwired and so never needs to be changed:
$ aws ecr get-login-password --region us-east-1 | \
podman login \
--username AWS \
--password-stdin \
<aws_account_id>.dkr.ecr.<region>.amazonaws.com
Podman will use the IAM credentials for the dev profile in ~/.aws/credentials to log into that AWS account:
[default]
aws_access_key_id = ********************
aws_secret_access_key = ****************************************
region = us-east-1
[dev]
aws_access_key_id = ********************
aws_secret_access_key = ****************************************
region = us-east-1
This is how real values can be looked up for profile dev:
$ export AWS_PROFILE=dev
$ AWS_ACCOUNT="$( aws sts get-caller-identity \
--query Account \
--output text
)"
$ AWS_REGION="$( aws configure get region )"
$ aws ecr get-login-password \
--region $AWS_REGION | \
podman login \
--password-stdin \
--username AWS \
$AWS_ACCOUNT.dkr.ecr.$AWS_REGION.amazonaws.com
The above is from my blog post on the subject.
I am getting following error when given following command.
aws ecr get-login --region eu-central-1
Error
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::314xxxx91079:user/git is not authorized to perform: ecr:GetAuthorizationToken on resource: *
My admin has given me access for this 'GetAuthorizationToken' resource.
Most probably what I think the problem is 'arn:aws:iam::314xxxx91079:user/git' user being used for this command. When I login into aws console, I see my user name (IAM) as follow.
amit#iproxxx.com
How do I make 'get-login' to take this user name instead of user/git. I am very new to aws cli, and this command happens to be one of the build step.
For newer version just use
aws ecr get-login-password \
--region us-east-1 | docker login \
--username AWS \
--password-stdin <account-id>.dkr.ecr.us-east-1.amazonaws.com
The AWS cli command looks good and the output should be similar to below
Sample output:
docker login -u AWS -p password https://aws_account_id.dkr.ecr.eu-central-1.amazonaws.com
Please check if you have correctly set the AWS credentials for cli to use.
If not done, try below to configure the credentials
aws configure
AWS Access Key ID [None]: Access Key
AWS Secret Access Key [None]: Secret Key
Default region name [None]: eu-central-1
Default output format [None]: json
Note : This should be your default profile, else pass profile name as well for ecr get-login command
aws ecr get-login --region eu-central-1 --profile <profile name>
Hope this helps !!!
With newer versions of AWS CLI, we can request the password for ECR docker login with get-login-password and pipe the password to Docker login, something like:
aws ecr get-login-password \
--region us-east-1 \
| docker login \
--username AWS \
--password-stdin 123456789101.dkr.ecr.us-east-1.amazonaws.com
Documentation: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/get-login-password.html
with CLI V2, following syntax is going to throw error:
$(aws ecr get-login --no-include-email --region us-east-1)
aws ecr get-login --no-include-email --region us-east-1
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument operation: Invalid choice, valid choices are:
Please find below the step that push the local docker image to AWS ECR
we can get login succeeded:
C:>aws ecr get-login-password --no-verify
We will get the password.Please find below the password column
C:\docker login --username AWS --password eyJwYXlsb2Fk...kRBVEFfS0VZIn0= https://123456789012.dkr.ecr.us-east-1.amazonaws.com
docker tag user-mysql account_id.dkr.ecr.us-east-1.amazonaws.com/dockerregistry
Push the image on ECR : C:\docker push account_id.dkr.ecr.us-east-1.amazonaws.com/dockerregistry
Username : AWS
Password : eyJwYXlsb2Fk...kRBVEFfS0VZIn0=
ProxyEndpoint : https://123456789012.dkr.ecr.us-west-2.amazonaws.com
Endpoint : https://123456789012.dkr.ecr.us-west-2.amazonaws.com
ExpiresAt : 9/26/2017 6:08:23 AM
Command : docker login --username AWS --password eyJwYXlsb2Fk...kRBVEFfS0VZIn0= https://123456789012.dkr.ecr.us-west-2.amazonaws.com
Adding this for anyone who needs to configure docker properly on Linux before trying to log into the ECR.
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
And then...
aws ecr get-login-password \
--region <region> | docker login \
--username AWS \
--password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com
I don't think anyone mentioned this but you could also run into this error if you don't have the right permissions set on your IAM user/role.
Specifically, you need to allow the ecr:GetAuthorizationToken action on resource * (since you can't limit this action on a specific resource yet).
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
}
With this permission granted, you can run either the command:
aws ecr get-login-password --region <region>
Or:
aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' --region <region>
More info:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html
Not able to login to AWS ECR Repository through docker login command.
Using command -
docker login REPO_URL
After I enter username and password the result is 401 Unauthorized.
What could be the issue ?
You need to first request for the authorization token from ECR using AWS CLI and then extract the password from it and then, call docker login command.
Refer - https://docs.aws.amazon.com/cli/latest/reference/ecr/get-authorization-token.html
In my case this worked:
aws ecr get-login-password
--region
| docker login
--username AWS
--password-stdin <aws_account_id>.dkr.ecr..amazonaws.com
it was on page
https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html
Do this to login: $(aws ecr get-login --no-include-email --region us-east-1)
This worked for me:
aws ecr get-login-password \
--region MYREGION \
| docker login \
--username AWS \
--password-stdin ACCOUNTID.dkr.ecr.MYREGION.amazonaws.com
Copy paste it in the terminal and replace the placeholders (MYREGION and ACCOUNTID)