How to pull AWS Lambda container image - amazon-web-services

I'm trying to run a Docker container on AWS Lambda.
Specifically, I'm following this official tutorial.
I have the following Dockerfile:
FROM public.ecr.aws/lambda/nodejs:12
COPY app app.js package.json /var/task/
RUN npm install
CMD [ "app.handler" ]
But, when I try to build this I get the following error:
docker build -t hello-world .
Sending build context to Docker daemon 4.608kB
Step 1/4 : FROM public.ecr.aws/lambda/nodejs:12
pull access denied for public.ecr.aws/lambda/nodejs, repository does not exist or may require 'docker login': denied: Your authorization token has expired. Reauthenticate and try again.
When I log in with the docker login command I still get the same error.
Does anyone know how to resolve this?

Works fine here. You shouldn't need credentials for Public ECR (you can use auth for specific cases) but if you just want to consume it, remove the existing credentials:
docker logout public.ecr.aws
and then try the build again.
That said, if you still want to make use of the authentication, you need to re-auth as described in the doc:
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws

Related

Error when logging into ECR with Docker login: "Error saving credentials... not implemented"

I'm trying to log in to AWS ECR with the Docker login command. I can get a password with the AWS CLI with the command aws ecr get-login-password but when piping this into the docker login command I get the following error:
Error saving credentials: error storing credentials - err: exit status 1, out: `not implemented`
The command I am running is the one recommended in the AWS ECR documentation:
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin account_id_redacted.dkr.ecr.us-east-1.amazonaws.com/blog-project
I'm running the latest version of AWS CLI as of this question, 2.0.57.
I'm running Docker version 2.4.0 on macOS 10.14.6
Has anyone else run into this issue, and if so have they found a solution?
I've definitely achieved this in the past, but I wonder if there is an issue between the latest versions of Docker and the AWS CLI...
I'm not 100% sure what the issue was here, but it was something to do with the Docker credentials helper.
I installed the Docker credentials helper for macOS, changed the credsStore parameter in ~/.docker/config.json to osxkeychain. That fixed the issues.
I had a similar issue; it seems my ~/.docker/config.json was totally messed up after working with multiple repos / hubs.
So I just wiped out all the content in this file, leaving it empty, and reran aws ecr get-login-password | docker login ... which automatically populated the config with appropriate values.
I had this issue on macOS from
.docker/config.json
remove
"credsStore" : "ecr-login"
This resolved the issue for me
If anybody has the same problem on Windows, go to the C:\Users folder and, in the .docker folder, remove the config.json file.
It might fix your problem.
I believe this is the intended result (sorta). The point of using amazon-ecr-credential-helper is to not need to use docker login. You should instead configure the AWS CLI with your profile credentials (mine: myprofile). Then, you would just need to slightly modify your scripts.
For example, in ECR the AWS given steps to upload a docker image are:
1. Retrieve an authentication token and authenticate your Docker client to your registry. Use the AWS CLI:
aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin XXXXXXXXX.dkr.ecr.us-east-2.amazonaws.com
Note: If you receive an error using the AWS CLI, make sure that you have the latest version of the AWS CLI and Docker installed.
2. Build your Docker image using the following command. For information on building a Docker file from scratch see the instructions here. You can skip this step if your image is already built:
docker build -t toy_project .
3. After the build completes, tag your image so you can push the image to this repository:
docker tag toy_project:latest XXXXXXXXX.dkr.ecr.us-east-2.amazonaws.com/toy_project:latest
4. Run the following command to push this image to your newly created AWS repository:
docker push XXXXXXXXX.dkr.ecr.us-east-2.amazonaws.com/toy_project:latest
However, you would want to skip step 1. The reason is that if you configured aws cli (i.e. aws configure --profile myprofile) then your credentials will be stored. So you can skip to step 2.
On the 4th step, you simply need to add AWS_PROFILE, just like below
AWS_PROFILE=myprofile docker push XXXXXXXXX.dkr.ecr.us-east-2.amazonaws.com/toy_project:latest
With amazon-ecr-credential-helper, you no longer need to use docker login or worry about storing credentials, that is the point of amazon-ecr-credential-helper. However, this may not be the best solution for you if you need to actively use docker login in your scripts.
Note: my ~/.docker/config.json looks like
{
"credsStore": "ecr-login"
}
I was getting the same error while running this command on MacOS.
Error possibly occurred because that particular location didn't have the appropriate permissions for users read/write/execute.
Also while I was doing
% docker ps
It was giving an error as: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
What I did:
% sudo chmod 777 /var/run/docker.sock
This gave all the required permissions to that location.
Hope it would help!

How to refresh AWS authentication token for EKS cluster

I am authenticating via the following
First I authenticate into AWS via the following
aws ecr get-login-password --region cn-north-1 | docker login --username AWS --password-stdin xxxxxxxxxx.dkr.ecr.cn-north-1.amazonaws.com.cn
Then I created the regcred file that I reference in my deployment config
kubectl create secret generic regcred --from-file=.dockerconfigjson=/home/noobskie/.docker/config.json --type=kubernetes.io/dockerconfigjson
So this was working fine the first 12 hours but now that the AWS token has expired I am having trouble figuring out how to properly refresh it. I have rerun the first command but it doesn't work.
the error I get is
Error response from daemon: pull access denied for xxxxxxxxxxx.dkr.ecr.cn-north-1.amazonaws.com.cn/baopals, repository does not exist or may require 'docker login': denied: Your authorization token has expired. Reauthenticate and try again.
EDIT
I have just discovered that I can just reconfigure with the following command but I am curious if this is the correct way to handle it and if there are any other AWS ways offered.
kubectl create secret generic regcred --from-file=.dockerconfigjson=/home/noobskie/.docker/config.json --dry-run -o yaml | kubectl apply -f -
Use the following command to generate a token if aws-cli and aws-iam-authenticator are installed and configured:
aws-iam-authenticator token -i <cluster name>
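
An added example, not code from any of the posts above: a Python check that reads a Docker config.json the way these threads do by hand. It reports where the Docker CLI would take credentials for a registry and flags the two failure modes seen here: `docker login` against the `ecr-login` helper, and a `regcred` secret built from a config file that holds no inline auth. The registry name, token and finding codes are constructed for illustration.

```python
import base64

def credential_source(config, registry):
    """Where the Docker CLI looks for this registry's credentials.

    Order: per-registry credHelpers entry, then the global credsStore,
    then an inline base64 "user:password" entry under auths.
    """
    helper = config.get("credHelpers", {}).get(registry) or config.get("credsStore")
    if helper:
        return {"source": "helper", "helper": helper}
    auth = config.get("auths", {}).get(registry, {}).get("auth")
    if auth:
        # Decode only the user name; the password half is never returned.
        user = base64.b64decode(auth).decode().split(":", 1)[0]
        return {"source": "inline", "user": user}
    return {"source": "none"}

def diagnose(config, registry):
    """Return finding codes (names made up here) for the cases in the threads."""
    src = credential_source(config, registry)
    findings = []
    if src.get("helper") == "ecr-login":
        # The ECR helper only fetches tokens; it has no store operation,
        # so `docker login` ends in "not implemented".
        findings.append("LOGIN_NOT_SUPPORTED_BY_HELPER")
    if src["source"] == "inline":
        # The token sits base64-encoded (not encrypted) in the file and,
        # for ECR, stops working after 12 hours.
        findings.append("PLAINTEXT_TOKEN_IN_FILE")
    else:
        # A dockerconfigjson secret built from this file has no usable auth.
        findings.append("NO_INLINE_AUTH_FOR_PULL_SECRET")
    return findings

# Constructed sample configs; registry name and token are placeholders.
REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
TOKEN = base64.b64encode(b"AWS:constructed-token").decode()
ECR_HELPER = {"credsStore": "ecr-login"}
KEYCHAIN = {"credsStore": "osxkeychain", "auths": {REGISTRY: {}}}
INLINE = {"auths": {REGISTRY: {"auth": TOKEN}}}

if __name__ == "__main__":
    for name, cfg in [("ecr-login", ECR_HELPER), ("osxkeychain", KEYCHAIN), ("inline", INLINE)]:
        print(name, credential_source(cfg, REGISTRY), diagnose(cfg, REGISTRY))
```

Run against a real file by loading it with `json.load` and passing the registry host exactly as it appears in the image name.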

Issue with Docker Login with AWS ECR

I'm following an AWS tutorial to deploy a simple application using containers on AWS. I'm trying to connect to AWS's ECR using docker and I get a warning message which doesn't allow me to log in.
I'm brand new to the world of docker, containers and AWS. I was going through AWS tutorials to deploy a simple nodejs application using docker containers into AWS per the following instructions:
https://aws.amazon.com/getting-started/projects/break-monolith-app-microservices-ecs-docker-ec2/module-one/
Per instructions, I've installed docker and the AWS CLI, and created an AWS ECR for docker to access. I've basically got to the following step:
Step 4 Build and Push the docker image - Point 2 - getting login
As per point 2, I copy-pasted the login details (docker login -u AWS -p ) and ran it, and I got the following warning message, which isn't allowing me to log in or push the docker image to ECR. I tried to research online a lot on what to change. There are lots of articles mentioning the issue but no clear direction as to what exactly to do. I'm not exactly sure where in the command I should use --password-stdin. I've also tried what was provided in the following link, "Docker: Using --password via the CLI is insecure. Use --password-stdin", but that didn't work either.
Expected result:
Login succeeded
Actual result:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
The warning is fine. Have you verified whether the docker push/pull is working?

Unable to update the docker image. Error : repository does not exist or may require 'docker login''

I have deployed Watchtower, which automatically updates running Docker containers inside Docker Swarm.
I run this Docker Swarm on two AWS EC2 servers and use AWS ECR as the Docker registry.
To avoid aws ecr get-login, I have used the Amazon ECR Docker Credential Helper, which automatically gets credentials for Amazon ECR on docker push/docker pull, so there is no need to log in every 12 hours.
The problem is that Watchtower is throwing an error like:
time="2019-03-12T03:41:10Z" level=info msg="Unable to update container /crmproxy.1.wop3c1u2qktbkab8rukrlrgr6, err='Error response from daemon: pull access denied for 00000000000.dkr..amazonaws.com/crm, repository does not exist or may require 'docker login''. Proceeding to next."
I am sure that it is not about login to ECR. I have correctly linked credentials into the Watchtower container using the docker-compose.yml file.
Here is the Watchtower configuration in the docker-compose.yml file:
watchtower:
  image: v2tec/watchtower
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - ~/.docker/config.json:/config.json
  command: --interval 30
In my research about this issue, I saw that others have the same problem as me, and there is a person who fixed it himself, but I don't understand it.
This is what I found: solution that is unclear
I don't know exactly whether this answer is correct or not, but he said:
The problem was that I installed docker as root. Now installed with
the ec2-user of the Amazon Linux AMI and working
Please help me to avoid this problem that I'm facing. I tried so many times.
Any help would be an advantage to me.
There's an additional dot in your image url. Might that be the reason for your issue?
00000000000.dkr..amazonaws.com/crm
                ^
Also, you may just add the ec2-user to the docker group to let it execute docker commands as well: sudo usermod -aG docker ec2-user. No need to reinstall.

Getting sagemaker container locally

When I try to run SageMaker locally for TensorFlow in script mode, it seems like I cannot pull the docker container. I have run the code below from a SageMaker notebook instance and everything ran fine. But when running it on my machine it doesn't work.
How can I download the container, so I can debug things locally?
import os
import sagemaker
from sagemaker.tensorflow import TensorFlow
hyperparameters = {}
role = 'arn:aws:iam::xxxxxxxx:role/yyyyyyy'
estimator = TensorFlow(
    entry_point='train.py',
    source_dir='.',
    train_instance_type='local',
    train_instance_count=1,
    hyperparameters=hyperparameters,
    role=role,
    py_version='py3',
    framework_version='1.12.0',
    script_mode=True)
estimator.fit()
I get this output
INFO:sagemaker:Creating training-job with name: sagemaker-tensorflow-scriptmode-2019-01-28-18-51-57-787
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: pull access denied for 520713654638.dkr.ecr.eu-west-2.amazonaws.com/sagemaker-tensorflow-scriptmode, repository does not exist or may require 'docker login'
subprocess.CalledProcessError: Command 'docker pull 520713654638.dkr.ecr.eu-west-2.amazonaws.com/sagemaker-tensorflow-scriptmode:1.12.0-cpu-py3' returned non-zero exit status 1.
The warning looks like the output you get when using the docker login stuff here. If I follow these steps to register to the directory with tensorflow container it says login success
Invoke-Expression -Command (aws ecr get-login --no-include-email --registry-ids 520713654638 --region eu-west-2)
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
But then I still cannot pull it
docker pull 520713654638.dkr.ecr.eu-west-2.amazonaws.com/sagemaker-tensorflow-scriptmode:1.11.0-cpu-py3
Error response from daemon: pull access denied for 520713654638.dkr.ecr.eu-west-2.amazonaws.com/sagemaker-tensorflow-scriptmode, repository does not exist or may require 'docker login'
The same sequence works for me locally: 'aws ecr get-login', 'docker login', 'docker pull'.
Does your local IAM user have sufficient credentials to pull from ECR? The 'AmazonEC2ContainerRegistryReadOnly' policy should be enough: https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html
Alternatively, you can grab the container from Github and build it: https://github.com/aws/sagemaker-tensorflow-container