AWS ECR Login with podman - amazon-web-services

Good morning/afternoon/night!
Can you help me, please?
I'm working with RHEL 8.2 and this version doesn't support Docker. I installed Podman and everything was OK until I used the following command:
$(aws ecr get-login --no-include-email --region us-east-1)
But it doesn't work because it's from Docker (I thought it was from the AWS CLI).
The error is:
# $(aws ecr get-login --no-include-email --region us-east-1)
-bash: docker: command not found
I've been searching for an answer and some people used a command like this:
podman login -u AWS -p ....
But I tried some flags and the image, but nothing is working!
What is the equivalent command for podman?
Thanks!

The above command is not associated with Docker alone.
It is an AWS CLI command to authenticate to the private container image registry (ECR).
Run the command below to get the password for the container registry:
aws ecr get-login-password --region us-east-1
Then use the password with the command below:
podman login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com

This is how the password from aws ecr is piped to podman using AWS CLI. BTW, the username AWS is hardwired and so never needs to be changed:
$ aws ecr get-login-password --region us-east-1 | \
podman login \
--username AWS \
--password-stdin \
<aws_account_id>.dkr.ecr.<region>.amazonaws.com
Podman will use the IAM credentials for the dev profile in ~/.aws/credentials to log into that AWS account:
[default]
aws_access_key_id = ********************
aws_secret_access_key = ****************************************
region = us-east-1
[dev]
aws_access_key_id = ********************
aws_secret_access_key = ****************************************
region = us-east-1
This is how real values can be looked up for profile dev:
$ export AWS_PROFILE=dev
$ AWS_ACCOUNT="$( aws sts get-caller-identity \
--query Account \
--output text
)"
$ AWS_REGION="$( aws configure get region )"
$ aws ecr get-login-password \
--region $AWS_REGION | \
podman login \
--password-stdin \
--username AWS \
$AWS_ACCOUNT.dkr.ecr.$AWS_REGION.amazonaws.com
The above is from my blog post on the subject.

Related

Jenkins hiding output from aws ecr get-login-password

Hi, I'm trying to prevent aws ecr get-login-password from printing to the Jenkins log. I'm currently doing:
sh """
aws ecr get-login-password \
--region <region> \
| skopeo login \
--username AWS \
--password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com
"""
The problem with this is that it prints the output from aws ecr get-login-password into the Jenkins log
log example:
aws ecr get-login-password --region us-west-1
+ skopeo login --username us-aws-user --password
password is printed here
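
An added example (not part of the original question and not code from any of the posters): a POSIX shell helper for the login step above. Shell tracing (set -x, which Jenkins enables for sh steps by default) echoes each command with its expanded arguments, so a token passed as --password <value> or held in a traced variable lands in the build log, while one sent on stdin does not. The names ecr_registry_host, ecr_login and LOGIN_TOOL are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not code from the posts above. ecr_registry_host, ecr_login
# and LOGIN_TOOL are names made up for this sketch.

# Print <account>.dkr.ecr.<region>.amazonaws.com, or fail if the account is not
# 12 digits or the region contains anything but lowercase letters, digits, '-'.
ecr_registry_host() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -eq 12 ] || return 1
    case $2 in ''|*[!a-z0-9-]*) return 1 ;; esac
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Usage: ecr_login <account-id> <region>
# The body is a subshell, so "set +x" silences tracing here only and the
# caller's (Jenkins') tracing resumes when the function returns.
ecr_login() (
    set +x
    host=$(ecr_registry_host "$1" "$2") || {
        echo "ecr_login: invalid account ID or region" >&2
        exit 2
    }
    # Fetch the token first: if the AWS call fails (wrong profile, missing
    # ecr:GetAuthorizationToken), stop here rather than feed empty stdin
    # to the login tool.
    token=$(aws ecr get-login-password --region "$2") && [ -n "$token" ] || {
        echo "ecr_login: could not obtain an ECR token" >&2
        exit 3
    }
    # printf is a builtin in bash and dash, so the token never becomes an
    # argument of an external process; it reaches the login tool on stdin only.
    printf '%s\n' "$token" | "${LOGIN_TOOL:-podman}" login \
        --username AWS --password-stdin "$host"
)
```

Set LOGIN_TOOL=skopeo or LOGIN_TOOL=docker to use a different client; exit status 3 distinguishes a failed AWS call from a rejected login.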

I can't push Docker image to AWS ECR

I'm trying to push a Docker image built from a Dockerfile to AWS ECR, but when I run this command:
$ aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 477629773586.dkr.ecr.eu-west-1.amazonaws.com
the following error appears:
An error occurred (AccessDeniedException) when calling the
GetAuthorizationToken operation: User:
arn:aws:iam::477629773586:user/albertosanmartin is not authorized to
perform: ecr:GetAuthorizationToken on resource: * Error: Cannot
perform an interactive login from a non TTY device
I have installed and configured those files:
~/.aws/configure:
[default]
...
[mrthink]
region = eu-west-1
output = json
~/.aws/credentials
[default]
...
[mrthink]
aws_access_key_id = ****
aws_secret_access_key = ****
It seems the API command gets another user, "albertosanmartin".
Could anybody help me, please?
Thanks in advance.

If you have your credentials configured under the mrthink profile name in ~/.aws/credentials, you need to pass the --profile parameter to the AWS CLI:
$ aws --profile mrthink ecr get-login-password \
--region eu-west-1 |\
docker login --username AWS \
--password-stdin 477629773586.dkr.ecr.eu-west-1.amazonaws.com
The user arn:aws:iam::477629773586:user/albertosanmartin doesn't have access to ECR.
You can double-check via an sts get-caller-identity call whether your credentials are the ones you want to use.

Pulling image from Amazon ECR from Bitbucket Pipelines

I'm trying to pull a Docker image from a private Amazon Docker repository (ECR) from Bitbucket Pipelines.
I'm doing the following:
script:
- aws ecr get-login --registry-ids $AWS_ID --no-include-email --region $AWS_REGION
- docker run -d -p 9092:9092 --name=kapi $AWS_ID.dkr.ecr.$AWS_REGION.amazonaws.com/company/kapi:1.0
The error I see on Pipelines:
docker: Error response from daemon: Get https://$AWS_ID.dkr.ecr.$AWS_REGION.amazonaws.com/v2/company/kapi/manifests/1.0: no basic auth credentials.
Well, the error seems pretty clear:
no basic auth credentials
aws ecr get-login returns a command to execute in order to log in. I don't know which platform you use, but if you're using Linux,
try executing the command returned by AWS:
$(aws ecr get-login --registry-ids $AWS_ID --no-include-email --region $AWS_REGION)
You should receive a message from Docker that you are successfully logged in:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded
Debug
You can still debug if it's still not working by running the command manually:
aws ecr get-login --registry-ids $AWS_ID --no-include-email --region $AWS_REGION
It should return something like:
docker login -u AWS -p ALongText https://ID.dkr.ecr.REGION.amazonaws.com
The aws ecr get-login command generates a docker login command. Unless you eval it, it won't actually log you in to the registry. This should work provided your AWS_ACCESS_ID and AWS_ACCESS_SECRET are correct:
eval $(aws ecr get-login --registry-ids $AWS_ID --no-include-email --region $AWS_REGION)
Your script step should look like:
script:
- eval $(aws ecr get-login --registry-ids $AWS_ID --no-include-email --region $AWS_REGION)
- docker run -d -p 9092:9092 --name=kapi $AWS_ID.dkr.ecr.$AWS_REGION.amazonaws.com/company/kapi:1.0

Problem in getting result from 'aws ecr get-login'

I am getting the following error when running the following command.
aws ecr get-login --region eu-central-1
Error
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::314xxxx91079:user/git is not authorized to perform: ecr:GetAuthorizationToken on resource: *
My admin has given me access for this 'GetAuthorizationToken' resource.
Most probably what I think the problem is the 'arn:aws:iam::314xxxx91079:user/git' user being used for this command. When I log in to the AWS console, I see my user name (IAM) as follows.
amit#iproxxx.com
How do I make 'get-login' take this user name instead of user/git? I am very new to the AWS CLI, and this command happens to be one of the build steps.

For newer versions, just use:
aws ecr get-login-password \
--region us-east-1 | docker login \
--username AWS \
--password-stdin <account-id>.dkr.ecr.us-east-1.amazonaws.com
The AWS cli command looks good and the output should be similar to below
Sample output:
docker login -u AWS -p password https://aws_account_id.dkr.ecr.eu-central-1.amazonaws.com
Please check if you have correctly set the AWS credentials for cli to use.
If not done, try below to configure the credentials
aws configure
AWS Access Key ID [None]: Access Key
AWS Secret Access Key [None]: Secret Key
Default region name [None]: eu-central-1
Default output format [None]: json
Note: This should be your default profile; otherwise pass the profile name to the ecr get-login command as well:
aws ecr get-login --region eu-central-1 --profile <profile name>
Hope this helps!

With newer versions of the AWS CLI, we can request the password for ECR docker login with get-login-password and pipe the password to docker login, something like:
aws ecr get-login-password \
--region us-east-1 \
| docker login \
--username AWS \
--password-stdin 123456789101.dkr.ecr.us-east-1.amazonaws.com
Documentation: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/get-login-password.html
With CLI V2, the following syntax is going to throw an error:
$(aws ecr get-login --no-include-email --region us-east-1)
aws ecr get-login --no-include-email --region us-east-1
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument operation: Invalid choice, valid choices are:
Please find below the steps to push the local Docker image to AWS ECR.
We can get a successful login:
C:>aws ecr get-login-password --no-verify
We will get the password. Please find the password column below.
C:\docker login --username AWS --password eyJwYXlsb2Fk...kRBVEFfS0VZIn0= https://123456789012.dkr.ecr.us-east-1.amazonaws.com
docker tag user-mysql account_id.dkr.ecr.us-east-1.amazonaws.com/dockerregistry
Push the image to ECR: C:\docker push account_id.dkr.ecr.us-east-1.amazonaws.com/dockerregistry
Username : AWS
Password : eyJwYXlsb2Fk...kRBVEFfS0VZIn0=
ProxyEndpoint : https://123456789012.dkr.ecr.us-west-2.amazonaws.com
Endpoint : https://123456789012.dkr.ecr.us-west-2.amazonaws.com
ExpiresAt : 9/26/2017 6:08:23 AM
Command : docker login --username AWS --password eyJwYXlsb2Fk...kRBVEFfS0VZIn0= https://123456789012.dkr.ecr.us-west-2.amazonaws.com
Adding this for anyone who needs to configure docker properly on Linux before trying to log into the ECR.
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
And then...
aws ecr get-login-password \
--region <region> | docker login \
--username AWS \
--password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com
I don't think anyone mentioned this but you could also run into this error if you don't have the right permissions set on your IAM user/role.
Specifically, you need to allow the ecr:GetAuthorizationToken action on resource * (since you can't limit this action on a specific resource yet).
{
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Action": "ecr:GetAuthorizationToken",
    "Resource": "*"
}
With this permission granted, you can run either the command:
aws ecr get-login-password --region <region>
Or:
aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' --region <region>
More info:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html
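
An added example (not part of the answer above): the two commands do not print the same thing. get-login-password prints the registry password itself, while the authorizationToken from get-authorization-token is the base64 encoding of "AWS:<password>" and has to be decoded and split before it can be fed to a login command. The function name ecr_password_from_token is made up for this sketch, which assumes a base64 that accepts -d (GNU coreutils).

```shell
#!/bin/sh
# Added example, not code from the post above. ecr_password_from_token is a
# made-up name; base64 -d is assumed to be available (GNU coreutils).

# Print the password carried inside an ECR authorizationToken, or fail if the
# input is not valid base64 or does not decode to "AWS:<non-empty password>".
# The body is a subshell so the decoded value never leaks into the caller.
ecr_password_from_token() (
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || exit 1
    case $decoded in
        AWS:?*) printf '%s\n' "${decoded#AWS:}" ;;
        *)      exit 1 ;;
    esac
)

# Constructed sample token: base64 of "AWS:constructed-password".
# It is not a real credential.
SAMPLE_TOKEN=$(printf 'AWS:constructed-password' | base64)

# With real credentials the decoded password goes to the login tool on stdin:
#   token=$(aws ecr get-authorization-token --output text \
#             --query 'authorizationData[].authorizationToken' --region <region>)
#   ecr_password_from_token "$token" |
#       podman login --username AWS --password-stdin \
#           <aws_account_id>.dkr.ecr.<region>.amazonaws.com
```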

Not able to login to AWS ECR Repository through docker login command

Not able to login to AWS ECR Repository through docker login command.
Using command -
docker login REPO_URL
After I enter username and password the result is 401 Unauthorized.
What could be the issue?

You need to first request the authorization token from ECR using the AWS CLI, then extract the password from it, and then call the docker login command.
Refer - https://docs.aws.amazon.com/cli/latest/reference/ecr/get-authorization-token.html
In my case this worked:
aws ecr get-login-password \
--region <region> \
| docker login \
--username AWS \
--password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com
It was on this page:
https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html
Do this to login: $(aws ecr get-login --no-include-email --region us-east-1)
This worked for me:
aws ecr get-login-password \
--region MYREGION \
| docker login \
--username AWS \
--password-stdin ACCOUNTID.dkr.ecr.MYREGION.amazonaws.com
Copy and paste it into the terminal and replace the placeholders (MYREGION and ACCOUNTID).