Problem in getting result from 'aws ecr get-login' - amazon-web-services

I am getting following error when given following command.
aws ecr get-login --region eu-central-1
Error
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::314xxxx91079:user/git is not authorized to perform: ecr:GetAuthorizationToken on resource: *
My admin has given me access for this 'GetAuthorizationToken' resource.
Most probably what I think the problem is 'arn:aws:iam::314xxxx91079:user/git' user being used for this command. When I login into aws console, I see my user name (IAM) as follow.
amit#iproxxx.com
How do I make 'get-login' to take this user name instead of user/git. I am very new to aws cli, and this command happens to be one of the build step.

For newer version just use
aws ecr get-login-password \
--region us-east-1 | docker login \
--username AWS \
--password-stdin <account-id>.dkr.ecr.us-east-1.amazonaws.com

The AWS cli command looks good and the output should be similar to below
Sample output:
docker login -u AWS -p password https://aws_account_id.dkr.ecr.eu-central-1.amazonaws.com
Please check if you have correctly set the AWS credentials for cli to use.
If not done, try below to configure the credentials
aws configure
AWS Access Key ID [None]: Access Key
AWS Secret Access Key [None]: Secret Key
Default region name [None]: eu-central-1
Default output format [None]: json
Note : This should be your default profile, else pass profile name as well for ecr get-login command
aws ecr get-login --region eu-central-1 --profile <profile name>
Hope this helps !!!

With newer versions of AWS CLI, we can request the password for ECR docker login with get-login-password and pipe the password to Docker login, something like:
aws ecr get-login-password \
--region us-east-1 \
| docker login \
--username AWS \
--password-stdin 123456789101.dkr.ecr.us-east-1.amazonaws.com
Documentation: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/get-login-password.html
with CLI V2, following syntax is going to throw error:
$(aws ecr get-login --no-include-email --region us-east-1)
aws ecr get-login --no-include-email --region us-east-1
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument operation: Invalid choice, valid choices are:

Please find below the step that push the local docker image to AWS ECR
we can get login succeeded:
C:>aws ecr get-login-password --no-verify
We will get the password.Please find below the password column
C:\docker login --username AWS --password eyJwYXlsb2Fk...kRBVEFfS0VZIn0= https://123456789012.dkr.ecr.us-east-1.amazonaws.com
docker tag user-mysql account_id.dkr.ecr.us-east-1.amazonaws.com/dockerregistry
Push the image on ECR : C:\docker push account_id.dkr.ecr.us-east-1.amazonaws.com/dockerregistry
Username : AWS
Password : eyJwYXlsb2Fk...kRBVEFfS0VZIn0=
ProxyEndpoint : https://123456789012.dkr.ecr.us-west-2.amazonaws.com
Endpoint : https://123456789012.dkr.ecr.us-west-2.amazonaws.com
ExpiresAt : 9/26/2017 6:08:23 AM
Command : docker login --username AWS --password eyJwYXlsb2Fk...kRBVEFfS0VZIn0= https://123456789012.dkr.ecr.us-west-2.amazonaws.com

Adding this for anyone who needs to configure docker properly on Linux before trying to log into the ECR.
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
And then...
aws ecr get-login-password \
--region <region> | docker login \
--username AWS \
--password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com

I don't think anyone mentioned this but you could also run into this error if you don't have the right permissions set on your IAM user/role.
Specifically, you need to allow the ecr:GetAuthorizationToken action on resource * (since you can't limit this action on a specific resource yet).
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
}
With this permission granted, you can run either the command:
aws ecr get-login-password --region <region>
Or:
aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' --region <region>
More info:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html

Related

I cant push Docker image to AWS ecr

I'm trying to push a Docker image from Dockerfile built to AWS ECR but when run this command:
$ aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 477629773586.dkr.ecr.eu-west-1.amazonaws.com
appears the error:
An error occurred (AccessDeniedException) when calling the
GetAuthorizationToken operation: User:
arn:aws:iam::477629773586:user/albertosanmartin is not authorized to
perform: ecr:GetAuthorizationToken on resource: * Error: Cannot
perform an interactive login from a non TTY device
I have installed and configured those files:
~/.aws/configure:
[default]
...
[mrthink]
region = eu-west-1
output = json
~/.aws/credentials
[default]
...
[mrthink]
aws_access_key_id = ****
aws_secret_access_key = ****
Seems to the command api get other user "albertosanmartin"
Anybody could help me please ?
Thanks in advance.
If you have your credentials configured under mrthink profile name in ~/.aws/credentials you need to pass the --profile param to the aws cli
$ aws --profile mrthink ecr get-login-password \
--region eu-west-1 |\
docker login --username AWS \
--password-stdin 477629773586.dkr.ecr.eu-west-1.amazonaws.com
The user arn:aws:iam::477629773586:user/albertosanmartin doesnt have access to ECR
You can double-check your credentials via sts get-caller-identity call if they are which you want to use.

AWS ECR Login with podman

Good morning/afternoon/night!
Can you help me, please?
I'm working with RHEL 8.2 and this version doesn't support Docker. I installled Podman and everything was ok until I use the following command:
$(aws ecr get-login --no-include-email --region us-east-1)
But, it doesn't work because it's from Docker (I thought it was from AWS Cli).
The error is:
# $(aws ecr get-login --no-include-email --region us-east-1)
-bash: docker: command not found
I've been searching for an answer and some people used a command like this:
podman login -u AWS -p ....
But I tried some flags and the image, but nothing is working!
What is the equivalent command for podman?
Thanks!
The above command is not associated to docker alone.
It is an AWS cli command to authenticate into the private container image registry(ECR).
Run the below command to get the password for container registry
aws ecr get-login-password --region us-east-1
Then use the password against the below command
podman login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com
This is how the password from aws ecr is piped to podman using AWS CLI. BTW, the username AWS is hardwired and so never needs to be changed:
$ aws ecr get-login-password --region us-east-1 | \
podman login \
--username AWS \
--password-stdin \
<aws_account_id>.dkr.ecr.<region>.amazonaws.com
Podman will use the IAM credentials for the dev profile in ~/.aws/credentials to log into that AWS account:
[default]
aws_access_key_id = ********************
aws_secret_access_key = ****************************************
region = us-east-1
[dev]
aws_access_key_id = ********************
aws_secret_access_key = ****************************************
region = us-east-1
This is how real values can be looked up for profile dev:
$ export AWS_PROFILE=dev
$ AWS_ACCOUNT="$( aws sts get-caller-identity \
--query Account \
--output text
)"
$ AWS_REGION="$( aws configure get region )"
$ aws ecr get-login-password \
--region $AWS_REGION | \
podman login \
--password-stdin \
--username AWS \
$AWS_ACCOUNT.dkr.ecr.$AWS_REGION.amazonaws.com
The above is from my blog post on the subject.

`no basic auth credentials` Github to AWS ECR deployment on git events

I have done setup of Flux for k8s deployment to AWS EKS, for it I have configured Github and k8S with the following:
https://www.weave.works/blog/gitops-with-github-actions-eks
but getting no basic auth credentials
Thanks in advance
You need to login into the ECR Repo using the below command:
aws ecr get-login-password \
--region <region> \
| docker login \
--username AWS \
--password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com
ECR Repository URL : <aws_account_id>.dkr.ecr.region.amazonaws.com
Example :
sh "aws ecr get-login-password --region us-west-1 |
docker login
--username AWS
--password-stdin 09xxxxxxxxxx.dkr.ecr.us-west-1.amazonaws.com"
This command retrieves and displays an authentication token using the GetAuthorizationToken API that you can use to authenticate to an Amazon ECR registry. ~ (Quoted from Amazon Docs)
Reference : https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html

aws ecr saying "Cannot perform an interactive login from a non TTY device" after copied cmd from "Amazon Container Services"

I am trying to set up docker image of amazon ECR on ubuntu18.04 machine of AWS,using commands provided by view push commands of Amazon Container Services
,please note i have already set up docker on my ubuntu18.04 and also output of docker -v is as below
ubuntu#ip-172-31-0-143:~$ docker -v
Docker version 19.03.7, build 7141c199a2
When i execute the command provided by amazon container services on aws cli on ubuntu18.04 i get error as
Error: Cannot perform an interactive login from a non TTY device
The command which i am using is
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 8233251134332.dkr.ecr.us-east-2.amazonaws.com/gatling-lots
please note i have successfully configured awscli and i can see the
detailed from aws s3 ls
Here is detailed error log
ubuntu#ip-172-31-0-143:~$ aws ecr get-login-password --region us-
east-2 | docker login --username AWS --password-stdin
823443336.dkr.ecr.us-west-2.amazonaws.com/gatling-lots
usage: aws [options] <command> <subcommand> [<subcommand> ...]
[parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument operation: Invalid choice, valid choices are:
batch-check-layer-availability | batch-delete-image
batch-get-image | complete-layer-upload
create-repository | delete-lifecycle-policy
delete-repository | delete-repository-policy
describe-images | describe-repositories
get-authorization-token | get-download-url-for-layer
get-lifecycle-policy | get-lifecycle-policy-preview
get-repository-policy | initiate-layer-upload
list-images | put-image
put-lifecycle-policy | set-repository-policy
start-lifecycle-policy-preview | upload-layer-part
get-login | help
Error: Cannot perform an interactive login from a non TTY device
output of
ubuntu#ip-172-31-0-143:~$ (aws ecr get-login --no-include-email --region us-east-2)
docker login -u AWS -p
MzQxL2c0Yks4RjVxeDg9IiwidmVyc2lvbiI6IjIiLCJ0eXBlIjoiREFUQV9LRVkiLCJleHBpcmF0aW9uIjoxNTgzNjgzNDY5fQ== https://825251119036.dkr.ecr.us- east-2.amazonaws.com
The problem is not aws but docker. The solution is on docker to use the -p parameter, and wrap the aws login call to the -p parameter as such:
docker login -u AWS -p $(aws ecr get-login-password --region the-region-you-are-in) xxxxxxxxx.dkr.ecr.the-region-you-are-in.amazonaws.com
And this requires AWS CLI version 2.
docker login prints this error message when you use --password-stdin, but don't actually send a password to the command's stdin.
For example:
$ echo "" | docker login --password-stdin --username jorendorff
Error: Cannot perform an interactive login from a non TTY device
Therefore, almost any kind of problem with the command before the | pipe symbol will result in this unhelpful error message.
it took me forever to figure out that the issue was that I forgot to run aws configure and enter the right details. That solved my issue.
You need to install AWS CLI version 2.
Follow the instructions in this Installing or updating the latest version of the AWS CLI
This command does the trick in bash and linux at 2020/10/06:
linux#host:~$ $(aws ecr get-login --no-include-email)
That's because
$ aws ecr get-login --no-include-email
Gives the following output:
docker login -u AWS -p xxxxxxxxxxxxx== https://xxx.dkr.ecr.eu-west-1.amazonaws.com
Devin's answer is correct.
But there is one more way.
The updated version of docker requires this parameter --password-stdin.
aws ecr get-login-password --region <YOUR_REGION> | docker login --username AWS --password-stdin <ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com
Below steps are resolve that issue.
$curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
$aws --version
aws-cli/2.0.30 Python/3.7.3 Linux/4.14.181-142.260.amzn2.x86_64 botocore/2.0.0dev34
$aws ecr get-login-password --region your_region | docker login --username AWS --password-stdin Account_ID.dkr.ecr.your_region.amazonaws.com
Replace your Account ID and Region.
I know this question is answered already, but, this was my experience.
This didn't work for me initially.
aws ecr get-login-password --region <your-region>| docker login --username AWS --password-stdin <your-container>
I had the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY saved under variables in GitLab.
But the solution was to uncheck the Protected flag from the variables saved on GitLab. I don't know how secure this approach is, but, it did work for me.
I hope this would help someone one day.
You need to authorize your EC2 machine to access AWS services either by
running aws configure and providing the right details
OR
Give your EC2 machine a role to enable it access ECR
Also if you run your docker commands with sudo, then add sudo before the docker command as shown below
aws ecr get-login-password --region us-west-2 | sudo docker login --username AWS --password-stdin 8233251134332.dkr.ecr.us-east-2.amazonaws.com/gatling-lots
Cheers.
Also remember you cannot log into partitioned regions (cn-* or gov) while using a non-partitioned AWS profile. Add --profile foo to specify a profile with your designated region.
In my case, I forgot to add ECR related policy in my AWS IAM.
To add a policy follow these steps.
The issue I found is AWS CLI v1 vs AWS CLI v2. I resolved this by uninstalling v1 and installing AWS CLI v2.
No worries in this case. Just type 'aws configure' in your terminal and paste the security credentials such as 'aws_access_key_id' and 'aws_secret_access_key'and then type the region of the repository and the output format as 'json'.
It worked for me.
I got this error on Ubuntu 18.04 after my AWS CLI was automatically updated.
I solved it by reverting it back to the previous version using this command:
sudo apt-get install awscli=1.14.44-1ubuntu1 -V
I faced this error after re-starting Docker.
It was solved when I did docker login initially.
Then aws ecr get-login-password --region <your_region> | docker login --username AWS --password-stdin <your_uri>/<your_image> command worked again.
All of the above did not work for me on a windows OS. However, windows (10) was suggesting updates. I applied the Update & Restart and when I executed the login command
aws ecr get-login-password --region **your_region_code** | sudo docker login --username AWS --password-stdin **numeric-account-id**.dkr.ecr.**your-region-code**.amazonaws.com*
Everything worked again normally.
I had the same problem with Atlassian Bamboo, and logging into AWS ECR from an SSH task in a build plan.
I could not run aws configure because of insufficient permissions.
So I solved this by setting the AWS credential variables and then the docker login as proposed by one of the other answers:
export AWS_ACCESS_KEY_ID=<value>
export AWS_SECRET_ACCESS_KEY=<value>
docker login -u AWS -p $(aws ecr get-login-password --region <region>) <accountid>.dkr.ecr.<region>.amazonaws.com
The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY can be created in your AWS profile, Security Credentials section.
Hope this helps someone, and a future me when I forget and come back to find help.
This answer is for similar error getting for github actions. Please try this and let me know if this works
- name: Docker login
uses: docker/login-action#v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}```

Not able to login to AWS ECR Repository through docker login command

Not able to login to AWS ECR Repository through docker login command.
Using command -
docker login REPO_URL
After I enter username and password the result is 401 Unauthorized.
What could be the issue ?
You need to first request for the authorization token from ECR using AWS CLI and then extract the password from it and then, call docker login command.
Refer - https://docs.aws.amazon.com/cli/latest/reference/ecr/get-authorization-token.html
In my case this worked:
aws ecr get-login-password
--region
| docker login
--username AWS
--password-stdin <aws_account_id>.dkr.ecr..amazonaws.com
it was on page
https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html
Do this to login: $(aws ecr get-login --no-include-email --region us-east-1)
This worked for me:
aws ecr get-login-password \
--region MYREGION \
| docker login \
--username AWS \
--password-stdin ACCOUNTID.dkr.ecr.MYREGION.amazonaws.com
Copy paste it in the terminal and replace the placeholders (MYREGION and ACCOUNTID)