Can't push image to Amazon ECR - fails with “no basic auth credentials”

215
votes

I'm trying to push a docker image to an Amazon ECR registry. I'm using docker client Docker version 1.9.1, build a34a1d5. I use aws ecr get-login --region us-east-1 to get the docker login creds. Then I successfully login with those creds as follows: 

docker login -u AWS -p XXXX -e none https://####.dkr.ecr.us-east-1.amazonaws.com
WARNING: login credentials saved in /Users/ar/.docker/config.json
Login Succeeded

But when I try to push my image I get the following error:

$ docker push ####.dkr.ecr.us-east-1.amazonaws.com/image:latest
The push refers to a repository [####.dkr.ecr.us-east-1.amazonaws.com/image] (len: 1)
bcff5e7e3c7c: Preparing 
Post https://####.dkr.ecr.us-east-1.amazonaws.com/v2/image/blobs/uploads/: no basic auth credentials

I made sure that the aws user had the correct permissions. I also made sure that the repository allowed that user to push to it. Just to make sure that wasn't an issue I set the registry to allow all users full access. Nothing changes the "no basic auth credentials" error. I don't know how to begin to debug this since all the traffic is encrypted.

UPDATE

So I had a bit of Homer Simpson D'Oh moment when I realized the root cause of my problem. I have access to multiple AWS accounts. Even though I was using aws configure to set my credentials for the account where I had setup my repository the aws cli was actually using the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. So when I did aws ecr get-login it was returning a login for the wrong account. I failed to notice that the account numbers were different until I just went back now to try some of the proposed answers. When I remove the environment variables everything works correctly. I guess the motto of the story is if you hit this error, make sure that the repository you are logging into matches the tag you have applied to the image.

30
amazon-web-servicesdockeraws-ecr
You should make that update Bold, underlined and italicised. I also just had that Homer Simpson moment. Thank you!Mike
Thanks for narrowing it down! You saved my day literally!simonso
The same error is given when the repository does not exist. Check whether you created the repo in the right region.Ilia Sidorenko
docs.aws.amazon.com/AmazonECR/latest/userguide/…chrisjlee
Note that you can set up your aws cli to handle multiple user profiles: docs.aws.amazon.com/cli/latest/userguide/…Peter Berg

30 Answers

133
votes

if you run $(aws ecr get-login --region us-east-1) it will be all done for you

Update July 2021:

get-login is now deprecated in version 1 of the AWS CLI. If you're using version 2 of the AWS CLI, you must use get-login-password.

You can pipe the output of get-login-password to your docker login command to authenticate docker to your ECR registry:

aws ecr get-login-password | docker login --username AWS --password-stdin ####.dkr.ecr.us-east-1.amazonaws.com

Now you should be able to docker push and have it go straight to your ECR registry.

59
votes

In my case this was a bug with Docker for Windows and their support for the Windows Credential Manager.

Open your ~/.docker/config.json and remove the "credsStore": "wincred" entry.

This will cause credentials to be written to the config.json directly. You'll have to log in again afterwards.

You can track this bug through the tickets #22910 and #24968 on GitHub.

52
votes

If you use profiles, don't forget to pass --profile=XXX to aws ecr get-login.

44
votes

Update

Since AWS CLI version 2 - aws ecr get-login is deprecated and the correct method is aws ecr get-login-password.

Therefore the correct and updated answer is the following: docker login -u AWS -p $(aws ecr get-login-password --region us-east-1) xxxxxxxx.dkr.ecr.us-east-1.amazonaws.com

32
votes

I had this issue as well. What happened with me was I forgot to run the command that was returned to me after I ran 

aws ecr get-login --region ap-southeast-2

This command returned a big blob, which includes the docker login command right there! I didn't realise. It should return something like this:

docker login -u AWS -p <your_token_which_is_massive> -e none <your_aws_url>

Copy and paste this command & then run your docker push command which looks something like this:

docker push 8888888.blah.blah.ap-southwest-1.amazonaws.com/dockerfilename
16
votes

This should have worked even without opening up the permissions. See the documentation: Private Registry Authentication.

[Edit: actually, I had permissions problems too when doing a second test. See Docker push to AWS ECR private repo failing with malformed JSON).]

Nevertheless I had the same problem; I don't know why, but I successfully used the more long-winded auth mechanism described in the docs for get-authorization-token

AWS CLI and Docker versions:

$ aws --version
aws-cli/1.9.17 Python/2.7.6 Linux/3.16.0-38-generic botocore/1.3.17
$ docker --version
Docker version 1.9.1, build a34a1d5

Get the auth token ('docker password').

aws ecr get-authorization-token --region us-east-1 --output text \
    --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2

Note: My ~/.aws/config specifies a different default region, so I needed to explicitly set --region us-east-1.

Log in interactively (change ############ to your AWS account id):

docker login -u AWS https://############.dkr.ecr.us-east-1.amazonaws.com/
password: <paste the very long password from above>
email: <I left this blank>

Push an image (assuming you've made a docker image test):

docker tag test:latest ############.dkr.ecr.us-east-1.amazonaws.com/test:latest
docker push ############.dkr.ecr.us-east-1.amazonaws.com/test:latest
The push refers to a repository [910732017890.dkr.ecr.us-east-1.amazonaws.com/test] (len: 1)
d5122f58a2e1: Pushed 
7bddbca3b908: Pushed 
latest: digest: sha256:bc0b521fd398bd1a2ef58a289dcb910334608723fd570e7bddb36eacd0060363 size: 4378
15
votes

Try with:

eval $(aws ecr get-login --no-include-email | sed 's|https://||')

before push.

12
votes

If it helps anyone...

My problem was that I had to use the --profile option in order to authenticate with the proper profile from the credentials file.

Next, I had ommitted the --region [region_name] command, which also gave the "no basic auth credentials" error.

The solution for me was changing my command from this:

aws ecr get-login

To this:

aws --profile [profile_name] ecr get-login --region [region_name]

Example:

aws --profile foo ecr get-login --region us-east-1

Hope that helps someone!

9
votes

There's a known bug in the wincred credential manager on Windows. Removing 'https://' from the generated login command solves this.

docker login -u AWS -p <password> <aws_account_id>.dkr.ecr.<region>.amazonaws.com

instead of 

docker login -u AWS -p <password> https://<aws_account_id>.dkr.ecr.<region>.amazonaws.com

See also the troubleshooting page.

8
votes

I experienced the same issue.

Generating new AWS credentials (access keys) and reconfiguring AWS CLI with new credentials resolved the problem.

Earlier, aws ecr get-login --region us-east-1 generated docker login command with invalid EC registry URL.

6
votes
  1. Make sure you have created the ECR registry first.
    Then as per the ECR Push Command Instructions, cut and paste the following commands
  2. Execute the docker login command (eval on Mac/Linux skips the cut-and-paste)
    eval $(aws ecr get-login --region us-east-1)
    add --profile if you use multiple AWS Accounts
    eval $(aws ecr get-login --region us-east-1 --profile your-profile)
  3. docker build -t image-name .
  4. docker tag image-name:latest ############.dkr.ecr.us-east-1.amazonaws.com/image-name:latest
  5. docker push ############.dkr.ecr.us-east-1.amazonaws.com/image-name:latest

In case of error, make sure you run all the commands again! The credentials you get using aws ecr get-login are temporary and will expire.

6
votes

On Windows in PowerShell, use:

Invoke-Expression $(aws ecr get-login --no-include-email)
5
votes

I had this issue with a different cause: I needed to push to a registry not associated with my AWS Account (a client's ECR registry). The client had granted me access under the Permissions tab for the registry, by adding my IAM id (e.g., arn:aws:iam::{AWS ACCT #}:user/{Username}) as a Principal. I tried to login with the usual steps:

$(aws ecr get-login --region us-west-2 --profile profilename)
docker push {Client AWS ACCT #}.dkr.ecr.us-west-1.amazonaws.com/imagename:latest

Which of course resulted in no basic auth credentials. As it turns out, aws ecr get-login logs you in to the ECR for the registry associated your login, which makes sense in retrospect. The solution is to tell aws ecr get-login which registry(s) you want to log in to.

$(aws ecr get-login --region us-west-2 --profile profilename --registry-ids {Client AWS ACCT #})

After that, docker push works just fine.

5
votes

In my case, after running aws ecr get-login --no-include-email --region *****, I just copied the output of that command with is of the form docker login -u *** -p ************, and you paste it in the prompt. The pushing went ahead.

5
votes

There has just been an update where get-login was removed from AWS, instead use get-login-password:

sudo docker login -u AWS -p $(aws ecr get-login-password --region <region> - 
-profile <profile>) <account id>.dkr.ecr.eu-north-1.amazonaws.com

Dont forget to remove the --profile flag if using default credentials

4
votes

The AWS documents tell you to execute the following command (for ap-southeast-2 region)

aws ecr get-login --region ap-southeast-2

When I bumped into this issue, it wasn't clear to me based on that docs that you need to enter the result of this command into the terminal and execute it.

Fix that worked for me to was to copy the result to the clipboard with

aws ecr get-login --region ap-southeast-2 | pbcopy

Paste the result into the command line and execute it

4
votes

After run this command:

(aws ecr get-login --no-include-email --region us-west-2)

just run the docker login command from the output

docker login -u AWS -p epJ....

is the way that docker login into ECR

3
votes

The docker command given by aws-cli is little off...

When using docker login, docker will save a server:key pair either in your keychain or ~/.docker/config.json file

If it saves the key under https://7272727.dkr.ecr.us-east-1.amazonaws.com the lookup for the key during push will fail because docker will be looking for a server named 7272727.dkr.ecr.us-east-1.amazonaws.com not https://7272727.dkr.ecr.us-east-1.amazonaws.com.

Use the following command to login: 

eval $(aws ecr get-login --no-include-email --region us-east-1 --profile yourprofile | sed 's|https://||')

Once you run the command you will get 'Login Succeeded' message and then you are good
after that your push command should work

3
votes

This error generally gets thrown if ecr login has failed. I am using windows system and I used "Powershell" in Administrator mode to login to ecr first.

Invoke-Expression $(aws ecr get-login --no-include-email)

This should output "Login succeeded".

3
votes

Docker CLI doesn't support native IAM authentication methods. To authenticate and authorize Docker push and pull requests follow this step.

Step - 1

Check whether aws credentials properly configured or not. To configure AWS credentials run the following command and give your aws credentials.

aws configure

step - 2

you can authenticate Docker to an Amazon ECR private registry with get-login-password (recommended)

linux and msc

aws ecr get-login-password --region <your region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<your region>.amazonaws.com

for windows

(Get-ECRLoginCommand).Password | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.<your region>.amazonaws.com

or

you can also use --get-login method (but expose credentials) (not recommended).

for linux and mac

$(aws ecr get-login --region <your region> --no-include-email)

for windows

Invoke-Expression -Command (Get-ECRLoginCommand -Region <your region>).Command

if you got Login Succeeded then you are good to go. else refer aws docs for error

step - 3

Push your image to repo

  1. Tag your image

    docker tag <aws_account_id>.dkr.ecr..amazonaws.com/my-web-app

  2. Push your image with following command.

    docker push <aws_account_id>.dkr.ecr..amazonaws.com/my-web-app

Note: this is token based login and the generated authorize token valid only for 12H

2
votes

I faced the same issue and the mistake I did was using the wrong repo path

eg: docker push xxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/jenkins:latest

In the above path this is where I've done the mistake: In "dkr.ecr.us-east-1.amazonaws.com" instead of "west". I was using "east". Once I corrected my mistake, I was able to push the image successfully.

2
votes

Following command works for me:

sudo $(aws ecr get-login --region us-east-1 --no-include-email)

And Then I run these commands:

sudo docker tag e9ae3c220b23(image_id) aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app

sudo docker push aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app
2
votes

Just adding to this as in case someone out there is suffering from never Reading The F Manual like me
I followed all the suggested steps from above such as

aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 123456789.dkr.ecr.eu-west-1.amazonaws.com

And always got the no basic auth credentials
I had created a registry named

123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace

and was trying to push an image called alpine:latest

123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine:latest
2c6e8b76de: Preparing
9d4cb0c1e9: Preparing
1ca55f6ab4: Preparing
b6fd41c05e: Waiting
ad44a79b33: Waiting
2ce3c1888d: Waiting
no basic auth credentials

Silly mistake on my behalf as I must create a registry in ecr using the full container path.
I created a new registry using the full container path, not ending on the namespace

123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine

and low and behold pushing to

123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine:latest 
The push refers to repository [123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine]
0c8667b5b: Pushed
730460948: Pushed
1.0: digest: sha256:e1f814f3818efea45267ebfb4918088a26a18c size: 7

works just fine

1
votes

I ran into this issue as well running on OSX. I saw Oliver Salzburg's response and checked my ~/.docker/config.json. It had multiple authorization credentials inside it from the different AWS accounts I have. I deleted the file and after running get-login again it worked.

1
votes

Make sure you use the correct region in aws ecr get-login, it must match the region in which your repository is created.

1
votes

My issue was having multiple AWS credentials; default and dev. Since I was trying to deploy to dev this worked:

$(aws ecr get-login --no-include-email --region eu-west-1 --profile dev | sed 's|https://||')
1
votes

FWIW, Debian 9, Docker version 18.06.1-ce, build e68fc7a:

$(aws ecr get-login | sed 's| -e none | |g')

1
votes

If you use multiple profiles and you need to login to a profile that is not your default one, you need to login with this command:

$(AWS_PROFILE=<YOUR PROFILE> aws ecr get-login --no-include-email --region eu-west-1)
1
votes

There is a very simple way to push docker images to ECR: Amazon ECR Docker Credential Helper. Just install it according to the provided guide, update your ~/.docker/config.json as the following: 

{
    "credsStore": "ecr-login"
}

and you will be able to push/pull your images without docker login.

1
votes

For Mac OSX

TL;DR Make sure your "auths" key matches your credential store key exactly

  • Check your docker config:

cat ~/.docker/config.json

Sample Result:

{
    "auths": {
        "https://55511155511.dkr.ecr.us-east-1.amazonaws.com": {}
    },
    "HttpHeaders": {
        "User-Agent": "Docker-Client/19.03.5 (darwin)"
    },
    "credsStore": "osxkeychain"
}

Notice that the "auths" value is an empty object and docker is using a credential store "osxkeychain".

  • Open Mac's "Keychain Access" app and find the name "Docker Credentials"

enter image description here

Notice the Where: field

  • Make sure the auths key in ~/.docker/config.json matches the Where: field in Keychain Access.

If the auths key in ~/.docker/config.json does NOT match they Where: field in the keychain, you may get a Login Succeeded from docker login... but still get ERROR: Service 'web' failed to build: Get https://55511155511.dkr.ecr.us-east-1.amazonaws.com/v2/path/to/image/latest: no basic auth credentials when you try to pull.

In my case, I needed to add https://

Original

    "auths": {
        "55511155511.dkr.ecr.us-east-1.amazonaws.com": {}
    },

Fixed

    "auths": {
        "https://55511155511.dkr.ecr.us-east-1.amazonaws.com": {}
    },