Can't push image to Amazon ECR - fails with "no basic auth credentials"

I'm trying to push a docker image to an Amazon ECR registry. I'm using docker client Docker version 1.9.1, build a34a1d5. I use "aws ecr get-login --region us-east-1" to get the docker login creds. I then successfully login with those creds as follows:

docker login -u AWS -p XXXX -e none https://####.dkr.ecr.us-east-1.amazonaws.com
WARNING: login credentials saved in /Users/ar/.docker/config.json
Login Succeeded

But when I try to push my image I get the following error:

$ docker push ####.dkr.ecr.us-east-1.amazonaws.com/image:latest
The push refers to a repository [####.dkr.ecr.us-east-1.amazonaws.com/image] (len: 1)
bcff5e7e3c7c: Preparing 
Post https://####.dkr.ecr.us-east-1.amazonaws.com/v2/image/blobs/uploads/: no basic auth credentials

I made sure that the aws user had the correct permissions. I also made sure that the repository allowed that user to push to it. Just to make sure that wasn't an issue I set the registry to allow all users full access. Nothing changes the "no basic auth credentials" error. I don't know how to begin to debug this since all the traffic is encrypted.

UPDATE

So I had a bit of Homer Simpson D'Oh moment when I realized the root cause of my problem. I have access to multiple AWS accounts. Even though I was using aws configure to set my credentials for the account where I had setup my repository the aws cli was actually using the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. So when I did aws ecr get-login it was returning a login for the wrong account. I failed to notice that the account numbers were different until I just went back now to try some of the proposed answers. When I remove the environment variables everything works correctly. I guess the motto of the story is if you hit this error, make sure that the repository you are logging into matches the tag you have applied to the image.

Answers


if you run $(aws ecr get-login --region us-east-1) it will be all done for you


In my case this was a bug with Docker for Windows and their support for the Windows Credential Manager.

Open your ~/.docker/config.json and remove the "credsStore": "wincred" entry.

This will cause credentials to be written to the config.json directly. You'll have to log in again afterwards.

You can track this bug through the tickets #22910 and #24968 on GitHub.


If you use profiles, don't forget to pass --profile=XXX to aws ecr get-login.


I had this issue as well. What happened with me was I forgot to run the command that was returned to me after I ran

aws ecr get-login --region ap-southeast-2

This command returned a big blob, which includes the docker login command right there! I didn't realise. It should return something like this:

docker login -u AWS -p <your_token_which_is_massive> -e none <your_aws_url>

Copy and paste this command & then run your docker push command which looks something like this:

docker push 8888888.blah.blah.ap-southwest-1.amazonaws.com/dockerfilename

This should have worked even without opening up the permissions. See the documentation: Private Registry Authentication.

[Edit: actually, I had permissions problems too when doing a second test. See Docker push to AWS ECR private repo failing with malformed JSON).]

Nevertheless I had the same problem; I don't know why, but I successfully used the more long-winded auth mechanism described in the docs for get-authorization-token

AWS CLI and Docker versions:

$ aws --version
aws-cli/1.9.17 Python/2.7.6 Linux/3.16.0-38-generic botocore/1.3.17
$ docker --version
Docker version 1.9.1, build a34a1d5

Get the auth token ('docker password').

aws ecr get-authorization-token --region us-east-1 --output text \
    --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2

Note: My ~/.aws/config specifies a different default region, so I needed to explicitly set --region us-east-1.

Log in interactively (change ############ to your AWS account id):

docker login -u AWS https://############.dkr.ecr.us-east-1.amazonaws.com/
password: <paste the very long password from above>
email: <I left this blank>

Push an image (assuming you've made a docker image test):

docker tag test:latest ############.dkr.ecr.us-east-1.amazonaws.com/test:latest
docker push ############.dkr.ecr.us-east-1.amazonaws.com/test:latest
The push refers to a repository [910732017890.dkr.ecr.us-east-1.amazonaws.com/test] (len: 1)
d5122f58a2e1: Pushed 
7bddbca3b908: Pushed 
latest: digest: sha256:bc0b521fd398bd1a2ef58a289dcb910334608723fd570e7bddb36eacd0060363 size: 4378

Try with:

eval $(aws ecr get-login --no-include-email | sed 's|https://||')

before push.


If it helps anyone...

My problem was that I had to use the --profile option in order to authenticate with the proper profile from the credentials file.

Next, I had ommitted the --region [region_name] command, which also gave the "no basic auth credentials" error.

The solution for me was changing my command from this:

aws ecr get-login

To this:

aws --profile [profile_name] ecr get-login --region [region_name]

Example:

aws --profile foo ecr get-login --region us-east-1

Hope that helps someone!


There's a known bug in the wincred credential manager on Windows. Removing 'https://' from the generated login command solves this.

docker login -u AWS -p <password> <aws_account_id>.dkr.ecr.<region>.amazonaws.com

instead of

docker login -u AWS -p <password> https://<aws_account_id>.dkr.ecr.<region>.amazonaws.com

See also the troubleshooting page.


I experienced the same issue.

Generating new AWS credentials (access keys) and reconfiguring AWS CLI with new credentials resolved the problem.

Earlier, aws ecr get-login --region us-east-1 generated docker login command with invalid EC registry URL.


  1. Make sure you have created the ECR registry first. Then as per the ECR Push Command Instructions, cut and paste the following commands
  2. Execute the docker login command (eval on Mac/Linux skips the cut-and-paste) eval $(aws ecr get-login --region us-east-1) add --profile if you use multiple AWS Accounts eval $(aws ecr get-login --region us-east-1 --profile your-profile)
  3. docker build -t image-name .
  4. docker tag image-name:latest ############.dkr.ecr.us-east-1.amazonaws.com/image-name:latest
  5. docker push ############.dkr.ecr.us-east-1.amazonaws.com/image-name:latest

In case of error, make sure you run all the commands again! The credentials you get using aws ecr get-login are temporary and will expire.


In my case, after running aws ecr get-login --no-include-email --region *****, I just copied the output of that command with is of the form docker login -u *** -p ************, and you paste it in the prompt. The pushing went ahead.


The AWS documents tell you to execute the following command (for ap-southeast-2 region)

aws ecr get-login --region ap-southeast-2

When I bumped into this issue, it wasn't clear to me based on that docs that you need to enter the result of this command into the terminal and execute it.

Fix that worked for me to was to copy the result to the clipboard with

aws ecr get-login --region ap-southeast-2 | pbcopy

Paste the result into the command line and execute it


I had this issue with a different cause: I needed to push to a registry not associated with my AWS Account (a client's ECR registry). The client had granted me access under the Permissions tab for the registry, by adding my IAM id (e.g., arn:aws:iam::{AWS ACCT #}:user/{Username}) as a Principal. I tried to login with the usual steps:

$(aws ecr get-login --region us-west-2 --profile profilename)
docker push {Client AWS ACCT #}.dkr.ecr.us-west-1.amazonaws.com/imagename:latest

Which of course resulted in no basic auth credentials. As it turns out, aws ecr get-login logs you in to the ECR for the registry associated your login, which makes sense in retrospect. The solution is to tell aws ecr get-login which registry(s) you want to log in to.

$(aws ecr get-login --region us-west-2 --profile profilename --registry-ids {Client AWS ACCT #})

After that, docker push works just fine.


After run this command:

(aws ecr get-login --no-include-email --region us-west-2)

just run the docker login command from the output

docker login -u AWS -p epJ....

is the way that docker login into ECR


I ran into this issue as well running on OSX. I saw Oliver Salzburg's response and checked my ~/.docker/config.json. It had multiple authorization credentials inside it from the different AWS accounts I have. I deleted the file and after running get-login again it worked.


I faced the same issue and the mistake I did was using the wrong repo path

eg: docker push xxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/jenkins:latest

In the above path this is where I've done the mistake: In "dkr.ecr.us-east-1.amazonaws.com" instead of "west". I was using "east". Once I corrected my mistake, I was able to push the image successfully.


My issue was having multiple AWS credentials; default and dev. Since I was trying to deploy to dev this worked:

$(aws ecr get-login --no-include-email --region eu-west-1 --profile dev | sed 's|https://||')

FWIW, Debian 9, Docker version 18.06.1-ce, build e68fc7a:

$(aws ecr get-login | sed 's| -e none | |g')


If you use multiple profiles and you need to login to a profile that is not your default one, you need to login with this command:

$(AWS_PROFILE=<YOUR PROFILE> aws ecr get-login --no-include-email --region eu-west-1)

On Windows in PowerShell, use:

Invoke-Expression $(aws ecr get-login --no-include-email)

The docker command given by aws-cli is little off...

When using docker login, docker will save a server:key pair either in your keychain or ~/.docker/config.json file

If it saves the key under https://7272727.dkr.ecr.us-east-1.amazonaws.com the lookup for the key during push will fail because docker will be looking for a server named 7272727.dkr.ecr.us-east-1.amazonaws.com not https://7272727.dkr.ecr.us-east-1.amazonaws.com.

Use the following command to login:

eval $(aws ecr get-login --no-include-email --region us-east-1 --profile yourprofile | sed 's|https://||')

Once you run the command you will get 'Login Succeeded' message and then you are good after that your push command should work


Following command works for me:

sudo $(aws ecr get-login --region us-east-1 --no-include-email)

And Then I run these commands:

sudo docker tag e9ae3c220b23(image_id) aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app

sudo docker push aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app

we also encounter this issue today and tried everything mentionned in this post (except generating AWS credentials).

We finally solved the problem by simply upgrading Docker, then the push worked.

The problem was encountered with Docker 1.10.x and was solved with Docker 1.11.x.

Hope this helps


If you are isolating AWS Accounts for CI/CD purpose and having one ECR repository shared among multiple AWS Accounts, you might need to change the ~/.docker/config.json manually.

Let's say you have these setups:

  1. ECR is owned by AWS Account ID 00000000000000
  2. CI server is owned by AWS Account ID 99999999999999

If you call aws ecr get-login --region us-west-2 | bash within your CI server, docker will generate temporary credentials in ~/.docker/config.json.

{
  "auths": {
    "https://99999999999999.dkr.ecr.us-west-2.amazonaws.com": {
      "auth": "long-token.."
    }
  }
}

But you want to point to the ECR's account, so you need to change the hostname.

{
  "auths": {
    "https://00000000000000.dkr.ecr.us-west-2.amazonaws.com": {
      "auth": "long-token.."
    }
  }
}

Note this situation relies how you form IAM user / policy to allow ECR access.


You have to make sure you have logged in using correct credentials, See the offical error description and checks here

http://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors-docker.html

Fixing "no basic authentication" is described in the link


Make sure you use the correct region in aws ecr get-login, it must match the region in which your repository is created.


aws ecr get-login --region us-west-1 --no-include-email

This command gives me correct command to login. If you dont use "--no-include-email",it will throw another error. Output of the above command looks like this docker login -u AWS -p **********************very big******. Copy that and execute it. Now it will show "Login Succeeded". Now you can push your image to ECR.

Make sure that your AMI rule has the permission for the user you tried to login.


Simply run whatever returned in step one would fix the issue.


That error message is coming from docker and it not necessarily related to AWS as I have gotten same error when not using AWS ... its just saying docker is not getting authorization to proceed from whatever source of auth it happens to be using

In my case, in test I removed directory ~/.docker and got that error ... after I bounced my local docker registry then docker push was fine


In my case (and probably in all cases), this error resulted from having multiple AWS accounts. So, AWS ECR is not using the right aws credentials assosciated with the aws account.

I tried multiple solutions mentioned here, but did not succeed. It worked after using tokens instead of username and password. I got it working following the instructions here. https://btburnett.com/2017/01/docker-login-for-amazon-aws-ecr-using-windows-powershell.html


Need Your Help

Log4Net "Could not find schema information" messages

web-services logging schema web-config log4net

I decided to use log4net as a logger for a new webservice project. Everything is working fine, but I get a lot of messages like the one below, for every log4net tag I am using in my web.config: