Can't push image to Amazon ECR - fails with "no basic auth credentials"
I'm trying to push a docker image to an Amazon ECR registry. I'm using docker client Docker version 1.9.1, build a34a1d5. I use aws ecr get-login --region us-east-1 to get the docker login creds. Then I successfully login with those creds as follows:
docker login -u AWS -p XXXX -e none https://####.dkr.ecr.us-east-1.amazonaws.com
WARNING: login credentials saved in /Users/ar/.docker/config.json
Login Succeeded
But when I try to push my image I get the following error:
$ docker push ####.dkr.ecr.us-east-1.amazonaws.com/image:latest
The push refers to a repository [####.dkr.ecr.us-east-1.amazonaws.com/image] (len: 1)
bcff5e7e3c7c: Preparing
Post https://####.dkr.ecr.us-east-1.amazonaws.com/v2/image/blobs/uploads/: no basic auth credentials
I made sure that the aws user had the correct permissions. I also made sure that the repository allowed that user to push to it. Just to make sure that wasn't an issue I set the registry to allow all users full access. Nothing changes the "no basic auth credentials" error. I don't know how to begin to debug this since all the traffic is encrypted.
UPDATE
So I had a bit of Homer Simpson D'Oh moment when I realized the root cause of my problem. I have access to multiple AWS accounts. Even though I was using aws configure to set my credentials for the account where I had setup my repository the aws cli was actually using the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. So when I did aws ecr get-login it was returning a login for the wrong account. I failed to notice that the account numbers were different until I just went back now to try some of the proposed answers. When I remove the environment variables everything works correctly. I guess the motto of the story is if you hit this error, make sure that the repository you are logging into matches the tag you have applied to the image.
if you run $(aws ecr get-login --region us-east-1) it will be all done for you
Update July 2021:
get-login is now deprecated in version 1 of the AWS CLI. If you're using version 2 of the AWS CLI, you must use get-login-password.
You can pipe the output of get-login-password to your docker login command to authenticate docker to your ECR registry:
aws ecr get-login-password | docker login --username AWS --password-stdin ####.dkr.ecr.us-east-1.amazonaws.com
Now you should be able to docker push and have it go straight to your ECR registry.
In my case this was a bug with Docker for Windows and their support for the Windows Credential Manager.
Open your ~/.docker/config.json and remove the "credsStore": "wincred" entry.
This will cause credentials to be written to the config.json directly. You'll have to log in again afterwards.
You can track this bug through the tickets #22910 and #24968 on GitHub.
If you use profiles, don't forget to pass --profile=XXX to aws ecr get-login.
Update
Since AWS CLI version 2 - aws ecr get-login is deprecated and the correct method is aws ecr get-login-password.
Therefore the correct and updated answer is the following:
docker login -u AWS -p $(aws ecr get-login-password --region us-east-1) xxxxxxxx.dkr.ecr.us-east-1.amazonaws.com
I had this issue as well. What happened with me was I forgot to run the command that was returned to me after I ran
aws ecr get-login --region ap-southeast-2
This command returned a big blob, which includes the docker login command right there! I didn't realise. It should return something like this:
docker login -u AWS -p <your_token_which_is_massive> -e none <your_aws_url>
Copy and paste this command & then run your docker push command which looks something like this:
docker push 8888888.blah.blah.ap-southwest-1.amazonaws.com/dockerfilename