`Authorization Token has expired` issue AWS-CLI on MacOS Sierra
I'm trying to push a docker image to the AWS ECR repository using the aws-cli.
- I just run the
get-logincommand - execute the output (which returns
login succeeded) - then try to push a docker image then I get the
message:
denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.
I don't know whats going wrong, I'm pushing to the right repo, the time on my mac is correct. This was working before, but since I reinstalled my mac and upgraded to macOS Sierra it's not working anymore, so probably related to that.
My aws --version output:
aws-cli/1.11.34 Python/2.7.10 Darwin/16.3.0 botocore/1.4.91
The complete output of the commands I run:
$ aws ecr get-login --region eu-west-1
docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
$ docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
Flag --email has been deprecated, will be removed in 1.13.
Login Succeeded
$ docker push 1234567890.dkr.ecr.eu-west-1.amazonaws.com/service-web:latest
The push refers to a repository [1234567890.dkr.ecr.eu-west-1.amazonaws.com/service-web]
c1f87971dfa9: Preparing
2eb644aea3de: Preparing
9c8843ffe48e: Preparing
39bb58d049d4: Preparing
f053bc969599: Preparing
7169084246b8: Waiting
bb134a1936fd: Waiting
184e76848a1c: Waiting
75c8fcf65748: Waiting
eb9b9ee1ea58: Waiting
f4bf35723edd: Waiting
ddffe1a64b3c: Waiting
fd1a1154db16: Waiting
b542e946067a: Waiting
d49ed2a5e1ed: Waiting
bb39b980367a: Waiting
25b8358d062f: Waiting
997eee521fc7: Waiting
50b5447183a8: Waiting
4339b5cb0e1d: Waiting
3dbd4a53b21b: Waiting
2bec16216500: Waiting
b9fd8e264df6: Waiting
b6ca02dfe5e6: Waiting
denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.
Solution 1:
Neither of solutions above worked for my but I found that when I set region in ecr login command it worked.
aws ecr get-login --region us-west-2
Solution 2:
You might just be running the command and not pasting the command that is echo'd out from that command back into the terminal. Easy mistake to make. Once you run:
aws ecr get-login --no-include-email --region us-east-1
It will print out another command to run, you'll need to copy that command and run it in your terminal to authenticate fully.
Or a cool shortcut is to just pipe the echo'd command back into the shell with:aws ecr get-login --no-include-email --region us-east-1 | sh
Solution 3:
Latest versions of Docker use a new credentials storage feature which has a bug where doing a docker login with a URL that specifies a protocol will result in token expiration errors. This issue will be fixed in Docker 1.13.
For the time being, the workaround is to execute your login commands without specifying the protocol.
So in the command blob returned by aws ecr get-login:
docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
Should be replaced with this:
docker login -u AWS -p AQECAHh....b6Wk -e none 1234567890.dkr.ecr.eu-west-1.amazonaws.com
Omitting the https://should make docker work for the time being.
Solution 4:
This answer worked for me using the AWS CLI v2.0.26
https://github.com/aws/aws-cli/issues/4962#issuecomment-592064025
aws --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin xxxxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com
where us-west-2 is your region and the xxxxxxxxxxxxxx is your account ID found at the beginning of the line below "Repository Name" here: https://us-west-2.console.aws.amazon.com/ecr/create-repository?region=us-west-2