Docker Community Forums

Share and learn in the Docker community.

Docker buildx 401 Unauthorized exporting to image


I’m having an issue trying to do a docker buildx build and push to an ECR private repository. I created by buildx builder with:
docker buildx create --name mybuilder --driver docker-container --driver-opt image=moby/buildkit:v0.9.3 --platform linux/arm64,linux/amd64 --use

For my docker build I do:
docker buildx build --platform linux/arm64,linux/amd64 --no-cache --build-arg MYIMAGE=myimage -t my-repo:1.1.1 --push .
My build runs for about 10 min and eventually errors out after pushing layers with:

ERROR: unexpected status: 401 Unauthorized
> exporting to image:
error: failed to solve: unexpected status: 401 Unauthorized

Thought by supplying the --driver-opt image=moby/buildkit:v0.9.3 would fix this, but doesn’t look like it is working. Has anyone had any luck resolving this error? Any help would be greatly appreciated.

Have you used docker login to login to the ECR registry?

The ECR authorization token received by aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION} expires after 12 hours. Also make sure your IAM user/role has the priviliges in place to push images and that the repo exists in your accounts private ECR registry.

1 Like

Thanks for the replies! So looks like how I was logging into ECR was the issue. Using aws ecr get-login-password | docker login works compared to what I was previously using which was aws ecr get-login. What’s strange though is that I’m using the aws ecr get-login with buildx in another project and it works fine. This particular project has a longer build time, but no where near 12 hours.

The only explaination I can see is that the old project used the aws-cli 1.x, while you current project uses aws-cli 2.x.
aws ecr get-login is deprecated since 1.17.10
aws ecr get-login-password is available in version 2 or in v1.17.10+