Docker Community Forums

Share and learn in the Docker community.

Docker login to AWS ECR fails


(Davidmichaelkarr) #1

I’ve been stepping through a course titled “Scaling Docker for AWS”. I already use Docker for various applications within our corp network, using our private registry.

I’m using Docker 1.12.6.

At this point in the course, I’m running “aws ecr get-login” to get the docker login command line.

This gives me the following slightly elided command line:

docker login -u AWS -p ... -e none https://373103611276.dkr.ecr.us-west-2.amazonaws.com

When I run this from within our corp network, I get this:

Error response from daemon: Get https://373103611276.dkr.ecr.us-west-2.amazonaws.com/v1/users/: dial tcp 35.161.12.174:443: i/o timeout

I used “nslookup” on that fqhn, and I found that that IP address was one of three IP addresses associated with it.

I then tried doing a direct “curl” call to the given URL (adding “/v1/users/” to the end), passing the user/password as above, including “-v” for verbose output. This showed that it made a successful connection, but returned a 404.

Note that I did this within our corp firewall. I did try to change my connection, connecting to a non-corp wifi router that I know works, then editing the “http-proxy.conf” in “docker.service.d”, commenting out the two environment variable settings for http_proxy and https_proxy, and then reloading daemon and restarting the docker service and then redoing my test. The result was about the same.

What can I do to resolve this, or to get more information?


(Davidmichaelkarr) #2

I finally figured this out. What I didn’t mention in this note is that I’m doing this in a VirtualBox VM.

The only way this can work at all is if I connect without the corp firewall, using the hotspot on my phone. What I didn’t realize is that when I connect with that, I also have to change the networking connection on the VM. Within the corp firewall, it has to be NAT, but when I’m not in the corp network, it has to be bridged. Once I unset my proxy env vars, I was able to generate and successfully complete the aws ecr docker login command.


(Goffinf) #3

Just use the ECR Credentials Helper, it will take care of the login and ensure that you always have an up-to-date token (as you are no doubt aware these are valid for 12 hours). Really straightforward to configure the docker daemon for your ECR account or multiple accounts if you have them. Once configured, any time after that you do a pull or push of an image in your account namespace it will automatically engage the helper. If you combine that with an IAM profile and your ECR repo policies you can create a highly s cure but very easy to use set of repos.

HTHs

Fraser.