'docker login ...' to private AWS repo does not populate config.json correctly

Expected behavior

When I attempt to log in to our docker registry on AWS, I execute a ‘docker login …’ command. After this command completes, my ~/.docker/config.json file should be populated with the registry address and an ‘auth’ token, like so:

{
	"auths": {
		"https://xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com": {
			"auth": "abcdefghijklmnopqrstuvwxyz1234567890="
		}
	}
}

When the ~/.docker/config.json is like this, I issue the following command:

docker pull xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/[image]:[tag]

This command works just fine.

Actual behavior

After the ‘docker login …’ command, my ~/.docker/config.json file looks like:

{
	"auths": {
		"https://xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com": {}
	},
	"credsStore": "wincred"
}

When the ~/.docker/config.json is like this, I issue the following command:

docker pull xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/[image]:[tag]

This command yields the following output:

Using default tag: latest
Pulling repository xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/my-image
unauthorized: authentication required

If I then try to pull an image from the Docker registry, it works just fine:

docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
8ddc19f16526: Pull complete
Digest: sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6
Status: Downloaded newer image for busybox:latest

When

Information

My current Docker version is:
Docker version 1.12.0-rc2, build 906eacd, experimental

This was tried against the following regions on Amazon AWS:
us-east-1
us-west-2

  • the output of:
    • Moby Notification > Diagnose & Feedback on Windows
  • a reproducible case if this is a bug, Dockerfiles FTW
  • page URL if this is a docs issue or the name of a man page
  • host distribution and version ( OSX 10.10.x, OSX 10.11.x, Windows, etc )

Steps to reproduce the behavior

  1. On Windows, run ‘docker login …’ against your private registry.
  2. Run ‘docker pull [registry]/[image]:[tag]’

You should get the following error:

Using default tag: latest
Pulling repository xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/my-image
unauthorized: authentication required

On a related note the entire credential store appears to be ignored by Docker Compose - it cannot find any of our private repos. I have to ‘docker pull’ by hand and then launch the Compose file.

I think this might be a problem with the credentialhelper: https://github.com/docker/docker/issues/22910

Also see: [solved] Unable to docker pull from private gcr repo
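
An added diagnostic example, not part of the original thread or of Docker's own code: it reads a config.json like the two shown above and reports, per registry, whether the credential is stored inline under ‘auth’ or delegated to a `docker-credential-<name>` helper executable, and whether that helper is on PATH. It goes slightly beyond the post by also honouring the per-registry `credHelpers` key; the registry hostname and sample credentials are constructed.

```python
import base64
import json
import os
import shutil

# Constructed samples mirroring the two config.json states in the post.
INLINE = '{"auths": {"https://registry.example.invalid": {"auth": "dXNlcjpwYXNz"}}}'
DELEGATED = ('{"auths": {"https://registry.example.invalid": {}},'
             ' "credsStore": "wincred"}')


def classify(config_text, which=shutil.which):
    """Map each registry in a Docker config.json to where its credential lives."""
    cfg = json.loads(config_text)
    auths = cfg.get("auths", {})
    store = cfg.get("credsStore")          # global helper, e.g. "wincred"
    helpers = cfg.get("credHelpers", {})   # per-registry helpers
    report = {}
    for reg in sorted(set(auths) | set(helpers)):
        helper = helpers.get(reg) or store
        auth = auths.get(reg, {}).get("auth")
        if helper:
            # An empty "auths" entry is expected here: the secret is held by
            # the helper binary, which the client must be able to execute.
            binary = "docker-credential-" + helper
            found = which(binary) is not None
            report[reg] = ("helper", binary, "on PATH" if found else "NOT on PATH")
        elif auth:
            # Inline auth is base64("user:password"): encoded, not encrypted.
            user = base64.b64decode(auth).decode().split(":", 1)[0]
            report[reg] = ("inline", user, "base64 only, not encrypted")
        else:
            report[reg] = ("missing", None, "no auth and no helper configured")
    return report


if __name__ == "__main__":
    path = os.path.join(os.path.expanduser("~"), ".docker", "config.json")
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = DELEGATED  # fall back to the constructed sample
    for registry, (kind, detail, note) in classify(text).items():
        # Only the username or helper name is printed, never the secret.
        print(f"{registry}: {kind} ({detail}) - {note}")
```

A "helper ... NOT on PATH" result for a registry whose pulls return "unauthorized" points at the credential helper rather than at the registry.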