Docker push to ECR failing with "no basic auth credentials"

Hi guys, I’m pretty new to Docker and AWS’s ECR however, I’m stuck at pushing a Docker image to a repository I’ve created in AWS.

docker push xxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/jenkins:latest
The push refers to a repository [xxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/jenkins]
0fa94963ca33: Preparing
d5a08e31d0b0: Preparing
e726a835dee1: Preparing
9caddb0afad8: Preparing
b991ba946d1e: Preparing
2b6e8b3ec89c: Preparing
9b5807c51cc3: Preparing
2e72cd7de4f4: Preparing
31bc90a229cc: Preparing
c5dda694f21c: Waiting
de174b528b56: Waiting
579acd833b28: Waiting
2c969ffc364b: Waiting
122dbad0a7b2: Waiting
446c0d4b63e5: Waiting
338cb8e0e9ed: Waiting
d1c800db26c7: Waiting
42755cf4ee95: Waiting
no basic auth credentials

Docker login works
I believe I have given my user the correct permissions in AWS
I can create a repository in AWS ok: aws ecr create-repository --repository-name jenkins (for example) so I know I’m authenticated to my AWS account (and region) correctly. However, I can’t seem top push ANY images to AWS ECR. Fails every time with “no basic auth credentials”

Can anyone help or point me in the right direction ?

NB. My AWS environment variables are correct.

Thanks,
Tim

3 Likes

I just had the same issue. Solution was to adjust the ~/.docker/config.json to the following format:
{
“auths”: {
https://12345.dkr.ecr.eu-central-1.amazonaws.com”: {
“auth”: “QErf24…”
}
}
}

1 Like

Your problem is that the docker command given by aws-cli is slightly off.

When using docker login, docker will save a server:key pair either in your ~.docker/config or your keychain.

If it saves the key under “https://12345.dkr.ecr.eu-central-1.amazonaws.com” the lookup for the key during push will fail because docker will be looking for a server named “12345.dkr.ecr.eu-central-1.amazonaws.comnothttps://12345.dkr.ecr.eu-central-1.amazonaws.com”.

The solution therefore is to use the following wrapper to log in:
eval $(aws ecr get-login | sed 's|https://||')

This command gets the login command, replaces https:// with `` (empty string) and evaluates the resulting command. This will store the received key under the correct server and you can use it for docker push.

5 Likes

I would really encourage you to move to an External Credential Store as the .docker/config saves your passwords in cleartext.
see http://www.projectatomic.io/blog/2016/03/docker-credentials-store/

I faced the same issue and the mistake I did was using the wrong repo path
eg: docker push xxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/jenkins:latest

In the above path this is where I’ve done the mistake: “dkr.ecr.us-east-1.amazonaws.com” instead of “west”. I was using “east”. Once I corrected my mistake, I was able to push the image succesfully.

1 Like

Hi Guys, I got into the same issue like the other guys mentioned above. I’m getting “no basic auth credentials” when I tried to push my docker images to AWS ECR. I’m using docker toolbox -version 1.13.0, build 49bf474 on Windows 7. I followed the below steps to configure my docker cli with AWS ECR.

aws ecr get-login --registry-ids

docker login -u AWS -p -e none https://.dkr.ecr.us-west-2.amazonaws.com

I see the message “Login succeeded”. Also, config.json got updated with this auth key.

When I tried push the docker image using docker --config=config.json push .dkr.ecr.us-west-2.amazonaws.com/imagename:version, it failed with “no basic auth credentials”

23c0d04a137: Waiting
fe4c16cbf7a4: Waiting
no basic auth credentials

Can someone help me this problem?

2 Likes

the credentials are the problem, the solution is to set them. in the error messages you may notice the statement that says run aws credentials. I just spotted it on my terminal!
try aws configure

To me the problem was the other way arround. I had to add “https://”, not remove it.

adding --no-include-email as: eval $(aws ecr get-login --no-include-email | sed 's|https://||') did it for me

5 Likes

Just run the command given and it will work greatly. Thanks

eval $(aws ecr get-login --no-include-email | sed ‘s|https://||’)

I got that issue no basic auth credentials after upgraded to latest macOS HIGH SIERRA.

my docker config file look like:
{ "credsStore" : "ecr-login" }

So What i did:
cd amazon-ecr-credential-helper && make docker TARGET_GOOS=darwin

After it will run it will gives you somthing like

docker run --rm \ -e TARGET_GOOS=darwin \ -e TARGET_GOARCH= \ -v /Users/sunnychauhan/amazon-ecr-credential-helper/bin:/go/src/github.com/awslabs/amazon-ecr-credential-helper/bin \ sha256:e2912bdc1c49ee05ab91b2654f3b3aff57a96c784cc41cf90174632db560a743 . ./scripts/shared_env && ./scripts/build_binary.sh ./bin/local Built ecr-login

And It worked like charm.

2 Likes

This command also worked for me. I had to put --no-include-email and --region options as well.

FWIW it happened to me as well but I was using the wrong credentials. Adding --profile to the login command solved it for me.

I wasn’t able to resolve credentials in my CircleCI project. There is a special configuration section for AWS:

If it not too late, after scratching my head around this issue, the solution was just to copy and paste the output of aws ecr get-login --no-include-email --region ***** which of the form docker *** and some very long alpha-numeric passphrase. It is kind of like your credentials for your repo. Do not put your DockerHub credentials as it won’t just work.

Steps to set up Credential helper on Ubuntu.

This assumes, you have docker installed and AWS credentials available at: ~/.aws/credentials file

  1. Clone the git repository https://github.com/awslabs/amazon-ecr-credential-helper.git
  2. cd to the cloned folder “amazon-ecr-credential-helper”
  3. run the command on terminal “make docker”
  4. it will create the binary “./bin/local/docker-credential-ecr-login”
  5. Copy this binary to /usr/bin/lib with the command " sudo cp ./bin/local/docker-credential-ecr-login /usr/bin/lib/docker-credential-ecr-login
  6. Create or modify the docker config.json file available at /.docker/config.json with the below content
  {
      "credsStore": "ecr-login"
   }

then try pushing the docker image to AWS ECR repository

Ravneet Arora(DevOps)

1 Like

That solved it for me. Great

After run this command:

(aws ecr get-login --no-include-email --region us-west-2)

just run the docker login command from de output

docker login -u AWS -p epJ....

is the way that docker login into ECR

2 Likes

Yes this is a root cause. Worked for me by this.Spended couple of hours on this.

on mac OS X removing this “credsStore”: “osxkeychain”. from config.json worked for me.
@Thank you all.