Docker push to ECR failing with "no basic auth credentials"

This worked fine except for one thing. I have multiple AWS profiles.
The solution for me looked like this:
eval $(aws ecr get-login --no-include-email --profile myprofilename | sed 's|https://||')

Hi. If you already have a repository for your containers in the repositories tab here https://eu-west-3.console.aws.amazon.com/ecr/ but can’t push, you are probably doing something wrong with the tagging of the container, or have login issues. For now, the ECR service page has a nice tooltip which has all the available commands, step by step, that you need for your repository and containers.
To see that tab you need to

  1. Go to the https://eu-west-3.console.aws.amazon.com/ecr/repositories
  2. Select your repository
  3. Click ‘View push commands’ button
  4. A tooltip with commands will appear - try it step by step and see if that solves your problem.

In my case it was a typo in the container name, but when I followed the tooltip commands - it started to work for me!


This step solved my issue

I had this problem too on Windows. When you open the push commands modal on the AWS ECR website it defaults to Mac OS/Linux. The commands will run but don’t actually work. Make sure to switch to the Windows instructions. Worked much better.

Maybe my stupidity will help someone else.

Thanks a lot, it worked for me as well!

Before using the push command, did you do docker login to AWS from your terminal?
If you are wondering how you can get the login cmd, did you notice that AWS itself generates this command via the aws ecr get-login command?

Do docker login -u AWS -p <hashpassword-from-aws-ecr-cmd>

and do

docker push <ecr-repo-url>

Cheers!

I was running into the same issue, and I figured out that it was because the region I was using in the command was not consistent, so please make sure you are using the same region for each command. The commands that I was using:

  1. $(aws ecr get-login --no-include-email --region ap-southeast-2)
  2. docker build -t rest-sample .
  3. docker tag rest-sample:latest 12345.dkr.ecr.ap-southeast-2.amazonaws.com/xxx/rest-sample:latest
  4. docker push 12345.dkr.ecr.ap-southeast-2.amazonaws.com/xxx/rest-sample:latest

Hope it would help.

That is the answer I was looking for as well. Thx!

#1 install python 3
#2 install pip3
#3 install aws-cli
pip3 install awscli --upgrade --user

#4 configure aws-cli with your IAM access keys, secret and REGION
aws configure

#5 get AWS ECR login
aws ecr get-login

I found that this was an issue with the docker package installed. On Ubuntu “apt-get install docker” installs the Docker CE. On CentOS “yum install docker” installs https://cbs.centos.org/koji/buildinfo?buildID=24652. The versions show completely different packages, which is why the docker push (after docker login) was failing. I simply uninstalled docker and installed “yum install docker-ce” and the “no basic auth” error no longer showed up - see details below.

If you have 1.13 you’ll need to re-install to fix the “no basic auth” message when using “docker push”:
[root@container-from-centos]# docker -v
Docker version 1.13.1, build b2f74b2/1.13.1

[root@container-from-ubuntu:16.04]# docker -v
Docker version 18.09.7, build 2d0083d

FROM https://docs.docker.com/v17.09/engine/installation/linux/docker-ce/centos/ AND in a docker centos container do:

  1. yum remove docker docker-common docker-selinux docker-engine
  2. yum-config-manager --add-repo [see documentation for url]
  3. yum install -y docker-ce

Now the version is good and we can push to ECR:
[root@container-from-centos]# docker -v
Docker version 18.09.7, build 2d0083d

  1. aws configure
  2. $(aws ecr get-login | sed -e 's/-e none//g')
  3. docker push [ECR_URI]/foo/bar-image

There have been several replies which seem to solve this problem, but the root of what the OP was looking for appears to be the need to authorize with ECR itself.

Summary of solution, run this at the command line, replace <region> with the region you are using in AWS.

aws ecr get-login --region <region> --no-include-email

this will output a command which you can then copy/paste to authenticate into AWS ECR to push your image. It will look like:

docker login -u AWS -p password https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com

Link to the docs (AWS ECR registry authorization):
https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth


Wow, that’s what I was missing. I am on Windows 10 Pro, WSL. I tried to use the git repo https://github.com/awslabs/amazon-ecr-credential-helper
and modified the .docker/config.json, but it does not work; it worked well with the tooltips.

How to sign up for trial mode? What’s the cost? And is there any software available for a CNC machine?

I was having a similar issue and the resolution was to change my ~/.docker/config.json auth section to include https:// in the link to my registry (not Amazon). By default docker wrote it in the file with no protocol. I think it was trying to use basic authorization because ssl was not specified. I am new to this so I hope that made sense.
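
The causes reported in this thread (a login made for a different region than the image tag, and the key form used in the auths section of ~/.docker/config.json) can be checked offline before pushing. The following is an added example, not code from any poster: the names diagnose and bare_host, the finding codes, the account ID and the sample config are all constructed for illustration.

```python
import json
import re

# Host shape as given in the thread: <aws_account_id>.dkr.ecr.<region>.amazonaws.com
ECR_HOST = re.compile(r"^(\d+)\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com$")

def bare_host(key):
    """Drop scheme and path so 'https://host/v2/' and 'host' compare equal."""
    return re.sub(r"^https?://", "", key).split("/", 1)[0]

def diagnose(image_ref, config, login_region=None):
    """Return (code, detail) findings for pushing image_ref with this Docker config."""
    host = image_ref.split("/", 1)[0]  # registry is the text before the first '/'
    m = ECR_HOST.match(host)
    if not m:
        return [("NOT_ECR", f"'{host}' is not an ECR registry host; check the tag")]
    account, region = m.groups()
    findings = []
    if login_region and login_region != region:
        findings.append(("REGION_MISMATCH", f"login used {login_region}, image is tagged for {region}"))
    # A per-host credHelpers entry or a global credsStore takes over credential lookup.
    helper = config.get("credHelpers", {}).get(host) or config.get("credsStore")
    if helper:
        findings.append(("HELPER", f"credentials for {host} come from docker-credential-{helper}"))
        return findings
    keys = list(config.get("auths", {}))
    same_host = [k for k in keys if bare_host(k) == host]
    if not same_host:
        findings.append(("NO_ENTRY", f"no auths entry for {host}"))
        for k in keys:  # logged in, but to another region of the same account?
            other = ECR_HOST.match(bare_host(k))
            if other and other.group(1) == account:
                findings.append(("OTHER_REGION", f"found a login for region {other.group(2)} instead"))
    elif host not in same_host:
        findings.append(("KEY_FORM", f"entry is stored as '{same_host[0]}', not as the bare host"))
    return findings

# Constructed sample config: a login exists for us-east-1 only, stored with a scheme.
SAMPLE_CONFIG = json.loads("""
{"auths": {"https://123456789012.dkr.ecr.us-east-1.amazonaws.com": {"auth": "<constructed>"}}}
""")

if __name__ == "__main__":
    image = "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/xxx/rest-sample:latest"
    for code, detail in diagnose(image, SAMPLE_CONFIG, login_region="us-east-1"):
        print(code, detail)
```

To check a real setup, load ~/.docker/config.json with json.load and pass the resulting dict as config.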

Thanks a lot alexandrchervyak, this worked for me!

I was having a similar issue. In my case I have two AWS profiles and I was using the wrong one (default). So I used the following command first: export AWS_PROFILE=<my-profile-name> and then did the push. Then it worked!

An update to the solutions provided above

The latest version of AWS CLI no longer supports get-login. If you try any of the solutions above you might get the following error message: aws: error: argument operation: Invalid choice.

In AWS CLI version 2 or in v1.17.10 or later, you must use get-login-password in the following way [source]:

aws configure #if you haven't already
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com

This will fix OPs problem.

If you are still using an old version of AWS CLI, just follow @dcoffey3296's great answer:

aws configure #if you haven't already
aws ecr get-login  --region <region>  --no-include-email
#now paste the line returned in the previous command without the '-e none' part. This was deprecated long ago and it won't work with it

Hi, did you solve it? I have the same issue =(

Attaching policy “AmazonEC2ContainerRegistryPowerUser” to your Code build role “codebuild-PROJECT_NAMEservice-role” should solve the issue.

That tooltip saved me! thx friend