Docker registry error AWS S3 CloudFront

Expected behavior

Pulling images on docker private registry from AWS S3 using CloudFront.

Actual behavior

Pushing images works fine. When I try to pull the same image, it gives me this error:

```
error pulling image configuration: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>InvalidArgument</Code><Message>Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>null</ArgumentValue><RequestId>XXXXXX</RequestId><HostId>XXXXXXXX</HostId></Error>"
```

Additional Information

```
 Running: 1
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 1.12.6
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 7
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: host bridge overlay null
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options:
Kernel Version: 3.16.0-4-amd64
Operating System: Debian GNU/Linux 8 (jessie)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.963 GiB
Name: registry
ID: XX:XX:XX:XX:XX:XX
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No oom kill disable support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
Insecure Registries:
 127.0.0.0/8
```

I have this config.yml:

```
version: 0.1
log:
  level: debug
  fields:
    service: registry
storage:
  s3:
    accesskey: XXXXXXXXXXXXXXX
    secretkey: XXXXXXXXXXXXXXX
    region: XXXX
    bucket: XXXXXXXXXXX
    encrypt: true
    keyid: XXXXXXX-XXXXXX-XXXXXX-XXXXX
    v4auth: true
    secure: true
  cache:
    blobdescriptor: inmemory
middleware:
  storage:
    - name: cloudfront
      options:
        baseurl: XXXXXXXXXXX
        privatekey: /etc/docker/pk-XXXXXXXXXXXXXXX.pem
        keypairid: XXXXXXXXXXXXXXXXXXXX
        duration: 3000s
http:
  addr: 0.0.0.0:5000
```


I read the documentation from Docker: `https://docs.docker.com/registry/storage-drivers/s3/`
On the AWS side I applied the recommended settings from the docs.
On Google, I did not find anything that could help me.
Could you please tell me what I'm missing?

Thank you!