Hi,

I’m trying to publish images to AWS ECR, however I’m getting the following error during my jenkins build. Any suggestions? This is docker v4.11.1 running on Windows.

docker run --rm -v C:\Users\build/.aws:/root/.aws -e AWS_DEFAULT_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY amazon/aws-cli ecr get-login-password | docker login --username AWS --password-stdin xxx.dkr.ecr.us-east-1.amazonaws.com
Error saving credentials: error storing credentials - err: exit status 1, out: `error getting credentials - err: exit status 1, out: `A specified logon session does not exist. It may already have been terminated.``

Could you find any relevant issue searching for the error message on the net? Since don’t know much about AWS and someone else later may give you a much better answer, I just leave this link here. Not a Docker issue, but it might give you an idea: “a specified logon session does not exist. it may already have been terminated” - Microsoft Q&A

If AWS requires a token that could be expired too.

Oh it has zero to do with AWS, it’s something in Docker as that it works fine without docker.

e.g.

C:\J\ws\OS>aws ecr get-login-password | docker login --username AWS --password-stdin x.dkr.ecr.us-east-1.amazonaws.com
Login Succeeded

You still use Docker to login, only the standard input is not coming from the output of an other container.
My guess is that the first container using the aws-cli image returns an output containing some special characters that you can or can’t see, but the second container will get a wrong password. Since everything else seems to be the same, this is my only idea for now. Since the output of the docker container is a preprocessed output and does not directly come from the process inside the container, sometimes it contains different line breaks. Since you are working on Windows, I don’t know how Docker Desktop handles these pipes. I had issues with this on Linux too.

Cool thanks. I’ll open a bug with Docker so they can fix it.

Did you confirm my theory? Just to be clear. In case of Linux hosts, I am not sure it was a bug. It was a known issue, but it happened with interactive terminal I think. I don’t have time now, but later I can test my Docker Desktop on Windows after work.

It’s a bug in Docker’s wincred program, swapping that out for ecr-login it doesn’t have the same issue. I filed a bug here Docker login fails with: Error saving credentials: error storing credentials - err: exit status 1, out: `error getting credentials - err: exit status 1, out: A specified logon session does not exist. It may already have been terminated. · Issue #12888 · docker/for-win · GitHub

It is like @rimelek wrote, the | will redirect the ouput to the build runner, and execute the next command on the buid runner - not inside the container. And since you don’t enable the stdout stream, the next command has no input from stdin stream. Of course this is not going to work.

For instance, this would work to have the docker login working in the container (not sure what sense it makes, but it would work):

docker run -ti --rm --entrypoint ""  amazon/aws-cli bash -c 'aws ecr get-login-password | docker login --username AWS --password-stdin xxx.dkr.ecr.us-east-1.amazonaws.com' 

What’s the big picture here? Is it for a linux or windows image? Is the Windows host the build runner or does Jenkins use a docker build runner?

That’s not correct, the pipe works fine. The error as you can see is from wincred not properly supporting windows security when not run from an interactive shell, the whole login process works up until wincred tries to save the token.

You are right, this part is not correct:

I have no idea how I came up with it. Probably I confused it with how stdin works, which requires the -a parameter to work