Using AWS's ECR get-login-password and --password-stdin with Powershell

The recommended way to authenticate docker with AWS ECR in order to push/pull images is using the following command:

aws ecr get-login-password --region us-east-1 | 
docker login --username AWS --password-stdin AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com

The problem is that it doesn’t work with powershell, resulting with the following error:

Error response from daemon: login attempt to https://AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/v2/ 
failed with status: 400 Bad Request

It works fine with CMD, but not Powershell. After searching around for solution, I found that the issue is that the first section of the script that gets the password, appends a new line to it, which causes the second part of the script to fail. I searched for a way to strip that new line from the first section with no success. This does not work:

echo $(aws ecr get-login-password --region us-east-1) |
 docker login --username AWS --password-stdin AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com

The only way I can get it working is by splitting the script into two commands, like this:

$password = aws ecr get-login-password --region us-east-1
docker login --username AWS --password $password AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com

The problem is that this approach results in the following warning:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

Any ideas/workarounds? Thanks.

1 Like

According the documentation in Powershell the command should be (Get-ECRLoginCommand).Password | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com and requires AWSPowershell to be installed.

2 Likes

Thanks. I was hoping there’s a way without using custom modules.

Nope, just tried it using AWS Powershell Tools and I get the same error. It looks like no matter what you do that first section before the pipe appends the new-line. This doesn’t work:
(Get-ECRLoginCommand).Password | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

but this does:
$password = (Get-ECRLoginCommand).Password
docker login --username AWS --password $password aws_account_id.dkr.ecr.region.amazonaws.com

But then I’m back to square one with the insecure warning: WARNING! Using --password via the CLI is insecure. Use --password-stdin

After wasting hours on this, I’ve finally found a solution. As I mentioned earlier, this works fine in CMD, so I figured I’d try to run CMD from PowerShell. Turns out you can do it like this:
cmd.exe \c "your command"

I then tried this, and it worked:

cmd.exe \c "aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin AWS_ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com"

Can you raise an issue on the Github project of the AWSPowershell module?
If it indeed is a bug, the world would want it to be fixed: Issues · aws/aws-tools-for-powershell · GitHub

As I don’t have access to an ECR registry/repo at the moment, So I can’t test it myself and fill in the details of the issue.

I submitted the issue here: Unable to pipe (Get-ECRLoginCommand).Password to --password-stdin · Issue #270 · aws/aws-tools-for-powershell · GitHub

1 Like