61

I'm trying to push a docker image to the AWS ECR repository using the aws-cli.

  • I just run the get-login command
  • execute the output (which returns login succeeded)
  • then try to push a docker image then I get the message:
    denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.

I don't know what's going wrong: I'm pushing to the right repo, and the time on my Mac is correct. This was working before, but since I reinstalled my Mac and upgraded to macOS Sierra it's not working anymore, so it's probably related to that.

My aws --version output:

aws-cli/1.11.34 Python/2.7.10 Darwin/16.3.0 botocore/1.4.91

The complete output of the commands I run:

$ aws ecr get-login --region eu-west-1
docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
$ docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
Flag --email has been deprecated, will be removed in 1.13.
Login Succeeded
$ docker push 1234567890.dkr.ecr.eu-west-1.amazonaws.com/service-web:latest
The push refers to a repository [1234567890.dkr.ecr.eu-west-1.amazonaws.com/service-web]
c1f87971dfa9: Preparing 
2eb644aea3de: Preparing 
9c8843ffe48e: Preparing 
39bb58d049d4: Preparing 
f053bc969599: Preparing 
7169084246b8: Waiting 
bb134a1936fd: Waiting 
184e76848a1c: Waiting 
75c8fcf65748: Waiting 
eb9b9ee1ea58: Waiting 
f4bf35723edd: Waiting 
ddffe1a64b3c: Waiting 
fd1a1154db16: Waiting 
b542e946067a: Waiting 
d49ed2a5e1ed: Waiting 
bb39b980367a: Waiting 
25b8358d062f: Waiting 
997eee521fc7: Waiting 
50b5447183a8: Waiting 
4339b5cb0e1d: Waiting 
3dbd4a53b21b: Waiting 
2bec16216500: Waiting 
b9fd8e264df6: Waiting 
b6ca02dfe5e6: Waiting 
denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.
Ludo - Off the record
  • This can also happen when your access ID & key has been deleted and you need to generate a fresh one in eg the IAM console. – tex Jan 19 '18 at 16:03

27 Answers

51

Neither of the solutions above worked for me, but I found that when I set the region in the ecr login command it worked.

aws ecr get-login --region us-west-2

Kamil Wojcik
  • 1
    This solved it for me too. I think the reason in my case was that the ECR I was trying to push to was in a different region to what my default was in `~/.aws/config`. – Malvineous Sep 18 '17 at 11:46
  • For me it was `us-west-1` at the end, instead of `us-west-2`, in line with the user credentials I'd submitted to `aws configure`. – olisteadman Sep 05 '19 at 09:43
  • get-login is deprecated. I added an updated answer here: https://stackoverflow.com/questions/41379808/authorization-token-has-expired-issue-aws-cli-on-macos-sierra/62736623#62736623 – Josh Wolff Jul 05 '20 at 03:51
47

You might just be running the command and not pasting the command that is echo'd out from that command back into the terminal. Easy mistake to make. Once you run:

aws ecr get-login --no-include-email --region us-east-1

It will print out another command to run, you'll need to copy that command and run it in your terminal to authenticate fully.

Or a cool shortcut is to just pipe the echo'd command back into the shell with:

aws ecr get-login --no-include-email --region us-east-1 | sh

Dakota Hipp
  • this works but raises a warning "WARNING! Using --password via the CLI is insecure. Use --password-stdin." – C8H10N4O2 Apr 21 '20 at 00:53
27

Latest versions of Docker use a new credentials storage feature which has a bug where doing a docker login with a URL that specifies a protocol will result in token expiration errors. This issue will be fixed in Docker 1.13.

For the time being, the workaround is to execute your login commands without specifying the protocol.

So in the command blob returned by aws ecr get-login:

docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com

Should be replaced with this:

docker login -u AWS -p AQECAHh....b6Wk -e none 1234567890.dkr.ecr.eu-west-1.amazonaws.com

Omitting the https:// should make Docker work for the time being.

wkl
  • Removing the scheme didn't work. When I removed it it didn't login at all, it just hangs. I also tried adding http:// instead of https:// but also didn't work, and tried to add :443 instead of the https:// scheme, but no luck. – Ludo - Off the record Dec 29 '16 at 21:35
  • 3
    It doesn't work for me, with Docker 1.13 on Ubuntu Yakkety. Removing "https://" makes no difference, it says it succeeded but causes the same error when pushing. :( – Serandel Jan 30 '17 at 14:34
  • 1
    This fixed things for me with docker-machine on OS X, client & server version 1.12.6. Thanks! – mdjnewman Jan 31 '17 at 23:16
  • 1
    Did not work for me using the latest Docker Toolbox. (v1.13.1) – mmla Feb 21 '17 at 22:35
  • 1
    Thanks this worked for me. In my deployment script I did the following: aws_login=$(aws ecr get-login) aws_login=${aws_login//https:\/\//} – mattmc Mar 20 '17 at 17:46
  • I'm facing the same problem with elastic beanstalk. When I ssh into the instance and remove 'https://', it works (however elastic beanstalk doesn't persist changes made during an ssh session). Do you know of any method to fix this long-term on beanstalk? Full details: https://forums.aws.amazon.com/message.jspa?messageID=782827 – mjalajel May 08 '17 at 01:10
  • This worked for me too. Setting the region did not work as told by Kamil. – sai karthik Jul 02 '17 at 21:37
13

You need to refresh your authorization token every 12 hours. Try:

$(aws ecr get-login --no-include-email --region us-east-1) - change region according to your configuration

zooblin
  • You do not need to refresh your token every 12 hours – Josh Wolff Jul 05 '20 at 03:33
  • The token is valid for 12 hours, but you do not need to refresh it manually every 12 hours. https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html – Josh Wolff Jul 05 '20 at 03:38
9

You also get the message "Your Authorization Token has expired" if you have more than one set of credentials in ~/.aws/credentials (path depending on your OS) and forget to add the --p flag.

Use this command to get login:

aws ecr get-login --region eu-west-1 -p <yourprofilename>
Gordon Bean
Nik
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/low-quality-posts/17260115) – Tamás Sengel Sep 07 '17 at 09:32
  • Thanks for the feedback. Updated my answer. Hope now it's clear. – Nik Sep 08 '17 at 16:53
  • Whilst this gives you a token, the token is only valid for 12 hours. Which is not good for CI. Is there a way to increase the expiry of the token? – MarzSocks Nov 08 '17 at 09:10
  • it should be either "-p " or "--profile " and not --p like you suggest. – Ludo - Off the record Apr 13 '18 at 11:43
8

Just had the same issue on Linux Mint 18.1 (Ubuntu 16.04) with AWS ECR and latest Docker 17.06.1-ce used via latest Python Docker client 2.5.1. Login worked, push failed.

Removal of ~/.docker/config.json helped. It only contained a, probably stale, authorisation token.

I don't think it has anything to do with the underlying OS. In my case it worked previously and the only change I can recall was an upgrade from the Ubuntu repo's docker.io 1.12 to the Docker repo's docker-ce 17.06.

saaj
7

This answer worked for me using the AWS CLI v2.0.26

https://github.com/aws/aws-cli/issues/4962#issuecomment-592064025

aws --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin xxxxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com

where us-west-2 is your region and the xxxxxxxxxxxxxx is your account ID found at the beginning of the line below "Repository Name" here: https://us-west-2.console.aws.amazon.com/ecr/create-repository?region=us-west-2

Josh Wolff
6

I've had luck using eval. For example,

$ aws ecr get-login --region us-east-1 --no-include-email --profile username_env 

Didn't work.

$ eval $(aws ecr get-login --region us-east-1 --no-include-email --profile username_env)

Did work.

Ryan
  • Yes, exactly! Actually `aws ecr get-login --no-include-email` just returns the command to login as `docker login -u AWS -p `. In order to run the command `eval $(...)` is necessary. – Akif Jan 27 '20 at 06:05
6

Simple Command:

password=$(aws ecr get-login-password --region us-east-1)
echo "$password" | docker login --username AWS --password-stdin 787566098823.dkr.ecr.us-east-1.amazonaws.com
Mohamed Jawad
5

The following steps worked for me. First, run

aws ecr get-login --region us-west-2

You will get an output which returns:

docker login -u AWS -p AQECAHh....b6Wk -e none 1234567890.dkr.ecr.eu-west-1.amazonaws.com

Now, remove "-e none" from the above result and run the command again.

You will be able to login successfully.

Now, try pushing your docker image and it will work!

  • 1
    What's the purpose of removing `-e none`? – Ashwani Agarwal Jun 12 '20 at 04:52
  • This only works in CLI v1 and is not the preferred way going forward. Better use the `get-login-password` version which is available from 1.17.10. See https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html#cliv2-migration-ecr-get-login – supernova Dec 15 '20 at 12:29
4

I was also getting the same error; below is the solution I tried, and it is working:

  1. Run command: aws ecr get-login --no-include-email --region ap-southeast-1 (change region as per your repository)
  2. You will get output something like: docker login -u AWS -p xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx== https://youraccountid.dkr.ecr.ap-southeast-1.amazonaws.com

Remove "https://" and then run the command as docker login -u AWS -p xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx== youraccountid.dkr.ecr.ap-southeast-1.amazonaws.com

And it will work and you will be able to push the image.

rakhim
4

In my case the issue was multiple credentials in ~/.aws/credentials, so I used --profile

aws ecr get-login --no-include-email --region us-east-2 --profile xxxx

This worked for me.

Chetan kapoor
  • Profile was my issue too. after a long weekend, I forgot that I usually set an env variable and didn't realize that I had forgotten to do it again – tavor999 Aug 26 '19 at 13:58
3

This happened when I was trying to push/pull from a registry in another AWS account. I needed to run get-login with the --registry-ids flag, passing in the ID of the registry I wanted to log into.

spiffytech
3

I just wanted to post the official migration link as I believe it'll be most up to date if things change:

https://docs.aws.amazon.com/cli/latest/userguide/cliv2-migration.html#cliv2-migration-ecr-get-login

It states

$(aws ecr get-login --no-include-email)

should be replaced by

aws ecr get-login-password | docker login --username AWS --password-stdin MY-REGISTRY-URL

This is due to potential password exposure in the CLI. It's worth mentioning you can migrate to the new method from CLI version 1.17.10 for a smooth migration to 2.X

supernova
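The fixes from the answers above (using the registry's own region, dropping the https:// scheme, selecting a profile, and feeding the token through --password-stdin) combined into one helper, as an added example that is not part of any answer. The function names are hypothetical, the 12-digit account ID is constructed, and it assumes a CLI that has get-login-password (1.17.10 or later, per the answer above) and a registry host ending in .amazonaws.com.

```shell
#!/bin/sh
# Added example: function names are hypothetical; the account ID is constructed.

# Strip an http(s):// scheme and any /repository:tag suffix, leaving the host.
ecr_host() {
    h=${1#https://}; h=${h#http://}
    printf '%s\n' "${h%%/*}"
}

# Print "<account-id> <region>" for a private ECR host; return 1 otherwise.
# Assumes the standard partition (hosts ending in .amazonaws.com).
ecr_parse() {
    host=$(ecr_host "$1")
    case $host in
        *.dkr.ecr.*.amazonaws.com) ;;
        *) return 1 ;;
    esac
    acct=${host%%.*}
    rest=${host#*.dkr.ecr.}
    region=${rest%.amazonaws.com}
    case $acct in ''|*[!0-9]*) return 1 ;; esac
    [ "${#acct}" -eq 12 ] || return 1        # AWS account IDs are 12 digits
    case $region in ''|*[!a-z0-9-]*) return 1 ;; esac
    printf '%s %s\n' "$acct" "$region"
}

# Return 0 and print a hint when the region the CLI would default to ($2, or
# the AWS_REGION / AWS_DEFAULT_REGION variables) differs from the registry's.
ecr_region_mismatch() {
    parsed=$(ecr_parse "$1") || return 2
    want=${parsed#* }
    have=${2:-${AWS_REGION:-${AWS_DEFAULT_REGION:-}}}
    [ -n "$have" ] && [ "$have" != "$want" ] || return 1
    printf 'registry is in %s but the CLI default is %s\n' "$want" "$have"
}

# Log in with the region taken from the host name and the token passed on
# stdin, so it never appears in argv, shell history or `ps` output.
# $2 is an optional named profile from ~/.aws/credentials.
ecr_login() {
    parsed=$(ecr_parse "$1") || { echo "not an ECR registry: $1" >&2; return 2; }
    aws ecr get-login-password --region "${parsed#* }" ${2:+--profile "$2"} |
        docker login --username AWS --password-stdin "$(ecr_host "$1")"
}

# Offline demo on a constructed reference; ecr_login itself is not called here.
ref='https://123456789012.dkr.ecr.eu-west-1.amazonaws.com/service-web:latest'
ecr_parse "$ref"
ecr_region_mismatch "$ref" us-east-1 || true
```

Call it as `ecr_login <registry-or-image-ref> [profile]`; a reference that is not a well-formed ECR host is rejected before any token is requested.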
2

I was using the stable version of docker for mac Version 1.12

I just upgraded to the beta version Version 1.13.0-rc4-beta34.1 (14853) and now it all works as intended.

So if there are people with the same issue, make sure you use docker for mac version 1.13 or higher, if 1.13 isn't released yet, switch to the beta version.

Ludo - Off the record
2

Most of the above solutions won't work if you are on aws-cli/2.0.0

For me, I have aws-cli/2.0.0 Python/3.8.1 Darwin/19.4.0 botocore/2.0.0dev4

What worked for me was to re-login. If you are on aws-cli/2.0.0 then the following might work for you as well:

aws ecr get-login-password | docker login --username AWS --password-stdin $IMAGE_PATH

letsBeePolite
  • aws-cli/v2 removed flag `--no-include-email`. In my case, I use ECR's TOKEN for Azure Pipeline CICD, it expires everyday that disturbs my CICD flow. Any idea for this case. – Khoa May 20 '20 at 03:45
1

The problem is because the aws ecr get-login command retrieves a token that is valid for a specified registry for 12 hours, and then it prints a docker login command with that authorization token and we are not executing that command that we get back.

We need to execute this printed command to log in to your registry with Docker. In my case, I am using eval to execute the printed command that I get back from aws ecr get-login, like this:

eval $(aws ecr get-login --region eu-west-1 --profile )

umenon
1

This is the current format I believe, assuming you're trying to get access for Docker:

    aws ecr get-login-password \
        --region REGION \
    | docker login \
        --username AWS \
        --password-stdin ACCESS_ID.dkr.ecr.REGION.amazonaws.com
Dylan Reich
0

I know the post is related to MacOS Sierra, but for those who have the problem on Windows, I performed the following:

1) aws ecr get-login, this command will output a long string

docker login -u AWS -p eyJwYXlsb2FkIjoiUXBnQ2FTV1B6Q1JqZGlH......(Omitted the whole line for better understanding) -e none https://xxxxxxx.dkr.ecr.us-east-1.amazonaws.com.

2) Copy and paste the above line (perhaps -e none won't work, so remove it too). The output will show a warning followed by a success: WARNING! Using --password via the CLI is insecure. Use --password-stdin Login Succeeded

If you need to use a secure way, use the --password-stdin

3) Now you can safely push the image -docker push xxxxxxx.dkr.ecr.us-east-1.amazonaws.com/ecfs-test

0429f33dd264: Pushed
48accfb13167: Pushed
f3bb6dd29c05: Pushed
e58ae65fa4eb: Pushed
3c6037fae296: Pushed
3efd1f7c01f6: Pushed
73b4683e66e8: Pushed
ee60293db08f: Pushed
9dc188d975fd: Pushed
58bcc73dcf40: Pushed
latest: digest: sha256:4354d137733c98a1bc8609d2d2f8e97316373904e size: 2404

Maybe this solution will work on Mac too.

hlopezvg
0

A warning: aws ecr get-login does not appear to connect to AWS servers and appears to work even if you have bad AWS access/secret keys or even if you have forgotten to enter your AWS access/secret keys as environmental variables.

It will still happily give you a long password without providing an error. The message, then, you get from AWS is an expiration error instead of a more correct and helpful "authorization incorrect."

Note: Using aws-cli version 1.11.112.

Mike Biglan MS
  • Given the AWS CLI needs to call the [GetAuthorizationToken](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_GetAuthorizationToken.html) API action, this doesn't seem to make sense, and I'm unable to reproduce this accordingly, are you? When I deliberately invalidate an access key by changing a character, the AWS CLI 1.16.190 yields the appropriately phrased error message `An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.`. – Steffen Opel Jul 10 '19 at 20:58
0

Another solution variant for this particular error is a missing --registry-ids argument to the aws ecr get-login invocation.

The full get-login invocation would be something like:

eval "$(aws ecr get-login --no-include-email \
  --region us-east-1 \
  --registry-ids 11223344 \
)"

Please substitute your own region and registry ID values.

rud
0

The question mentions that login had succeeded but docker push had failed.

The two possible reasons for the above condition are:

  1. The AWS credentials are expired. Go to the AWS console or use aws-cli to generate a new pair. Store them in the environment or in ~/.aws/credentials file.
  2. You might be using the wrong AWS credentials from a different account. Temporarily set AWS_ACCESS_KEY, AWS_SECRET_ACCESS_KEY, and AWS_REGION with credentials of account where ECR repository exists.

ECR repositories which are associated with an account work only with that account's credentials.

Always make sure which AWS credentials are being used for the operation. Check environment variables and ~/.aws/credentials to confirm it.

Naren Yellavula
0

This is what worked for me. I was using Docker for Windows. The problem appeared to be with the docker configuration. In particular with how the credentials were stored. If you look in ~/.docker/config.json, it might look something like this:

{
        "auths": {
                "XXXX.dkr.ecr.us-east-1.amazonaws.com": {}
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.5 (windows)"
        },
        "credsStore": "desktop",
        "stackOrchestrator": "swarm"
}

If you delete the credsStore line and try logging in again with

docker login -u AWS -p "XXX...the really long password here..XXX" https://XXXX.dkr.ecr.us-east-1.amazonaws.com

you should see something like this:

{
        "auths": {
                "XXXX.dkr.ecr.us-east-1.amazonaws.com": {
                        "auth": "XXX...the really long password here..XXX"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.5 (windows)"
        },
        "stackOrchestrator": "swarm"
}

Annoyingly, I have to do this each time, as Docker adds the credsStore line back in again.

erncyp
0

I was getting this error because I have multiple profiles. The profile flag solved it for me:

$(aws ecr get-login --no-include-email --region us-west-2 --profile xxxx)

Michael F
0

In my case the below script worked for aws version aws-cli/2.0.8

    aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin ${aws_account_id}.dkr.ecr.${region}.amazonaws.com
onlyme
0

aws ecr get-login seems not to be supported anymore.

I had to use get-login-password instead:

aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <ACCESS_ID>.dkr.ecr.<REGION>.amazonaws.com
JFW
0

For AWS CLI 2.0 use the following

aws ecr get-login-password \
    --region <region> \
| docker login \
    --username AWS \
    --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com

from https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html

james.c.funk