我正在尝试将docker映像推送到Amazon ECR注册表。我使用docker客户端docker版本1.9.1,构建a34a1d5。我使用aws ecr get-login -region us-east-1来获得docker登录信用。然后我成功登录这些学分如下:
docker login -u AWS -p XXXX -e none https://####.dkr.ecr.us-east-1.amazonaws.com
WARNING: login credentials saved in /Users/ar/.docker/config.json
Login Succeeded
但当我试图推动我的图像,我得到以下错误:
$ docker push ####.dkr.ecr.us-east-1.amazonaws.com/image:latest
The push refers to a repository [####.dkr.ecr.us-east-1.amazonaws.com/image] (len: 1)
bcff5e7e3c7c: Preparing
Post https://####.dkr.ecr.us-east-1.amazonaws.com/v2/image/blobs/uploads/: no basic auth credentials
我确保aws用户具有正确的权限。我还确保存储库允许用户推送到它。为了确保这不是一个问题,我将注册表设置为允许所有用户完全访问。没有什么可以改变“no basic auth credentials”错误。我不知道如何开始调试,因为所有的流量都是加密的。
更新
So I had a bit of Homer Simpson D'Oh moment when I realized the root cause of my problem. I have access to multiple AWS accounts. Even though I was using aws configure to set my credentials for the account where I had setup my repository the aws cli was actually using the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. So when I did aws ecr get-login it was returning a login for the wrong account. I failed to notice that the account numbers were different until I just went back now to try some of the proposed answers. When I remove the environment variables everything works correctly. I guess the motto of the story is if you hit this error, make sure that the repository you are logging into matches the tag you have applied to the image.
我遇到这个问题的原因不同:我需要推送到一个与我的AWS帐户不关联的注册表(一个客户的ECR注册表)。客户已经在注册表的权限选项卡下授予了我访问权限,通过添加我的IAM id(例如,arn:aws: IAM::{aws acct#}:user/{Username})作为主体。我试着按常规步骤登录:
$(aws ecr get-login --region us-west-2 --profile profilename)
docker push {Client AWS ACCT #}.dkr.ecr.us-west-1.amazonaws.com/imagename:latest
这当然会导致没有基本的认证凭证。事实证明,aws ecr get-login将您登录到与您的登录相关联的注册中心的ecr,这在回顾中是有意义的。解决方案是告诉aws ecr get-login您想登录到哪个注册中心。
$(aws ecr get-login --region us-west-2 --profile profilename --registry-ids {Client AWS ACCT #})
在那之后,docker push工作得很好。
Docker CLI不支持原生IAM鉴权方法。要验证和授权Docker推拉请求,请遵循此步骤。
步骤- 1
检查aws凭证是否正确配置。要配置AWS凭据,运行以下命令并提供AWS凭据。
aws configure
步骤- 2
你可以使用get-login-password将Docker认证到Amazon ECR私有注册表(推荐)
Linux和MSC
aws ecr get-login-password --region <your region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<your region>.amazonaws.com
对于windows
(Get-ECRLoginCommand).Password | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.<your region>.amazonaws.com
or
您也可以使用——get-login方法(但是暴露凭据)(不推荐)。
Linux和MAC
$(aws ecr get-login --region <your region> --no-include-email)
对于windows
Invoke-Expression -Command (Get-ECRLoginCommand -Region <your region>).Command
如果你的登录成功,那么你就可以开始了。否则,请参考aws文档查看错误
步骤- 3
将您的映像推到回购
标记你的图像
Docker标签<aws_account_id>.dkr.ecr..amazonaws.com/my-web-app
使用以下命令推送图像。
Docker push <aws_account_id>.dkr.ecr..amazonaws.com/my-web-app
注意:这是基于令牌的登录和生成的授权令牌
仅12H有效
确保您在本地运行Docker的用户就是您最终用于推送映像的用户。对我来说,使用sudo导致了这个问题。从命令中删除sudo可以解决这个问题。希望这能帮助和节省一些人的时间,没有人再犯同样愚蠢的错误。以下是输出,供您参考。
sudo docker push {your-account-id}.dkr.ecr.us-east-1.amazonaws.com/{repository-name}:{tag-name}
The push refers to repository [{your-account-id}.dkr.ecr.us-east-1.amazonaws.com/{repository-name}]
f13afaa342eb: Preparing
d01b75ce3235: Preparing
7eaa58141607: Preparing
519e8c5b2557: Preparing
15d4a3a33fec: Preparing
fdbbf41b1ab8: Waiting
4b88ecda5399: Waiting
e23a8e1e773f: Waiting
6623e2cc11cd: Waiting
no basic auth credentials
不带sudo跑步完全没问题
docker push {your-account-id}.dkr.ecr.us-east-1.amazonaws.com/{repository-name}:{tag-name}
The push refers to repository [{your-account-id}.dkr.ecr.us-east-1.amazonaws.com/{repository-name}]
f13afaa342eb: Pushed
d01b75ce3235: Pushed
7eaa58141607: Pushed
519e8c5b2557: Pushed
15d4a3a33fec: Pushed
fdbbf41b1ab8: Pushed
4b88ecda5399: Pushed
e23a8e1e773f: Pushed
6623e2cc11cd: Pushed
{tag-name}: digest: sha256:5ceaa5bf7605559582960b6d56a8eece9486ce0950bca9dd63a0dcd38a520bf0 size: 4293