我正在尝试将docker映像推送到Amazon ECR注册表。我使用docker客户端docker版本1.9.1,构建a34a1d5。我使用aws ecr get-login -region us-east-1来获得docker登录信用。然后我成功登录这些学分如下:
docker login -u AWS -p XXXX -e none https://####.dkr.ecr.us-east-1.amazonaws.com
WARNING: login credentials saved in /Users/ar/.docker/config.json
Login Succeeded
但当我试图推动我的图像,我得到以下错误:
$ docker push ####.dkr.ecr.us-east-1.amazonaws.com/image:latest
The push refers to a repository [####.dkr.ecr.us-east-1.amazonaws.com/image] (len: 1)
bcff5e7e3c7c: Preparing
Post https://####.dkr.ecr.us-east-1.amazonaws.com/v2/image/blobs/uploads/: no basic auth credentials
我确保aws用户具有正确的权限。我还确保存储库允许用户推送到它。为了确保这不是一个问题,我将注册表设置为允许所有用户完全访问。没有什么可以改变“no basic auth credentials”错误。我不知道如何开始调试,因为所有的流量都是加密的。
更新
So I had a bit of Homer Simpson D'Oh moment when I realized the root cause of my problem. I have access to multiple AWS accounts. Even though I was using aws configure to set my credentials for the account where I had setup my repository the aws cli was actually using the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. So when I did aws ecr get-login it was returning a login for the wrong account. I failed to notice that the account numbers were different until I just went back now to try some of the proposed answers. When I remove the environment variables everything works correctly. I guess the motto of the story is if you hit this error, make sure that the repository you are logging into matches the tag you have applied to the image.
我遇到这个问题的原因不同:我需要推送到一个与我的AWS帐户不关联的注册表(一个客户的ECR注册表)。客户已经在注册表的权限选项卡下授予了我访问权限,通过添加我的IAM id(例如,arn:aws: IAM::{aws acct#}:user/{Username})作为主体。我试着按常规步骤登录:
$(aws ecr get-login --region us-west-2 --profile profilename)
docker push {Client AWS ACCT #}.dkr.ecr.us-west-1.amazonaws.com/imagename:latest
这当然会导致没有基本的认证凭证。事实证明,aws ecr get-login将您登录到与您的登录相关联的注册中心的ecr,这在回顾中是有意义的。解决方案是告诉aws ecr get-login您想登录到哪个注册中心。
$(aws ecr get-login --region us-west-2 --profile profilename --registry-ids {Client AWS ACCT #})
在那之后,docker push工作得很好。
如果为了CI/CD目的隔离AWS帐户,并且在多个AWS帐户之间共享一个ECR存储库,则可能需要更改~/.docker/配置。手动json。
假设你有这些设置:
ECR由AWS帐户ID 00000000000000拥有
CI服务器属于AWS帐户ID 99999999999999
如果您在CI服务器中调用aws ecr get-login——region us-west-2 | bash, docker将在~/.docker/config.json中生成临时凭证。
{
"auths": {
"https://99999999999999.dkr.ecr.us-west-2.amazonaws.com": {
"auth": "long-token.."
}
}
}
但是您希望指向ECR的帐户,因此需要更改主机名。
{
"auths": {
"https://00000000000000.dkr.ecr.us-west-2.amazonaws.com": {
"auth": "long-token.."
}
}
}
注意,这种情况取决于您如何形成IAM用户/策略以允许ECR访问。
这只是为了防止有人像我一样从来没有读过F手册
我遵循了上面建议的所有步骤,比如
aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 123456789.dkr.ecr.eu-west-1.amazonaws.com
而且总是没有基本的认证证书
我创建了一个名为
123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace
并试图推广一个叫alpine:latest的图片
123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine:latest
2c6e8b76de: Preparing
9d4cb0c1e9: Preparing
1ca55f6ab4: Preparing
b6fd41c05e: Waiting
ad44a79b33: Waiting
2ce3c1888d: Waiting
no basic auth credentials
愚蠢的错误在我的代表,因为我必须创建一个注册表在ecr使用完整的容器路径。
我使用完整的容器路径创建了一个新的注册中心,而不是在名称空间上结束
123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine
又低又快
123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine:latest
The push refers to repository [123456789.dkr.ecr.eu-west-1.amazonaws.com/my.registry.com/namespace/alpine]
0c8667b5b: Pushed
730460948: Pushed
1.0: digest: sha256:e1f814f3818efea45267ebfb4918088a26a18c size: 7
工作很好
