我正在尝试将docker映像推送到Amazon ECR注册表。我使用docker客户端docker版本1.9.1,构建a34a1d5。我使用aws ecr get-login -region us-east-1来获得docker登录信用。然后我成功登录这些学分如下:

docker login -u AWS -p XXXX -e none https://####.dkr.ecr.us-east-1.amazonaws.com
WARNING: login credentials saved in /Users/ar/.docker/config.json
Login Succeeded

但当我试图推动我的图像,我得到以下错误:

$ docker push ####.dkr.ecr.us-east-1.amazonaws.com/image:latest
The push refers to a repository [####.dkr.ecr.us-east-1.amazonaws.com/image] (len: 1)
bcff5e7e3c7c: Preparing 
Post https://####.dkr.ecr.us-east-1.amazonaws.com/v2/image/blobs/uploads/: no basic auth credentials

我确保aws用户具有正确的权限。我还确保存储库允许用户推送到它。为了确保这不是一个问题,我将注册表设置为允许所有用户完全访问。没有什么可以改变“no basic auth credentials”错误。我不知道如何开始调试,因为所有的流量都是加密的。

更新

So I had a bit of Homer Simpson D'Oh moment when I realized the root cause of my problem. I have access to multiple AWS accounts. Even though I was using aws configure to set my credentials for the account where I had setup my repository the aws cli was actually using the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. So when I did aws ecr get-login it was returning a login for the wrong account. I failed to notice that the account numbers were different until I just went back now to try some of the proposed answers. When I remove the environment variables everything works correctly. I guess the motto of the story is if you hit this error, make sure that the repository you are logging into matches the tag you have applied to the image.


当前回答

我在Docker论坛上发布了一个答案。在我的案例中,问题是centos“docker”不等同于docker CE,因此失败了:

没有基本认证

我只是通过在centos上安装“docker-ce”来修复。

参考:https://forums.docker.com/t/docker-push-to-ecr-failing-with-no-basic-auth-credentials/17358/30

其他回答

以下命令适用于我:

sudo $(aws ecr get-login --region us-east-1 --no-include-email)

然后我运行这些命令:

sudo docker tag e9ae3c220b23(image_id) aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app

sudo docker push aws_account_id.dkr.ecr.region.amazonaws.com/my-web-app

如果为了CI/CD目的隔离AWS帐户,并且在多个AWS帐户之间共享一个ECR存储库,则可能需要更改~/.docker/配置。手动json。

假设你有这些设置:

ECR由AWS帐户ID 00000000000000拥有 CI服务器属于AWS帐户ID 99999999999999

如果您在CI服务器中调用aws ecr get-login——region us-west-2 | bash, docker将在~/.docker/config.json中生成临时凭证。

{
  "auths": {
    "https://99999999999999.dkr.ecr.us-west-2.amazonaws.com": {
      "auth": "long-token.."
    }
  }
}

但是您希望指向ECR的帐户,因此需要更改主机名。

{
  "auths": {
    "https://00000000000000.dkr.ecr.us-west-2.amazonaws.com": {
      "auth": "long-token.."
    }
  }
}

注意,这种情况取决于您如何形成IAM用户/策略以允许ECR访问。

我也遇到过同样的问题,我犯的错误是使用了错误的回购路径

例如:docker push xxxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/jenkins:latest

在上面的路径中,这是我犯的错误:在“dkr.ecr.us-east-1.amazonaws.com”而不是“west”。我用的是“东方”。一旦我纠正了我的错误,我就可以成功地推送图像了。

我的问题是拥有多个AWS证书;因为我试图部署到开发,这是有效的:

$(aws ecr get-login --no-include-email --region eu-west-1 --profile dev | sed 's|https://||')

AWS文档告诉您执行以下命令(对于ap-东南-2区域)

aws ecr get-login --region ap-southeast-2

当我遇到这个问题时,根据那个文档,我不清楚你需要将这个命令的结果输入到终端并执行它。

修复工作为我是复制的结果到剪贴板与

aws ecr get-login --region ap-southeast-2 | pbcopy

将结果粘贴到命令行并执行