Hey everyone,
I normally use DigitalOcean or Azure for docker and kubernetes but have decided to give AWS a go this time around. I was following a guide on deploying an image to a new ECR repo and hit a couple of issues.
The first was that running the login command output help options instead of the password I was expecting:
aws ecr get-login --no-include-email --region us-east-2
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument operation: Invalid choice, valid choices are:
batch-check-layer-availability | batch-delete-image
batch-get-image | batch-get-repository-scanning-configuration
complete-layer-upload | create-pull-through-cache-rule
create-repository | delete-lifecycle-policy
delete-pull-through-cache-rule | delete-registry-policy
delete-repository | delete-repository-policy
describe-image-replication-status | describe-image-scan-findings
describe-images | describe-pull-through-cache-rules
...
This turned out to be an issue because the command had been deprecated. Instead, use the following:
aws ecr get-login-password | docker login --username AWS --password-stdin "$(aws sts get-caller-identity --query Account --output text).dkr.ecr.<REGION_ID>.amazonaws.com"
There’s a pretty detailed thread on GitHub here: https://github.com/aws/aws-cli/issues/5014
The second issue I ran into was an error while trying to run the new command:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::<ACCOUNT_ID>:user/<USER> is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
Adding the following role to my user resolved the issue: AmazonEC2ContainerRegistryPowerUser
Once I was past this, I hit another issue using the command from the GitHub link above:
Error response from daemon: login attempt to https://<ACCOUNT_ID>.dkr.ecr.us-east-2.amazonaws.com/v2/ failed with status: 400 Bad Request
This took a bit of digging, but eventually I came across a thread where someone was using the same command and had hit the same issue. Adding the region to the get-login-password call seemed to fix it:
aws ecr get-login-password --region <REGION_ID> | docker login --username AWS --password-stdin "$(aws sts get-caller-identity --query Account --output text).dkr.ecr.<REGION_ID>.amazonaws.com"
I was finally getting a "Login Succeeded" message and my push was working. This was the thread mentioning the region ID, just in case you need a bit more info: https://github.com/aws/aws-cli/issues/5317#issuecomment-835645395
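The script below is an added example, not code from the post above or from the AWS CLI project. It wraps the working login command so that the same region is passed to get-login-password and baked into the registry hostname (an ECR authorization token is scoped to the region it was requested in, which is why a mismatch produces the 400 above), validates the account ID returned by sts before using it, and keeps the password off the command line by feeding it to docker via stdin. Two points worth knowing: AmazonEC2ContainerRegistryPowerUser is an AWS managed policy, not a role, and it grants push and pull on every repository in the account; the login step by itself only needs ecr:GetAuthorizationToken. The function names, the use of AWS_REGION/AWS_DEFAULT_REGION as fallbacks, and the 12-digit account ID check are my assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post): ECR login that forces the same
# region into both the token request and the registry hostname.
set -eu

# Build the ECR registry hostname from an account ID and a region.
# Pure function, so it can be checked without AWS credentials.
ecr_registry_host() {
  account="$1"
  region="$2"
  # Assumption for this example: AWS account IDs are exactly 12 digits.
  # Catches an empty or garbled `sts get-caller-identity` result early.
  if [ "${#account}" -ne 12 ]; then
    echo "bad account id: '$account' (expected 12 digits)" >&2
    return 1
  fi
  case "$account" in
    *[!0-9]*) echo "bad account id: '$account' (non-digit)" >&2; return 1 ;;
  esac
  if [ -z "$region" ]; then
    echo "region must not be empty" >&2
    return 1
  fi
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$account" "$region"
}

# Resolve the region: explicit argument first, then AWS_REGION /
# AWS_DEFAULT_REGION, then the CLI profile. Fails loudly if none is set
# rather than letting the CLI pick something the registry URL does not match.
ecr_resolve_region() {
  region="${1:-${AWS_REGION:-${AWS_DEFAULT_REGION:-}}}"
  if [ -z "$region" ]; then
    region="$(aws configure get region 2>/dev/null || true)"
  fi
  if [ -z "$region" ]; then
    echo "no region configured; pass one explicitly" >&2
    return 1
  fi
  printf '%s\n' "$region"
}

# Log in to ECR. Usage: ecr_login [region]
ecr_login() {
  region="$(ecr_resolve_region "${1:-}")"
  account="$(aws sts get-caller-identity --query Account --output text)"
  registry="$(ecr_registry_host "$account" "$region")"
  # Fetch the token with the same --region used in the hostname. Capturing it
  # first means a failed token request aborts here instead of handing docker
  # an empty password; the token never appears on a command line.
  token="$(aws ecr get-login-password --region "$region")"
  printf '%s' "$token" | docker login --username AWS --password-stdin "$registry"
}
```

Source the file and call `ecr_login us-east-2` (or rely on AWS_REGION). If the account ID or region cannot be determined, the script stops before docker is invoked.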