Aws-cli: Keep getting `Denied: Authorization Token has expired` error
I just run the get-login command
execute the output (which returns login succeeded)
then try to push a docker image
then I get the message:
denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.
I don't know whats going wrong, I'm pushing to the right repo, the time on my mac is correct.
This was working before, but since I reinstalled my mac and upgraded to macOS Sierra it's not working anymore, probably related to that.
My --version output:
aws-cli/1.11.34 Python/2.7.10 Darwin/16.3.0 botocore/1.4.91
$ aws ecr get-login --region eu-west-1 --profile ss
docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
$ docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
Flag --email has been deprecated, will be removed in 1.13.
Login Succeeded
$ docker push 1234567890.dkr.ecr.eu-west-1.amazonaws.com/service-web:latest
The push refers to a repository [1234567890.dkr.ecr.eu-west-1.amazonaws.com/service-web]
c1f87971dfa9: Preparing
2eb644aea3de: Preparing
9c8843ffe48e: Preparing
39bb58d049d4: Preparing
f053bc969599: Preparing
7169084246b8: Waiting
bb134a1936fd: Waiting
184e76848a1c: Waiting
75c8fcf65748: Waiting
eb9b9ee1ea58: Waiting
f4bf35723edd: Waiting
ddffe1a64b3c: Waiting
fd1a1154db16: Waiting
b542e946067a: Waiting
d49ed2a5e1ed: Waiting
bb39b980367a: Waiting
25b8358d062f: Waiting
997eee521fc7: Waiting
50b5447183a8: Waiting
4339b5cb0e1d: Waiting
3dbd4a53b21b: Waiting
2bec16216500: Waiting
b9fd8e264df6: Waiting
b6ca02dfe5e6: Waiting
denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.
lu3do
All 22 comments
Presumably this is the same as this StackOverflow question. Can you confirm whether the answer there worked or not?
JordonPhillips
on 29 Dec 2016
Closing due to inactivity. Please reopen if you have anymore questions or the suggestion did not work.
kyleknap
on 18 Jan 2017
For people with the same issue, check my stackoverflow question/answer:
http://stackoverflow.com/a/41387519/1362815
lu3do
on 19 Jan 2017
FYI, this is happening to me. Same symptoms. It worked fine for months but now I get the same error message.
Docker version 17.03.1-ce, build c6d412e
awscli (1.11.75)
LusciousPear
on 10 Apr 2017
Im getting same issue.. worked fine for months..
Docker version 17.03.1-ce, build c6d412e
aws-cli/1.11.111 Python/2.7.10 Darwin/16.6.0 botocore/1.5.74
philpalmieri
on 23 Jun 2017
Same here,
Docker version 17.09.0-ce, build afdb6d4
aws-cli/1.11.167 Python/2.7.9 Windows/8 botocore/1.7.25
probably worthy of noting, i'm actually using win10, but aws cli doesn't seem to identify that correctly.
... turns out, profile switch is required, despite [default] and [user1] having identical configurations. Also specifying --profile default fails. Looks like you must use a named profile that isn't default, for get-login to give something that actually works, instead of just reporting that it worked.
ericblade
on 9 Oct 2017
Upgraded docker yesterday, hosed today.
Docker version 17.09.0-ce, build afdb6d4
macOS 10.13 High Sierra
awscli (1.11.169)
$(aws ecr get-login --no-include-email)
Error saving credentials: error storing credentials - err: exit status 1, out: The user name or passphrase you entered is not correct.
Creating a different profile than "default" and trying to use that results in the same error.
aws ecr get-login --no-include-email --region=us-east-1 --profile=aws
...
Error saving credentials: error storing credentials - err: exit status 1, out: The user name or passphrase you entered is not correct.
Ultimately, deleting the osxkeychain entries, reinstalling docker and aws-cli and restarting the box resolved my authentication issue.
Spechal
on 12 Oct 2017
For me the issue was solved after adding --no-include-email in the aws ecr get-login command.
Like this:
eval $( aws ecr get-login --no-include-email --region eu-west-1 )
guppie70
on 19 Nov 2017
In my case the issue was multiple credentials in ~/.aws/credentails so I used --profile
aws ecr get-login --no-include-email --region us-east-2 --profile xxxx
This worked for me.
chetanhomify
on 4 Mar 2018
docker login stores its auth credentials in ~/.docker/config.json. The Your Authorization Token has expired error means those credentials are stale.
Try removing ~/.docker/config.json. docker push should now generate a no basic auth credentials error.
aws ecr get-login --no-include-email will generate a docker login command. Check the login command generated is for the same registry used in the docker push command.
tekumara
on 25 Aug 2018
In my case the issue was multiple credentials in ~/.aws/credentails so I used --profile
aws ecr get-login --no-include-email --region us-east-2 --profile xxxx
This worked for me.
I truly have multiple accounts and this helped me! Thanks man!
axozoid
on 13 Nov 2018
I had this problem and none of the solutions presented would fix it. It happened after updating docker.
I think that between two different versions of docker the ~/.docker/config.json format changes to include the full URL, however it picks the old URL first without the protocol on a push that's not specifying the protocol.
Deleting the config and logging in again fixed it.
joeyhub
on 4 Apr 2019
Had the same problem.
Just copy output that you have after aws ecr get-login --no-include-email and remove 'https://'. Works for me.
docker login -u AWS -p {token} 123456789.dkr.ecr.eu-west-2.amazonaws.com
michaeljaszczuk
on 9 May 2019
Removal of ~/.docker/config.json is what did it for me. See https://stackoverflow.com/a/45938500/1664453
stieg
on 16 May 2019
Here's what worked for me:
rm ~/.docker/config.json- Removes docker config JSONaws ecr get-login- Exclude the--no-include-email- Copy and paste the output onto your terminal window
- Manually delete the
-e nonepart. - Run
docker pushcommand
rgil90
on 29 Mar 2020
Why not just ask people to run $(aws ecr get-login --no-include-email)?
joseph-zhong
on 3 Apr 2020
@joseph-zhong that certainly doesn't works for aws-cli/2.0.0 Python/3.8.1 Darwin/19.4.0 botocore/2.0.0dev4
subhadeepkaran
on 15 May 2020
What worked for was to do re-login.
If you are on aws-cli/2.0.0 then following might work for you as well.
aws ecr get-login-password |docker login --username AWS --password-stdin $IMAGE_PATH
subhadeepkaran
on 15 May 2020
aws ecr get-login-password \
--region <region> \
| docker login \
--username AWS \
--password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com
https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html
stefaniaive
on 15 May 2020
Just a casual note: "ecr get-login" disappeared in version 2 of the AWS CLI. This is actually kind of a good thing, it's a little bit of a security risk.
You now have to use "ecr get-login-password"
rklahnaisera
on 31 May 2020
https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html
The password is valid for 12 hours.
webxiaohua
on 18 Jun 2020
I too verified the returned token had a 12 hour lifespan, so the token is valid.
From what I can tell, this is a Docker issue/behavior.
I'm in the process of switching over to python instead of the CLI. In order to get passed this "expired" issue, it was necessary to hide/delete the ~/.docker/config.json file.
Here's what I found:
Given the following CLI operation:
aws ecr get-login-password --region %REGION% --profile %PROFILE% | docker login --username AWS --password-stdin %ACCOUNT%.dkr.ecr.%REGION%.amazonaws.com
the operation is generating the config.json file which describes a credentials store for the given endpoint; i.e., _wincred_
{
"auths": {
"0123456789.dkr.ecr.us-east-1.amazonaws.com": {}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.12 (windows)"
},
"credsStore": "wincred"
}
The python operation dkr.login(...) was effectively picking up the _wincred_ from the config.json instead of the STS creds just acquired from AWS. Apparently, this is a feature and not a bug*.
def aws(service):
global boto3, profile, region
session = boto3.session.Session(region_name=region, profile_name=profile)
return session.client(service)
def authenticate():
global dkr
ecr = aws("ecr")
token = ecr.get_authorization_token()
authData = token["authorizationData"][0]
authToken = authData["authorizationToken"]
decode = base64.b64decode(authToken).decode()
_, password = decode.split(":")
registry = authData["proxyEndpoint"].replace("https://", "")
dkr.login(username="AWS", password=password, registry=registry)
print(authData["expiresAt"])
print("Docker logged in...")
Despite the older creds reference by config.json, the dkr.login(...) operation didn't fail. Failure only occurred at the point of dkr.images.push(...).
* A feature.... Reviewing the docker/docker-py repo @ github, it seems the login(...) operation is utilizing the existing config.json file if it already exists. Here's one of many locations where the existing config.json is being referenced/utilitized: source
Setting the reauth login(...) option forces the _real_ login operation to execute -- subsequently the config file was regenerated by something.
The login operation also permits an alternate config file which is probably the way to go for CI.
Here's another starting point to review what's going on: load_config
tvkit
on 28 Sep 2020
Related issues
pawelkilian
路
3Comments
975204
路
3Comments
kangman
路
3Comments
vadimkim
路
3Comments
braddr
路
3Comments
Most helpful comment
For me the issue was solved after adding
--no-include-emailin the aws ecr get-login command.Like this:
eval $( aws ecr get-login --no-include-email --region eu-west-1 )