Amazon ECR is introducing a new CLI command aws ecr get-login-password to authenticate with ECR. This command is available in AWS CLI version 1.17.10 and later and is the recommended way to retrieve an ECR authentication token. The existing aws ecr get-login CLI command remains supported in AWS CLI version 1. In AWS CLI version 2, the new get-login-password command will be the only ECR authentication CLI command and the existing get-login command will no longer be available. For more information, see Registry Authentication.
What will happen if I do nothing?
The get-login command will continue to work in the AWS CLI version 1 and remains supported, to preserve backwards-compatibility. However, consider moving to the new get-login-password command to reduce the potential for authentication credentials to appear in the process list, shell history, or log files, and to decouple from the syntax of the docker login command. Please note that the get-login command will not be available in the forthcoming AWS CLI version 2.
How do I use the new command?
The get-login-password command is available in AWS CLI version 1.17.10 and later, which is available today. You can check your AWS CLI version with the aws --version command.
Before: $(aws ecr get-login --no-include-email)
After: aws ecr get-login-password | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com
See our documentation for more information if this substitution does not work. Amazon ECR also provides a Docker credential helper that removes the need to call an authentication CLI command.
Duplicate of #717?
@ronkorving we opted for explicitly opening an issue on the superseded command so it's not lost in talking about the new command, and to get feedback from the community. This issue will stay in developer preview while #717 will get closed.
Closing.
The deprecated get-login command has a --registry-ids option which allowed me to (generate a docker login command that allows me to) log in to ECR registries in other AWS accounts. How can I do that with the new get-login-password command?
@d4nyll you'll need to call it once for each registry.
Deprecated command:
$(aws ecr get-login --region <region> --no-include-email --registry-ids 111111111111 222222222222)
New command:
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin 111111111111.dkr.ecr.<region>.amazonaws.com
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin 222222222222.dkr.ecr.<region>.amazonaws.com
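The per-registry login from the reply above, wrapped in a POSIX shell function. This is an added example, not part of the original thread and not AWS's own code. The function names `ecr_registry_host` and `ecr_login_all` are hypothetical, and the account IDs in the usage comment are the thread's placeholders.

```shell
#!/bin/sh
# Added example: log in to several ECR registries, one get-login-password
# call per registry, with the token passed on stdin only.
# Usage (placeholder IDs): ecr_login_all us-east-1 111111111111 222222222222

# Print the registry hostname for ACCOUNT_ID and REGION; fail on malformed input.
ecr_registry_host() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac      # account ID: digits only
    [ "${#1}" -eq 12 ] || return 1                   # and exactly 12 of them
    case "$2" in ''|*[!a-z0-9-]*) return 1 ;; esac   # region such as us-east-1
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Usage: ecr_login_all REGION ACCOUNT_ID...
# Exit status is the number of registries that could not be logged in to.
ecr_login_all() {
    ecr_region=$1; shift
    ecr_failed=0
    for ecr_account in "$@"; do
        if ! ecr_host=$(ecr_registry_host "$ecr_account" "$ecr_region"); then
            echo "skipping invalid registry: $ecr_account ($ecr_region)" >&2
            ecr_failed=$((ecr_failed + 1))
            continue
        fi
        # The token travels over the pipe only, so it never appears in the
        # process list, in shell history, or in `set -x` traces.
        # If the aws call fails, docker login reads an empty password and
        # fails too, which is counted below.
        if aws ecr get-login-password --region "$ecr_region" |
            docker login --username AWS --password-stdin "$ecr_host" >/dev/null
        then
            echo "logged in to $ecr_host"
        else
            echo "login failed for $ecr_host" >&2
            ecr_failed=$((ecr_failed + 1))
        fi
    done
    return "$ecr_failed"
}
```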
Our solution to this where we didn't know what version we'd be hitting and didn't care to parse version commands was to try to ask for help on the deprecated command. If it's stupid but works, it isn't stupid:
# there are two versions of the AWS client in our infrastructure,
# this get-login help command only works on the old version, so if it works, run the old one.
echo "Logging into ECR"
if aws ecr get-login help > /dev/null 2>&1
then
    eval "$(aws ecr get-login --region us-east-1 --no-include-email)"
else
    aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin "$ECRHOST"
fi