Hello. I am having issues logging in to ECR using docker-py. My code is as follows:
```python
from docker import Client

# auth_code is the password taken from the output of `aws ecr get-login`
client = Client(base_url='tcp://127.0.0.1:2375')
client.login(username='AWS', password=auth_code, registry='https://xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com')
client.pull('xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/foo:latest')
```
Results with the following error:
docker.errors.APIError: 500 Server Error: Internal Server Error ("error parsing HTTP 403 response body: invalid character 'Y' looking for beginning of value: "Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one."")
The thing is, auth_code is generated from aws ecr get-login, which works perfectly. Can anyone shed some light on this?
I did some debugging, and in docker/api/image.py the response is status_code 500 with text:
error parsing HTTP 403 response body: invalid character 'Y' looking for beginning of value: "Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one."
There was a similar bug report submitted recently with pretty much the same symptoms: https://github.com/docker/docker-py/issues/1121
The solution was to refresh credentials, exactly the same thing as the error message is suggesting:
Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.
Hey, as I mentioned before I was using the decoded token that aws ecr get-login was generating, but to no avail.
I have however managed to get it working in a production environment. These are the commands that I'm using:
The production system is all within an AWS VPC. In order to test locally I:
ssh -L 2375:10.0.4.192:2375 ....
And set ADDR according to the env.
```python
import base64
import os

import boto3
from docker import Client

from config import config

os.environ['AWS_ACCESS_KEY_ID'] = config['aws_key_id']
os.environ['AWS_SECRET_ACCESS_KEY'] = config['aws_key_secret']

ecr = boto3.client('ecr', region_name='us-east-1')
# The token decodes to "AWS:<password>"; keep the part after the colon.
token = ecr.get_authorization_token()['authorizationData'][0]['authorizationToken']
auth_code = base64.b64decode(token).decode('utf-8').split(':')[1]

# ADDR is the Docker daemon address, set according to the environment.
client = Client(base_url=ADDR)
client.login(username='AWS', password=auth_code, registry='https://xxxxx.dkr.ecr.us-east-1.amazonaws.com')
```
When performing locally I get a weird response back:
{'username': u'AWS', 'password': u'xxxxxx', 'email': None, 'serveraddress': u'https://xxxxx.dkr.ecr.us-east-1.amazonaws.com'}
When doing it within the VPC I get back:
{u'Status': u'Login Succeeded'}
Both docker-py versions are 1.9.0. The only other difference I can think of is different timezones (BST vs UTC). Any ideas? It would be nice to be able to test locally going forward.
Please post the complete HTTP communication; it's pretty much impossible to help with the currently provided info.
It looks like somewhere in the login process the local version is finding what it thinks is an auth and so the login uses the cached result. Adding reauth=True to the login call fixes it. Sorry for the rabbit hole, Tomas.
DEBUG:docker.auth.auth:Looking for auth entry for 'xxx.dkr.ecr.us-east-1.amazonaws.com'
DEBUG:docker.auth.auth:Found u'https://xxx.dkr.ecr.us-east-1.amazonaws.com'
I found it helpful to delete the Amazon login credentials from ~/.docker/config.json as well. The token is only good for 12 hours.
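The following is an added example, not code from this thread or from docker-py. It combines the fixes discussed above: it rejects an ECR token that is expired or close to expiry, always passes `reauth=True`, and lists cached registry entries in a parsed `~/.docker/config.json`. The function names `login_kwargs` and `cached_entries`, the five-minute margin and all sample values are assumptions constructed for illustration.

```python
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse


def login_kwargs(auth_data, now=None, min_remaining=timedelta(minutes=5)):
    """Build docker-py login() kwargs from one ECR authorizationData entry."""
    now = now or datetime.now(timezone.utc)
    # boto3 returns expiresAt as a timezone-aware datetime, so the comparison
    # does not depend on the local timezone of the machine running it.
    if auth_data["expiresAt"] - now < min_remaining:
        raise ValueError("ECR token expired or close to expiry; fetch a new one")
    # The token is base64("AWS:<password>"); b64decode returns bytes on Python 3.
    decoded = base64.b64decode(auth_data["authorizationToken"]).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep or not password:
        raise ValueError("unexpected authorization token format")
    return {
        "username": username,
        "password": password,
        "registry": auth_data["proxyEndpoint"],
        "reauth": True,  # do not reuse an entry docker-py already has cached
    }


def cached_entries(docker_config, registry):
    """List "auths" keys of a parsed ~/.docker/config.json that match registry."""
    def host(value):
        return urlparse(value if "://" in value else "//" + value).netloc.lower()
    wanted = host(registry)
    return [key for key in docker_config.get("auths", {}) if host(key) == wanted]


# Constructed sample data (hypothetical account id, password and cached entries).
SAMPLE_NOW = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_AUTH = {
    "authorizationToken": base64.b64encode(b"AWS:constructed-password").decode(),
    "expiresAt": SAMPLE_NOW + timedelta(hours=12),
    "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
}
SAMPLE_CONFIG = {"auths": {
    "https://123456789012.dkr.ecr.us-east-1.amazonaws.com": {"auth": "c3RhbGU="},
    "https://index.docker.io/v1/": {"auth": "b3RoZXI="},
}}

if __name__ == "__main__":
    kwargs = login_kwargs(SAMPLE_AUTH, now=SAMPLE_NOW)
    print(sorted(kwargs), cached_entries(SAMPLE_CONFIG, kwargs["registry"]))
    # Real use: client.login(**login_kwargs(entry)) with entry from boto3.
```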