I'm trying to push my first docker image to ECR. I've followed the steps provided by AWS and things seem to be going smoothly until the final push which immediately times out. Specifically, I pass my aws ecr credentials to docker and get a "login succeeded" message. I then tag the image which also works. pushing to the ecr repo I get no error message, just the following:
The push refers to repository [xxxxxxxxxxx.dkr.ecr.ca-central-1.amazonaws.com/reponame]
714c1b96dd83: Retrying in 1 second
d2cdc77dd068: Retrying in 1 second
30aad807caf5: Retrying in 1 second
0559774c4ea2: Retrying in 1 second
285b8616682f: Retrying in 1 second
4aeea0ec2b15: Waiting
1b1312f842d8: Waiting
c310009e0ef3: Waiting
a48777e566d3: Waiting
2a0c9f28029a: Waiting
EOF
It tries a bunch of times and then exits with no message. Any idea what's wrong?
I figured out my issue. I wasn't using the correct credentials. I had a personal AWS account as my default credentials and needed to add my work profile to my credentials.
EDIT
If you have multiple aws profiles, you can mention the profile name at the docker login as below (assuming you have done aws configure --profile someprofile at earlier day),
aws ecr get-login-password --region us-east-1 --profile someprofile | docker login ....
You will get the same behaviour if you forget to create ECR repo before pushing.
Use CloudTrail to get a clue what is wrong.
Also make sure that you have configured correct policy for your user — for example, AmazonEC2ContainerRegistryFullAccess.
Make sure the name of your repository is the same name as your images.
image:latest 756839881602.dkr.ecr.us-east-1.amazonaws.com/image:latest in this case my repository name is image and my image name is image as well. This worked for me.
In my case, the repository I wanted to push to didn't exist (For example, I tried pushing to my-app/backend:latest but only the my-app/cms repository exists). So make sure your repository exists in the AWS ECR Console in the right region. The error returned from AWS CLI (EOF) didn't help at all.
Check your aws permissions. In addition to AmazonEC2ContainerRegistryFullAccess permission, below actions has to be granted for the correct resource. Especially check "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/{$REGISTRY_NAME}" part.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/{$REGISTRY_NAME}"
},
{
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
}
]
}
In my case it was related to MFA (Multi-Factor-Authentication).
I had to create a session token. The docker login seemed to be successful, but pushing does not work.
The following script is doing all for you and creates a aws profile "mfa" used to login: get_mfa_credentials.py
After executing, you can login with:
aws ecr get-login-password --region <YOUR_REGION> --profile mfa | docker login --username AWS --password-stdin <Your_REPO>
I do not know who wrote it, but I'm very grateful to this guy.
And thanks to AWS for bad tools that do not help.
Assuming you authenticated successfully to AWS and you have permissions to read, write to ECR, check if the repository does exist
aws ecr describe-repositories --repository-name reponame
If you catch an error RepositoryNotFoundException, then you will create to that repository with the following command
aws ecr create-repository --repository-name reponame
After that, try to push again, it will be fine!
I also was able to login to the registry, yet the pushing of the image would just timeout.
The solution for me was to add AmazonEC2ContainerRegistryFullAccess to my IAM user.
After adding that permission to my IAM user account, I could docker push to the ECS registry just fine.
I have to add for anyone else encountering this problem. Go to IAM and make sure you have put permissions. I don't want to say how long I wasted before figuring that out.
Edit to help #zac's answer:
The policies that need to be attached are AmazonEC2ContainerRegistryFullAccess and AWSAppRunnerServicePolicyForECRAccess
For those who tried the solution above, and it didn't work, make sure the image name your are pushing is the same as the repository name.
Ensure you are using the correct profile and that the repository exists
Command to login with profile: aws ecr get-login-password --region <region> --profile=<profile-name> | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.eu-west-1.amazonaws.com
Command to create repo if it does not exists:
aws ecr describe-repositories --repository-names ${REPO_NAME} || aws ecr create-repository --repository-name ${REPO_NAME}(source)
If anyone is still stuck with the issue. I would highly recommend watching this short vid https://www.youtube.com/watch?v=89ZeXaZEf80&ab_channel=IdenticalCloud
Here are the steps I took to fix the issue (if you prefer not to watch the video):
Create a new IAM user with "Access keys" checked
Under permissions, click on "attach existing policies directly" and choose "AmazonEC2ContainerRegistryFullAccess"
Download the CSV file
Run "AWS configure" on your terminal and pass in the credentials from the CSV file
Set the location to the location you created your ECR (mine was us-east-1)
Go to ECR and follow the steps to push the image
For me, I had to delete the stack and re-deploy the stack. Then, I was able to push the docker image to ECR.
Please check cloud trail event logs , this is where all the api issues are clearly highlighted .
In my case it was because i had a - in my image name and hence it was throwing the following error in the cloud trail logs
"The repository with name 'myimage-nginx' does not exist in the registry with id '516583196897'
Please note the - in the image name.
Fixing the image name to remove the - resolved the issue for me.
Commands
docker tag nginx:latest 516583196897.dkr.ecr.ap-south-1.amazonaws.com/myimage:latest
docker push 516583196897.dkr.ecr.ap-south-1.amazonaws.com/myimage:latest
In my case I was creating the repo in us-east-2 and attempting to push to us-east-1, so docker couldn't find it.
Make sure your assumed aws role has the ability to push images to AWS ECR. Easiest is to check the role via the command:
aws sts get-caller-identity --profile=saml
I was following this documentation and hit this error. What addressed the problem was using the repository id instead of the account name.
aws ecs create-repository creates a repo, returning a repositoryUri. Then, the docker login, docker tag and docker push should be done using that repository url instead of the user one.
I had this problem with sam deploy
sam delete --stack-name ...
sam deploy --guided
worked for me
Related
We have a GitLab CI pipeline that currently pulls images from our internal Docker registry, authenticated using a variable defined in .gitlab-ci.yml:
variables:
...
DOCKER_AUTH_CONFIG: '{"auths": {"our.registry": {"auth": "$B64AUTH"}}}'
This works fine.
We are trying to add a step to the end of the pipeline, to push our built Docker images to an Amazon ECR registry. We have installed the amazon-ecr-credential-helper on our runner instances, and given them the correct IAM permissions to be able to push to these registries. We have changed the .gitlab-ci.yml variable to:
DOCKER_AUTH_CONFIG: '{"auths": {"our.registry": {"auth": "$B64AUTH"}}, "credHelpers": { "<account-id>.dkr.ecr.<region>.amazonaws.com": "ecr-login"}}'
However, this causes the runner to fail to authenticate to our internal registry, so it cannot pull the images in which our jobs run. Whereas previously we would see in our pipeline jobs' logs:
Authenticating with credentials from $DOCKER_AUTH_CONFIG
... we are no longer seeing this. We're not even getting to the step where we want to push to ECR.
We have added a wrapper script around the credential helper, to log all the ins and outs to a file, and try and debug what is happening. However, it appears as if the helper isn't getting called at all, as there is nothing in the log file.
What can we do to try and get this working?
Our problems here boiled down to a number of causes:
Since we referenced the credential helper in DOCKER_AUTH_CONFIG, we needed the helper installed on the machine spawning the runners. (We use the docker+machine runner.) This machine also needed IAM permissions. Without this, it just gave up on the DOCKER_AUTH_CONFIG variable completely (a questionable decision if you ask me...)
In order to authenticate from within the jobs and push the images to ECR, we needed to configure the helper there too. We did this by modifying our spawner's config.toml file to add a volume /usr/bin/docker-credential-ecr-login:/usr/bin/docker-credential-ecr-login. (We also mounted the log directory and our helper wrapper.) In the docker push command, we added a --config docker-config flag, and wrote out an appropriate config to docker-config.config.json
Finally, our job image was docker/compose, and our verbose wrapper was written in bash, which isn't included in that image, so that was another silent failure. 😖.
I have private repo where I am uploading images outside of the docker.
image: example-registry.com:4000/test
I have that defined in my docker-compose file.
How I can provide credentials or API key in order to pull from that repository? Is it possible to do it without executing "docker login" command or it is required to always execute those commands prior the docker-compose command?
I have API key which I am using for example to do the REST API from PowerShell or any other tool.
Can I use that somehow in order to avoid "docker login" command constantly?
Thank you
docker login creates or updates the ~/.docker/config.json file for you. With just the login part, it look likes
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "REDACTED"
}
}
}
There can be many things in this file, here is the doc
So to answer your question, you can avoid the login command by distributing this file instead. Something like:
Create a dedicated token (you shouldn't have multiple usage by token) here https://hub.docker.com/settings/security
Move your current config elsewhere if it does exist mv ~/.docker/config.json /tmp
Execute docker login -u YOUR-ACCOUNT, using the token as password
Copy the generated ~/.docker/config.json that you can then distribute to your server(s). This file is as much a secret as your password , don't make it public!
Move back your current config mv /tmp/config.json ~/.docker/
Having the file as a secret that you distribute doesn't make much difference than inputing the docker login command though, especially if you've some scripting to do that.
I'am trying to upload a locally created docker image (graalvm, docker desktop on Mac) to gcp (with a real project id).
I see the following error:
% docker push grc.io/<project>/facility
The push refers to repository [grc.io/<project>/facility]
Get https://grc.io/v2/: Service Unavailable
I set up gcloud auth:
gcloud auth configure-docker
and my .docker/config.json looks like this
{
"experimental" : "disabled",
"credHelpers" : {
"gcr.io" : "gcloud",
"us.gcr.io" : "gcloud",
"eu.gcr.io" : "gcloud"
},
"auths" : {
},
"stackOrchestrator" : "swarm"
}
Running
echo "https://gcr.io" | docker-credential-gcloud get
provides a token.
What is the problem?
-- Update --
When I run this (works)
gcloud container images list --repository=gcr.io/<project-id> --log-http
it is talking to https://gcr.io/v2/token?... and the docker-credential-gcloud above is talking to https://oauth2.googleapis.com/token.
Here is an alternative solution:
gcloud builds submit --tag gcr.io/<project-name>/<app-name>
Looks like you have a typo. It should be gcr.io not grc.io
You are supposed to replace the <project> in
docker push grc.io/<project>/facility
with your project id.
If you are not sure how to get the project id, you can get list of all the projects with their IDs via cli.
gcloud projects list
After spending more time on this I found out that gcp has container registries and artifact registries (beta).
Since I don't get it running with the container registry I created a new test project and an artifact registry.
Setup is the same apart from the registry address.
After locally running
gcloud auth application-default login
gcloud beta auth configure-docker us-east1-docker.pkg.dev
my ~/.docker/config.json has the following credHelper entry
"credHelpers": {
"us-east1-docker.pkg.dev": "gcloud"
},
Now I can tag & push
docker tag a01478beacf9 us-east1-docker.pkg.dev/test-2/facility/name
docker push us-east1-docker.pkg.dev/test-2/facility/name
The tag has 4 parts:
HOST-NAME /PROJECT-ID/REPOSITORY/IMAGE
us-east1-docker.pkg.dev/test-2 /facility /name
and it just works. :)
I'm following Kubernete's getting started guide. Everything went smoothly until I ran
$ gcloud docker push gcr.io/<PROJECT ID>/hello-node:v1
(Where is, well, my project id). For some reason, Kubernetes is not able to push to the registry. This is what I get:
Warning: '--email' is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: '--email' is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: '--email' is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: '--email' is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: '--email' is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: '--email' is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: '--email' is deprecated, it will be removed soon. See usage.
Login Succeeded
The push refers to a repository [gcr.io/kubernetes-poc-1320/hello-node]
18465c0e312f: Preparing
5f70bf18a086: Preparing
9f7afc4ce40e: Preparing
828b3885b7b1: Preparing
5dce5ebb917f: Preparing
8befcf623ce4: Waiting
3d5a262d6929: Waiting
6eb35183d3b8: Waiting
denied: Unable to create the repository, please check that you have access to do so.
Any ideas on what I might be doing wrong? Note that I have run. $ gcloud init, so I've logged in.
Thanks in advance!
This solved it in my case:
Short version:
Press Enable billing in the Container Engine screen in the https://console.cloud.google.com.
Long version:
In my case I got the error because of an issue with setting billing in the google cloud platform console.
Although I entered all my credit card information and the screen of my Container Engine Screen in the google cloud platform console said Container Engine is getting ready. This may take a minute or more., it didn't work before I pressed Enable billing on the same screen. Then the gcloud docker push command finally worked.
Oddly enough after later returning to the Container Engine screen, it shows me Container Engine is getting ready. This may take a minute or more. and the button Enable billing again.. must be a bug in the console.
None of the above solutions worked for me and I finally found out a solution. I'm using Windows 10 and looked at my C:/Users//.docker/config.json file and it looked like this.
{
"auths": {
"https://appengine.gcr.io": {},
"https://asia.gcr.io": {},
"https://b.gcr.io": {},
"https://bucket.gcr.io": {},
"https://eu.gcr.io": {},
"https://gcr.io": {},
"https://gcr.kubernetes.io": {},
"https://us.gcr.io": {}
},
"credsStore": "wincred"
}
Removing the "credsStore": "wincred" line fixed the problem!
If you're using a GCE instance, you need to make sure it has the right Cloud API access scope.
Since you can't edit the scopes on running instances, you can create a new instance using your current disk.
To do that, do the following
Go to your instance page and click Edit
Uncheck Delete boot disk when instance is deleted and click save
Create a new instance using your previous disk and with write permissions on Storage.
I was getting this same error because I was accidentally using the project name rather than the auto-generated id. The PROJECT_ID can be found via:
$ gcloud info
as well as in the Google Cloud dashboard: https://console.cloud.google.com/home/dashboard
Silly, I realize, but I can imagine others making the same mistake :)
Ensure you are authenticated with Google Cloud.
$ gcloud auth application-default login
Double-check gcloud is pointing to your current project.
$ gcloud config set project PROJECT_ID
If you still have trouble, run gcloud info and take a look at the Last Log File. Note: gcloud auth login no longer writes application default credentials.
In https://stackoverflow.com/a/39996807/598513 I answered switching user/account
gcloud auth list
gcloud config set account example#gmail.com
Edit: This worked for me months ago. New versions of Kubernetes might not have this problem, or this solution might not solve it :)
Ok, after struggling for hours with this, I finally managed to push it to th grc.io registry by changing my tag from a image:version notation to image/version, like this:
gcloud docker push gcr.io/<PROJECT ID>/hello-node/v1
after reading another guide from Kubernetes' documentation: https://cloud.google.com/container-registry/docs/pushing#pushing_to_the_registry
Hope this helps!
For me, having the same error, I found I missed the "gcloud" in the beginning. That was because previous 2 commands started with docker and I just glanced over the changes after docker.
~/gs-spring-boot/complete$ docker -- push gcr.io/kubernetes-codelab-1xxxxx/hello-java:v1
correct:
~/gs-spring-boot/complete$ gcloud docker -- push gcr.io/kubernetes-codelab-1xxxxx/hello-java:v1
run gcloud init and see whether you have logged in to the correct account. I once had this error because of i was trying to push image from different google account
When using docker-credential-helpers to store docker credentials in the OSX Keychain, gcloud docker -- push $registry/$project_id/<image>:<tag> fails as well.
Solution for me was to revert ~/.docker/config.json to not store credentials securely with the keychain
See also: https://github.com/GoogleCloudPlatform/gcloud-common/issues/198
What do you use as a project id? It shouldn't be "my-kubernetes-codelab", it should be "my-kubernetes-codelab-234231" or whatever your numbered version is. This was my problem.
when I am trying to clone a rails app repo I have got permission to, I am getting this issue.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Even after adding public key by generating one, I am unable to solve this.
Although I am able to clone using he https method but after making changes, the same error comes while I try to push the code.
Please suggest an answer for this.
First, cd into your .ssh directory. Open up the terminal and run:
cd ~/.ssh && ssh-keygen
Second, you need to copy this to your clipboard:
cat id_rsa.pub | pbcopy # On OSX
cat id_rsa.pub | xclip # On Linux
Third, add your newly generated ssh key to your account via the github/bitbucket website (just paste there).
Next, setup your git config:
git config --global user.name 'your_user_name'
git config --global user.email 'your_email'
Finally, restart your command line to make sure the config is reloaded.
Now, you should be able to clone and push from/to your github repository.
For more information on this, see this github page or this bitbucket page.
When attempting to clone, push, or pull over SSH with Git, you may receive one of these messages if Bitbucket couldn't authenticate with the keys that your SSH agent offered.
Here are the most common reasons why you may see these messages:
You used sudo when attempting the connection
You shouldn't use sudo when cloning, pushing, or pulling because the ssh-agent runs on the user level, not the root level.
Your public key isn't loaded into Bitbucket
To check if your public key is loaded into Bitbucket, do the following:
From Bitbucket, choose Personal settings from your avatar in the lower left.
The Account settings page displays.
Click SSH keys.
The SSH keys page shows a list of any existing keys.
If you don't have any keys listed, you can follow our Set up an SSH key documentation to set one up.
Your key isn't loaded into your SSH agent
If your SSH agent doesn't know to offer Bitbucket a key, the connection fails. You may run into this issue if you've recently restarted your system.
You can refer to this Article for more informations:
https://support.atlassian.com/bitbucket-cloud/docs/troubleshoot-ssh-issues/
Check few things.
Is the generated new key is the one your ssh agent using when trying to ssh to server.
(Your ssh agent might be using a different key than the one you generated)
use this to list currently loaded keys by agent.
ssh-add -L
You properly added public key to your repository hosting location.
The keys corresponding to above 1 and 2 should match.
Please see this article: GitHub: Generating SSH Keys. What happens when you run:
ssh -T git#bitbucket.org
?
You may have added the wrong key to authenticate with.
I faced this error when I created another repository in my local. My ssh-keys were already set up and I was trying to push code through vs code.
The issue got resolved when I git push-ed through git bash like I was doing before.
For bit bucket I think I have tried everything with ssh. I have tried the answer from this stackoverflow question as well. But it doesn't work. So finally I just changed the clone command from SSH to HTTPS and it worked. Only then it asked for password for my account.