aws / aws-cli

Universal Command Line Interface for Amazon Web Services

ECR get-login-password for docker login yields 400 bad request #5317

Closed flah00 closed 4 years ago

flah00 commented 4 years ago

Describe the bug

I want to log in to ECR in us-west-2, because I would like to pull the aws-iam-authenticator image, i.e. docker pull 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.0-alpine-3.7. The docker login instructions on the release page are out of date. I followed the instructions in the AWS CLI get-login-password, but I get HTTP error code 400 back from the server.

SDK version number

aws --version
aws-cli/2.0.10 Python/3.8.2 Darwin/18.7.0 botocore/2.0.0dev14

Platform/OS/Hardware/Device

What are you running the cli on?

uname -a
Darwin AMAC02YK1BBJGH6 18.7.0 Darwin Kernel Version 18.7.0: Mon Apr 27 20:09:39 PDT 2020; root:xnu-4903.278.35~1/RELEASE_X86_64 x86_64

To Reproduce (observed behavior)

aws --profile $aws_profile --region ${aws_region} ecr get-login-password \
    | docker login \
        --password-stdin \
        --username AWS \
        "${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com"
Error response from daemon: login attempt to https://$aws_account_id.dkr.ecr.$aws_region.amazonaws.com/v2/ failed with status: 400 Bad Request

Expected behavior

I should be logged in, but I am not

Logs/output

2020-06-25 12:33:06,720 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.0.10 Python/3.8.2 Darwin/18.7.0 botocore/2.0.0dev14
2020-06-25 12:33:06,720 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['--debug', '--profile', '$aws_profile', '--region', '$aws_region', 'ecr', 'get-login-password']
2020-06-25 12:33:06,721 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x110e9d160>
2020-06-25 12:33:06,721 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x110736790>
2020-06-25 12:33:06,721 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x110ee7820>
2020-06-25 12:33:06,721 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x110797040>
2020-06-25 12:33:06,728 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2020-06-25 12:33:06,728 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x110d59ee0>
2020-06-25 12:33:06,728 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x110d0b0d0>
2020-06-25 12:33:06,745 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.0.10/libexec/lib/python3.8/site-packages/botocore/data/ecr/2015-09-21/service-2.json
2020-06-25 12:33:06,751 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ecr: calling handler <function _inject_commands at 0x110d70670>
2020-06-25 12:33:06,752 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ecr: calling handler <function add_waiters at 0x110ea4790>
2020-06-25 12:33:06,770 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.0.10/libexec/lib/python3.8/site-packages/botocore/data/ecr/2015-09-21/waiters-2.json
2020-06-25 12:33:06,770 - MainThread - botocore.hooks - DEBUG - Event building-command-table.get-login-password: calling handler <function add_waiters at 0x110ea4790>
2020-06-25 12:33:06,771 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2020-06-25 12:33:06,771 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2020-06-25 12:33:06,771 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2020-06-25 12:33:06,771 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2020-06-25 12:33:06,772 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2020-06-25 12:33:06,772 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/Cellar/awscli/2.0.10/libexec/lib/python3.8/site-packages/botocore/data/endpoints.json
2020-06-25 12:33:06,779 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x11010fb80>
2020-06-25 12:33:06,780 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.ecr: calling handler <function add_generate_presigned_url at 0x1100de790>
2020-06-25 12:33:06,784 - MainThread - botocore.endpoint - DEBUG - Setting api.ecr timeout as (60, 60)
2020-06-25 12:33:06,785 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.ecr.GetAuthorizationToken: calling handler <function base64_decode_input_blobs at 0x110eed0d0>
2020-06-25 12:33:06,785 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.ecr.GetAuthorizationToken: calling handler <function generate_idempotent_uuid at 0x11012fca0>
2020-06-25 12:33:06,785 - MainThread - botocore.hooks - DEBUG - Event before-call.ecr.GetAuthorizationToken: calling handler <function inject_api_version_header_if_needed at 0x110135790>
2020-06-25 12:33:06,785 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=GetAuthorizationToken) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'X-Amz-Target': 'AmazonEC2ContainerRegistry_V20150921.GetAuthorizationToken', 'Content-Type': 'application/x-amz-json-1.1', 'User-Agent': 'aws-cli/2.0.10 Python/3.8.2 Darwin/18.7.0 botocore/2.0.0dev14'}, 'body': b'{}', 'url': 'https://api.ecr.$aws_region.amazonaws.com/', 'context': {'client_region': '$aws_region', 'client_config': <botocore.config.Config object at 0x112a70490>, 'has_streaming_input': False, 'auth_type': None}}
2020-06-25 12:33:06,785 - MainThread - botocore.hooks - DEBUG - Event request-created.ecr.GetAuthorizationToken: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x112a70460>>
2020-06-25 12:33:06,785 - MainThread - botocore.hooks - DEBUG - Event choose-signer.ecr.GetAuthorizationToken: calling handler <function set_operation_specific_signer at 0x11012fb80>
2020-06-25 12:33:06,785 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2020-06-25 12:33:06,786 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
POST
/

content-type:application/x-amz-json-1.1
host:api.ecr.$aws_region.amazonaws.com
x-amz-date:20200625T163306Z
x-amz-target:AmazonEC2ContainerRegistry_V20150921.GetAuthorizationToken

content-type;host;x-amz-date;x-amz-target
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
2020-06-25 12:33:06,786 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20200625T163306Z
20200625/$aws_region/ecr/aws4_request
47f5afb79d1c5130426a2e54118988345b1798e4a4c15f59d4ae9b1d4176713e
2020-06-25 12:33:06,786 - MainThread - botocore.auth - DEBUG - Signature:
364f590097554b1ccf89d3efd5cdf6a57d6d91d22f796249bc479b035f7fbbd0
2020-06-25 12:33:06,786 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://api.ecr.$aws_region.amazonaws.com/, headers={'X-Amz-Target': b'AmazonEC2ContainerRegistry_V20150921.GetAuthorizationToken', 'Content-Type': b'application/x-amz-json-1.1', 'User-Agent': b'aws-cli/2.0.10 Python/3.8.2 Darwin/18.7.0 botocore/2.0.0dev14', 'X-Amz-Date': b'20200625T163306Z', 'Authorization': b'AWS4-HMAC-SHA256 Credential=AKIATHGYY3MLXEYVF3QV/20200625/$aws_region/ecr/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=364f590097554b1ccf89d3efd5cdf6a57d6d91d22f796249bc479b035f7fbbd0', 'Content-Length': '2'}>
2020-06-25 12:33:06,787 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): api.ecr.$aws_region.amazonaws.com:443
2020-06-25 12:33:07,174 - MainThread - urllib3.connectionpool - DEBUG - https://api.ecr.$aws_region.amazonaws.com:443 "POST / HTTP/1.1" 200 2780
2020-06-25 12:33:07,175 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amzn-RequestId': '854e969a-9d80-4dbb-9970-513d2628ef6b', 'Date': 'Thu, 25 Jun 2020 16:33:07 GMT', 'Content-Type': 'application/x-amz-json-1.1', 'Content-Length': '2780'}
2020-06-25 12:33:07,175 - MainThread - botocore.parsers - DEBUG - Response body:
b'{"authorizationData":[{"authorizationToken":"B64DATA","expiresAt":1.59314598712E9,"proxyEndpoint":"https://$aws_account_id.dkr.ecr.$aws_region.amazonaws.com"}]}'
2020-06-25 12:33:07,175 - MainThread - botocore.hooks - DEBUG - Event needs-retry.ecr.GetAuthorizationToken: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x112a70fd0>>
2020-06-25 12:33:07,176 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2020-06-25 12:33:07,176 - MainThread - botocore.hooks - DEBUG - Event after-call.ecr.GetAuthorizationToken: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x112a706d0>>
Error response from daemon: login attempt to https://$aws_account_id.dkr.ecr.$aws_region.amazonaws.com/v2/ failed with status: 400 Bad Request

Additional context

I have found that I can successfully docker login to region us-east-1, but I cannot log in to us-west-2. I need to log in to us-west-2, so I can pull 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-iam-authenticator:v0.5.0-alpine-3.7. I looked over the status of ECR for us-west-2 and it's not reporting any issues.

kdaily commented 4 years ago

Hi @flah00,

Sorry to hear you're having trouble with this! I tried to reproduce, but without success. I successfully logged into my ECR through docker in both us-east-1 and us-west-2. I could only reproduce if I forced a region mismatch between the get-login-password and the URL:

> aws --version
aws-cli/2.0.21 Python/3.7.4 Darwin/19.5.0 botocore/2.0.0dev25

> aws ecr get-login-password --region us-east-1 \
| docker -l "debug" login \
    -u AWS \
    --password-stdin XXXXXXX.dkr.ecr.us-west-2.amazonaws.com

Error response from daemon: login attempt to https://XXXXXXXXXXX.dkr.ecr.us-west-1.amazonaws.com/v2/ failed with status: 400 Bad Request

The command referenced in the aws-iam-authenticator image release notes is for the v1 of the CLI client and wouldn't work for you using v2. I'll make a note to follow up on that, thanks for catching it!

Can you double check that your environment variables in use here are set to the same region? I could only think otherwise that the profile you referenced in the get-login-password is for a different AWS account than specified in the docker login.

Thanks!

flah00 commented 4 years ago

@kdaily I re-ran the commands, as I had laid out and they're working now... no changes on my end. Very curious. Thanks for digging into this.

Hyperadministrator commented 4 years ago

I seem to be having exactly the same problem atm with

aws ecr get-login --region "${AWS_DEFAULT_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCESS_KEY_ID}.dkr.ecr.eu-west-1.amazonaws.com"
Error response from daemon: login attempt to https://XXXXXXXXXXXXXXX.dkr.ecr.eu-west-1.amazonaws.com/v2/ failed with status: 400 Bad Request

My version-set is this:

$ aws --version
aws-cli/1.16.209 Python/3.7.7 Darwin/19.5.0 botocore/1.12.199

$ uname -a
Darwin terminaator 19.5.0 Darwin Kernel Version 19.5.0: Tue May 26 20:41:44 PDT 2020; root:xnu-6153.121.2~2/RELEASE_X86_64 x86_64

kdaily commented 4 years ago

@Fornacula what's the value of AWS_DEFAULT_REGION?

novicedev7291 commented 4 years ago

Facing the same issue with AWS ECR plugin in JENKINS using

aws ecr get-login --region us-east-1 --no-include-email

Error response in JENKINS console:

Error response from daemon: login attempt to https://{AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/v2/ failed with status: 400 Bad Request

$ aws  --version
aws-cli/1.11.131 Python/2.7.16 Linux/4.9.91-40.57.amzn1.x86_64 botocore/1.5.94
$ uname -a
Linux ip-172-31-71-174 4.9.91-40.57.amzn1.x86_64 #1 SMP Tue Apr 3 17:32:06 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

UPDATE 1 Tried manually from CLI and it worked but not working from the PLUGIN, could be a plugin issue.

UPDATE 2 There is no issue, it was a typo in the ECR credential ID used by the plugin and it worked. Please ignore my comment.

github-actions[bot] commented 4 years ago

Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.

johnny-fuse commented 3 years ago

This still happens... any solution? I think I am losing my mind, at least 3 hours trying to make this work

thabied commented 3 years ago

I'm still getting the 400 Bad Request error. I've tried changing regions and all of the suggestions made above but nothing is working.

I'm in Cape Town, South Africa and I've tried both the Cape Town and us-east-1 regions but both don't work. I'm not sure what else could be the problem.

I'm executing the command in the suggested format:

aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

I have aws-cli/2.1.32 Python/3.8.8 Darwin/19.6.0 exe/x86_64 and Docker 3.2.2 running on Mac OS Catalina 10.15.17

Are there any updates regarding this problem? Please, someone help me, I'm going insane over here.

bricefrisco commented 3 years ago

I ran into this issue and was able to resolve it by:

petewilcock commented 3 years ago

Just in case it helps someone - if your AWS account number starts with a zero, your automation might round this number away and therefore interpolate the incorrect account ID into the login command. Just to be clear, the login command to the repo absolutely requires the zero to be present.

montej-anblicks commented 3 years ago

  • aws sts get-caller-identity

Yes this helps me, I am passing account alias instead of id. Thanks

Adityanr commented 3 years ago

For those of you who are facing this issue in PowerShell, here is the workaround: https://stackoverflow.com/questions/65576285/docker-login-on-ecr-fails-with-400-bad-request-on-powershell-from-jenkins

pcnova commented 2 years ago

I seem to be having exactly the same problem atm with

aws ecr get-login --region "${AWS_DEFAULT_REGION}" | docker login --username AWS --password-stdin

The problem here is that you're calling get-login instead of get-login-password: the result of get-login does not need to be piped into docker, because it's already the full command you have to run! I know because it got me for a while too...

If you can switch to get-login-password then just do that (since get-login is deprecated). Otherwise, my solution was:

eval "$(aws ecr get-login --region "${AWS_DEFAULT_REGION}")"

farib-reasonal commented 2 years ago

I seem to be having exactly the same problem atm with

aws ecr get-login --region "${AWS_DEFAULT_REGION}" | docker login --username AWS --password-stdin

The problem here is that you're calling get-login instead of get-login-password: the result of get-login does not need to be piped into docker, because it's already the full command you have to run! I know because it got me for a while too...

This comment just saved me :)

johnnyb commented 2 years ago

For myself, I fixed the problem because I was using dashes in the AWS Account ID. Amazon lists the ID with dashes, but you have to remove the dashes for this to work.

singhprd commented 2 years ago

I resolved this by ensuring my region was consistent between the ecr repo location and the login password:

aws ecr get-login-password --region SAME-REGION-1 | docker login --username AWS --password-stdin 12345678.dkr.ecr.SAME-REGION-1.amazonaws.com/repo/name

rlconst commented 2 years ago

Have the same problem with login from powershell, but works from CMD

kushan-gunasekera commented 2 years ago

this solution is working fine for me.

solution:- https://stackoverflow.com/a/69274999/6194097

jdempcy commented 2 years ago

For me the cause of the problem was using the fish shell. I ran the same command in a bash shell and it succeeded.

tomharrisonjr commented 1 year ago

I am having this issue in us-west-1, running on macOS, zsh shell.

macOS: 12.6.1 (21G217) -- Intel
zsh: 5.8.1
aws cli: 2.9.1 -- note, auth via SSO
docker: 20.10.21

I have confirmed region, environment variables, my permissions all align with the required parameters.

I have confirmed that others in my company having the same permissions and similar configurations do not have the issue, so seems likely to be due to some configuration.

Failed: I was able to reproduce the problem with zsh shell

Worked: I was able to successfully run with bash shell (in my case gnu bash 5.1 installed via brew install bash)

And then in an attempt to diagnose the problem, I added --debug to the docker command, and that also made it work...

[~]$ aws ecr get-login-password --region us-west-1 | docker login  --username AWS --password-stdin 123456789012.dkr.ecr.us-west-1.amazonaws.com
Error response from daemon: login attempt to https://123456789012.dkr.ecr.us-west-1.amazonaws.com/v2/ failed with status: 400 Bad Request

[~]$ aws ecr get-login-password --region us-west-1 | docker --debug login  --username AWS --password-stdin 123456789012.dkr.ecr.us-west-1.amazonaws.com
Login Succeeded

[~]$ aws ecr get-login-password --region us-west-1 | docker login  --username AWS --password-stdin 123456789012.dkr.ecr.us-west-1.amazonaws.com    tfenv:1.3.0
Error response from daemon: login attempt to https://123456789012.dkr.ecr.us-west-1.amazonaws.com/v2/ failed with status: 400 Bad Request

Hope this helps others!

drewdunne commented 1 year ago

In case anyone else runs into this issue, I had to wrap my GetAuthToken call in a variable definition for it to be piped in successfully:

echo $(aws ecr get-login-password --region $AWS_REGION) | docker login -u AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com

I couldn't find any reference to this anywhere, and thank god GPT4 suggested I do it. /shrug

ankom2007 commented 1 year ago

aws ecr get-login-password --profile $PROFILE --region $AWS_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com

Login Succeeded

vthai commented 1 year ago

For me, I found out that it is due to aws cli auto prompt, it breaks the piping of password to docker stdin, after switching to AWS_CLI_AUTO_PROMPT=on-partial it works

mhweiner commented 1 year ago

For anyone still struggling with this, in my case the issue was my AWS Account ID had a leading zero and was being parsed as a number by GitHub Actions when passed to the env argument, truncating the zero. I.e., "01234" was being treated as 1234.

I don't know why AWS account Ids are numbers but really strings with leading zeros. Nice. GitHub, for its part, is doing magic on those env variables which I would assume would be strings, like if it was done in the shell with export. The confluence of these two idiosyncrasies caused me to lose over 8 hours diagnosing this issue. Fun. Hopefully, this will help someone else. 😵‍💫

bornbydawn commented 1 year ago

If anyone is using an authorization token and struggling, I have put the answer here:

https://stackoverflow.com/a/76652848/2733864

mjmts commented 1 year ago

I encountered the same error. I created the AWS ECR repo in ap-northeast-2, but the login token was created based on us-east-1.

jpliraa commented 9 months ago

after 13 hours, the solution for me was using the command line directly and then apply this: https://stackoverflow.com/questions/60583847/aws-ecr-saying-cannot-perform-an-interactive-login-from-a-non-tty-device-after

hope it helps somebody

FreyGeospatial commented 7 months ago

I had to restart my powershell and then this worked. Used the exact same commands (copied/pasted) Weird...

elijahbenizzy commented 3 months ago

OK, for those who are still hitting this, mine was especially dumb. This works:

aws --profile ... --region us-west-2 ecr get-login-password | docker login --password-stdin --username AWS XXXXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.com

But this does not:

aws --profile ... --region us-west-2 ecr get-login-password | docker login --password-stdin --username AWS XXXX-XXXX-XXXX.dkr.ecr.us-west-2.amazonaws.com

Kill the dashes -- thanks to this: https://github.com/aws/aws-cli/issues/5317#issuecomment-1113571931, rewriting as my guess is more people will see this...

If the AWS folks want to add support for dashes, I don't think anyone would complain :)
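
An offline preflight for the causes reported across this thread (dashes in the account ID, a dropped leading zero, an alias passed instead of the ID, and a region mismatch between the token and the registry host), followed by a login wrapper that never pipes an empty token. This is an added example, not part of any comment above and not aws-cli code; the function names `check_ecr_login_args` and `ecr_login` are hypothetical, and it assumes the standard `<account>.dkr.ecr.<region>.amazonaws.com` host form.

```shell
#!/bin/sh
# Added example (hypothetical helper names). POSIX sh, no network access needed
# for the preflight itself.

# check_ecr_login_args REGISTRY TOKEN_REGION
# Prints one diagnosis per problem; returns 0 if clean, 1 on a bad argument,
# 2 if REGISTRY is not an ECR host at all.
check_ecr_login_args() {
    host=$1
    token_region=$2
    rc=0

    # Tolerate a pasted scheme or repository path: keep only the host part.
    host=${host#https://}
    host=${host%%/*}

    case $host in
        *.dkr.ecr.*.amazonaws.com) ;;
        *) echo "not an ECR registry host: $host"; return 2 ;;
    esac

    account=${host%%.dkr.ecr.*}
    rest=${host#*.dkr.ecr.}
    host_region=${rest%.amazonaws.com}

    # AWS account IDs are exactly 12 digits and must be treated as strings.
    case $account in
        *[!0-9-]*)
            echo "account ID is not numeric (alias or other value?): $account"; rc=1 ;;
        *-*)
            echo "account ID contains dashes, remove them: $account"; rc=1 ;;
        *)
            if [ "${#account}" -ne 12 ]; then
                echo "account ID has ${#account} digits, expected 12 (was a leading zero dropped?)"
                rc=1
            fi ;;
    esac

    # The token must be requested for the region the registry lives in.
    if [ "$host_region" != "$token_region" ]; then
        echo "region mismatch: token requested for $token_region, registry is in $host_region"
        rc=1
    fi
    return $rc
}

# ecr_login REGISTRY REGION
# Runs the preflight, then the login command from this thread.
ecr_login() {
    registry=$1
    region=$2
    check_ecr_login_args "$registry" "$region" || return 1
    # Capture the token first so a failed or empty aws call never reaches docker.
    token=$(aws ecr get-login-password --region "$region") || return 1
    [ -n "$token" ] || { echo "empty token from aws ecr get-login-password"; return 1; }
    printf '%s' "$token" | docker login --username AWS --password-stdin "$registry"
}
```

`aws sts get-caller-identity`, mentioned earlier in the thread, prints the account ID to compare against the registry host.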