aws / aws-cli

Universal Command Line Interface for Amazon Web Services

I can log in to ecr with a different account even though I don't assumerole. #6619

Closed ghost closed 2 years ago

ghost commented 2 years ago


Describe the bug

`aws --version`: `aws-cli/2.4.6 Python/3.8.8 Darwin/21.2.0 exe/x86_64 prompt/off`

For example, main account: 111111, dev account: 222222.

Run the following command:

`aws ecr get-login-password --region region --profile dev | docker login --username AWS --password-stdin 222222.dkr.ecr.region.amazonaws.com`

The following message is output: "Login Succeeded"

Run the following command:

`aws ecr get-login-password --region region | docker login --username AWS --password-stdin 222222.dkr.ecr.region.amazonaws.com`

The following message is output: "Login Succeeded"

I've had a successful login to the dev account ecr with the main credentials.

After creating a docker image, docker push fails. This is probably because the temporary credential is wrong.

Incidentally, docker push succeeds when I log in with `--profile dev`.

Expected behavior

The following message should be printed: "login failed due to inability to authenticate."

tim-finnigan commented 2 years ago

Hi @salt4040, thanks for reaching out. I wonder if your dev account just needs push permissions configured. I found a Premium Support article on this topic that might be helpful: https://aws.amazon.com/premiumsupport/knowledge-center/secondary-account-access-ecr/

Can you verify if the dev account has the necessary policy?

ghost commented 2 years ago

Hi @tim-finnigan, I can log in to the dev account with `--profile dev`, and I can docker push. I don't have a problem with this. However, even the main account can log in to the development account ecr. You should not be able to log in to a development account without `--profile dev`. To be precise, I can't log in, but it says login successful.

tim-finnigan commented 2 years ago

@salt4040 Ok I see thanks for clarifying that. Could you please provide the debug logs by adding --debug to that command? (With any sensitive information redacted.) That will help give us more insight into what’s going on. There might be something like a previously set environment variable that would explain this behavior.

ghost commented 2 years ago

```
aws ecr get-login-password --region ap-northeast-1 --debug | docker login --username AWS --password-stdin "dev-account-id".dkr.ecr.ap-northeast-1.amazonaws.com
2021-12-17 11:22:00,650 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.4.6 Python/3.8.8 Darwin/21.2.0 exe/x86_64
2021-12-17 11:22:00,650 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['ecr', 'get-login-password', '--region', 'ap-northeast-1', '--debug']
2021-12-17 11:22:00,699 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x7fcc004eea60>
2021-12-17 11:22:00,699 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x7fcc0820e0d0>
2021-12-17 11:22:00,699 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2021-12-17 11:22:00,700 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7fcbe8c1e820>
2021-12-17 11:22:00,700 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x7fcbe8c27820>
2021-12-17 11:22:00,700 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function alias_opsworks_cm at 0x7fcc005024c0>
2021-12-17 11:22:00,700 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x7fcbe8c82e50>
2021-12-17 11:22:00,700 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2021-12-17 11:22:00,700 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x7fcc004fb700>
2021-12-17 11:22:00,700 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/awscli/data/cli.json
2021-12-17 11:22:00,702 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x7fcbe8cb9940>
2021-12-17 11:22:00,702 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x7fcbe8cba4c0>
2021-12-17 11:22:00,702 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x7fcbe8cba430>
2021-12-17 11:22:00,703 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x7fcbe8cba5e0>
2021-12-17 11:22:00,703 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x7fcbe8cba550>
2021-12-17 11:22:00,703 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x7fcc00560c00>
2021-12-17 11:22:00,703 - MainThread - botocore.session - DEBUG - Setting config variable for region to 'ap-northeast-1'
2021-12-17 11:22:00,703 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.4.6 Python/3.8.8 Darwin/21.2.0 exe/x86_64 prompt/off
2021-12-17 11:22:00,703 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['ecr', 'get-login-password', '--region', 'ap-northeast-1', '--debug']
2021-12-17 11:22:00,703 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x7fcc004f30d0>
2021-12-17 11:22:00,703 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x7fcbe8a9bf70>
2021-12-17 11:22:00,703 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x7fcbe8d495e0>
2021-12-17 11:22:00,704 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x7fcbe8a983a0>
2021-12-17 11:22:00,704 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x7fcbe8aff940>
2021-12-17 11:22:00,713 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2021-12-17 11:22:00,721 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x7fcbe8c82d30>
2021-12-17 11:22:00,721 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x7fcc08208f70>
2021-12-17 11:22:00,760 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/awscli/botocore/data/ecr/2015-09-21/service-2.json
2021-12-17 11:22:00,765 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ecr: calling handler <function _inject_commands at 0x7fcc00428430>
2021-12-17 11:22:00,765 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ecr: calling handler <function add_waiters at 0x7fcc004fb700>
2021-12-17 11:22:00,802 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/awscli/botocore/data/ecr/2015-09-21/waiters-2.json
2021-12-17 11:22:00,804 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ecr_get-login-password: calling handler <function add_waiters at 0x7fcc004fb700>
2021-12-17 11:22:00,804 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2021-12-17 11:22:00,804 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2021-12-17 11:22:00,804 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2021-12-17 11:22:00,804 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2021-12-17 11:22:00,804 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2021-12-17 11:22:00,805 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2021-12-17 11:22:00,806 - MainThread - botocore.loaders - DEBUG - Loading JSON file: /usr/local/aws-cli/awscli/botocore/data/endpoints.json
2021-12-17 11:22:00,813 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x7fcc08438550>
2021-12-17 11:22:00,814 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.ecr: calling handler <function add_generate_presigned_url at 0x7fcbe85e2a60>
2021-12-17 11:22:00,857 - MainThread - botocore.endpoint - DEBUG - Setting api.ecr timeout as (60, 60)
2021-12-17 11:22:00,858 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.ecr.GetAuthorizationToken: calling handler <function base64_decode_input_blobs at 0x7fcbe8d49d30>
2021-12-17 11:22:00,858 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.ecr.GetAuthorizationToken: calling handler <function generate_idempotent_uuid at 0x7fcbe860f550>
2021-12-17 11:22:00,858 - MainThread - botocore.hooks - DEBUG - Event before-call.ecr.GetAuthorizationToken: calling handler <function inject_api_version_header_if_needed at 0x7fcbe8611dc0>
2021-12-17 11:22:00,858 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=GetAuthorizationToken) with params: {'url_path': '/', 'query_string': '', 'method': 'POST', 'headers': {'X-Amz-Target': 'AmazonEC2ContainerRegistry_V20150921.GetAuthorizationToken', 'Content-Type': 'application/x-amz-json-1.1', 'User-Agent': 'aws-cli/2.4.6 Python/3.8.8 Darwin/21.2.0 exe/x86_64 prompt/off command/ecr.get-login-password'}, 'body': b'{}', 'url': 'https://api.ecr.ap-northeast-1.amazonaws.com/', 'context': {'client_region': 'ap-northeast-1', 'client_config': <botocore.config.Config object at 0x7fcbe9180b50>, 'has_streaming_input': False, 'auth_type': None}}
2021-12-17 11:22:00,858 - MainThread - botocore.hooks - DEBUG - Event request-created.ecr.GetAuthorizationToken: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x7fcbe9180c10>>
2021-12-17 11:22:00,858 - MainThread - botocore.hooks - DEBUG - Event choose-signer.ecr.GetAuthorizationToken: calling handler <function set_operation_specific_signer at 0x7fcbe860f430>
2021-12-17 11:22:00,859 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2021-12-17 11:22:00,859 - MainThread - botocore.auth - DEBUG - CanonicalRequest: POST
/

content-type:application/x-amz-json-1.1
host:api.ecr.ap-northeast-1.amazonaws.com
x-amz-date:20211217T022200Z
x-amz-target:AmazonEC2ContainerRegistry_V20150921.GetAuthorizationToken

content-type;host;x-amz-date;x-amz-target
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
2021-12-17 11:22:00,859 - MainThread - botocore.auth - DEBUG - StringToSign: AWS4-HMAC-SHA256
20211217T022200Z
20211217/ap-northeast-1/ecr/aws4_request
22e682431e3a358d5f2ca02a56e016d2daeb7e58e5980500305e535261a02109
2021-12-17 11:22:00,860 - MainThread - botocore.auth - DEBUG - Signature: xxxxxxxxx
2021-12-17 11:22:00,860 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=POST, url=https://api.ecr.ap-northeast-1.amazonaws.com/, headers={'X-Amz-Target': b'AmazonEC2ContainerRegistry_V20150921.GetAuthorizationToken', 'Content-Type': b'application/x-amz-json-1.1', 'User-Agent': b'aws-cli/2.4.6 Python/3.8.8 Darwin/21.2.0 exe/x86_64 prompt/off command/ecr.get-login-password', 'X-Amz-Date': b'20211217T022200Z', 'Authorization': b'AWS4-HMAC-SHA256 Credential="main-account-aws_access_key_id"/20211217/ap-northeast-1/ecr/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=xxxxxxxx', 'Content-Length': '2'}>
2021-12-17 11:22:00,860 - MainThread - botocore.httpsession - DEBUG - Certificate path: /usr/local/aws-cli/awscli/botocore/cacert.pem
2021-12-17 11:22:00,860 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): api.ecr.ap-northeast-1.amazonaws.com:443
2021-12-17 11:22:01,051 - MainThread - urllib3.connectionpool - DEBUG - https://api.ecr.ap-northeast-1.amazonaws.com:443 "POST / HTTP/1.1" 200 2630
2021-12-17 11:22:01,051 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amzn-RequestId': '43d94ffc-2e91-4495-8a54-f73cf9d169be', 'Date': 'Fri, 17 Dec 2021 02:22:01 GMT', 'Content-Type': 'application/x-amz-json-1.1', 'Content-Length': '2630'}
2021-12-17 11:22:01,052 - MainThread - botocore.parsers - DEBUG - Response body: b'{"authorizationData":[{"authorizationToken":"xxxxxxxxxxx","expiresAt":1.639750921109E9,"proxyEndpoint":"https://"main-account-id".dkr.ecr.ap-northeast-1.amazonaws.com"}]}'
2021-12-17 11:22:01,052 - MainThread - botocore.hooks - DEBUG - Event needs-retry.ecr.GetAuthorizationToken: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x7fcbe91c46a0>>
2021-12-17 11:22:01,053 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2021-12-17 11:22:01,053 - MainThread - botocore.hooks - DEBUG - Event after-call.ecr.GetAuthorizationToken: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x7fcbe91c4220>>
Login Succeeded
```

ghost commented 2 years ago

I entered the command to log in to the dev account, but it looks like I'm logged in to the main account.

tim-finnigan commented 2 years ago

Hi @salt4040, thanks for following up. In the AWS CLI documentation for get-login-password it says:

The following get-login-password displays a password that you can use with a container client of your choice to authenticate to any Amazon ECR registry that your IAM principal has access to.

This documentation in the User Guide expands a bit more on the role of an authorization token in this process: https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html#registry-auth-token

So as long as your IAM principal has access to an ECR registry then being able to authenticate to it seems like the expected behavior. Please let me know if I'm misunderstanding anything about your workflow here.

ghost commented 2 years ago

Thanks for the comment. I read it. I tried everything and found that there was nothing wrong with get-login-password.

I think docker login is wrong.

I found out that even a random account like the one below will show a successful login.

`docker login --username AWS --password-stdin 111111111111.dkr.ecr.ap-northeast-1.amazonaws.com`

If it is a number and a letter, it will say that the login was successful.

I'll ask the docker cli.

Thank you for your kind attention.
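A defensive wrapper for the workflow in this thread, added here as an example (it is not code from the aws-cli project or from the reporter): it reads the `proxyEndpoint` that `get-authorization-token` returns, the same field visible in the debug log above, and refuses to run `docker login` when the target registry belongs to a different account or region than the credentials that were actually resolved. The `ecr_login` function assumes the `aws` and `docker` CLIs are installed and configured; the two check functions are plain string handling and run offline.

```shell
#!/bin/sh
# Added example, not from the aws-cli project: refuse to run docker login
# when the ECR token was issued for a different account or region than the
# registry being targeted. ecr_login assumes the aws and docker CLIs exist.
set -eu

# Turn a proxyEndpoint value such as
#   https://111111111111.dkr.ecr.ap-northeast-1.amazonaws.com
# into the bare registry host that docker login expects.
registry_from_endpoint() {
  endpoint="$1"
  endpoint="${endpoint#https://}"
  endpoint="${endpoint#http://}"
  printf '%s\n' "${endpoint%%/*}"
}

# Exit 0 when the target registry host equals the host from the token's
# proxyEndpoint. The full host is compared, so both the 12-digit account id
# and the region must agree; a mismatch means the credentials the CLI
# resolved (profile, env vars, shared file) belong to another account.
registry_matches_token() {
  target="$1"
  endpoint="$2"
  [ "$(registry_from_endpoint "$endpoint")" = "$target" ]
}

# Safer replacement for the piped command in the issue.
# Usage: ecr_login <registry-host> [--profile <name>] [--region <region>]
ecr_login() {
  target="$1"
  shift
  # proxyEndpoint names the registry of the account the resolved
  # credentials actually belong to, independent of the host we were given.
  endpoint=$(aws ecr get-authorization-token "$@" \
    --query 'authorizationData[0].proxyEndpoint' --output text)
  if ! registry_matches_token "$target" "$endpoint"; then
    printf 'refusing login: credentials are for %s, not %s\n' \
      "$(registry_from_endpoint "$endpoint")" "$target" >&2
    return 1
  fi
  aws ecr get-login-password "$@" \
    | docker login --username AWS --password-stdin "$target"
}
```

Because `docker login` reports "Login Succeeded" as long as the token authenticates, this check is the only point at which a wrong-account mix-up surfaces before a later `docker push` fails.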

tim-finnigan commented 2 years ago

Hi @salt4040, ok thanks for letting me know. I’m going to go ahead and close this but please let us know if you find anything out from the Docker CLI regarding this.
