awslabs / amazon-ecr-credential-helper

Automatically gets credentials for Amazon ECR on docker push/docker pull
Apache License 2.0

Is access to api.ecr-public.us-east-1.amazonaws.com required for this thing to work? #327

Open danwashusen opened 2 years ago

danwashusen commented 2 years ago

We are attempting to use ecr-login in a locked-down network, and despite configuring the AWS region in every place I can think of (AWS_REGION, AWS_DEFAULT_REGION, ~/.aws/config) it always tries to connect to api.ecr-public.us-east-1.amazonaws.com.

Also please add some better debug logging... ecr-login get just hangs with ZERO output or logs...

2022-06-27T01:23:05.000000+00:00 /aws/network-firewall/alert/ops-vpc-firewall_2022-06-27-01 {"firewall_name":"ops-vpc-firewall","availability_zone":"ap-southeast-2a","event_timestamp":"1656292985","event":{"timestamp":"2022-06-27T01:23:05.662689+0000","flow_id":XYZ,"event_type":"alert","src_ip":"10.10.11.239","src_port":46724,"dest_ip":"52.46.155.103","dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":40,"rev":1,"signature":"not matching any TLS allowlisted FQDNs","category":"","severity":1},"tls":{"sni":"api.ecr-public.us-east-1.amazonaws.com","version":"UNDETERMINED","ja3":{},"ja3s":{}},"app_proto":"tls"}}
time="2022-06-27T01:22:44Z" level=debug msg="Listing credentials"
time="2022-06-27T01:22:44Z" level=debug msg="Checking file cache" registry=
time="2022-06-27T01:22:44Z" level=debug msg="Calling ECR.GetAuthorizationToken for default registry"
time="2022-06-27T01:22:44Z" level=debug msg="Saving credentials to file cache" registry=111111 service=ecr
time="2022-06-27T01:22:44Z" level=debug msg="Checking file cache for ECR Public"
time="2022-06-27T01:23:15Z" level=debug msg="couldn't get authorization token for public registry" error="ecr: failed to get authorization token: operation error ECR PUBLIC: GetAuthorizationToken, exceeded maximum number of attempts, 3, https response error StatusCode: 0, RequestID: , request send failed, Post \"https://api.ecr-public.us-east-1.amazonaws.com/\": net/http: TLS handshake timeout"

Does this thing require access to US-EAST-1 to work?
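
Added example, not part of the original issue or of the project's code: a triage script that correlates the two kinds of log quoted above, matching hosts the firewall blocked by SNI against hosts the helper failed to reach and reporting how long the helper stalled. The sample lines are constructed from the logs in the issue and trimmed; the function names are hypothetical.

```python
import json
import re
from datetime import datetime

# Constructed samples modelled on the two logs in the issue (trimmed to the fields used).
FIREWALL_LOG = [
    '2022-06-27T01:23:05.000000+00:00 /aws/network-firewall/alert/ops-vpc-firewall_2022-06-27-01 '
    '{"firewall_name":"ops-vpc-firewall","event":{"event_type":"alert",'
    '"dest_ip":"52.46.155.103","dest_port":443,"alert":{"action":"blocked",'
    '"signature":"not matching any TLS allowlisted FQDNs"},'
    '"tls":{"sni":"api.ecr-public.us-east-1.amazonaws.com"}}}',
]
HELPER_LOG = [
    'time="2022-06-27T01:22:44Z" level=debug msg="Checking file cache for ECR Public"',
    'time="2022-06-27T01:23:15Z" level=debug msg="couldn\'t get authorization token '
    'for public registry" error="request send failed, Post '
    '\\"https://api.ecr-public.us-east-1.amazonaws.com/\\": net/http: TLS handshake timeout"',
]
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')  # logrus key=value or key="quoted"
URL_HOST = re.compile(r'https://([A-Za-z0-9.-]+)')

def blocked_snis(lines):
    """Return the TLS SNI names that the firewall alert log reports as blocked."""
    names = set()
    for line in (l for l in lines if "{" in l):
        event = json.loads(line[line.index("{"):]).get("event", {})
        sni = event.get("tls", {}).get("sni")
        if sni and event.get("alert", {}).get("action") == "blocked":
            names.add(sni)
    return names

def stalled_calls(lines):
    """Yield (host, seconds since the previous log line) for helper lines with an error."""
    previous = None
    for line in lines:
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if "time" not in fields:
            continue
        when = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%SZ")
        host = URL_HOST.search(fields.get("error", ""))
        if host and previous:
            yield host.group(1), (when - previous).total_seconds()
        previous = when

def explain_hangs(firewall_lines, helper_lines):
    """Map each blocked SNI the helper also failed on to its longest stall in seconds."""
    blocked, result = blocked_snis(firewall_lines), {}
    for host, gap in stalled_calls(helper_lines):
        if host in blocked:
            result[host] = max(gap, result.get(host, 0.0))
    return result
```

On the sample lines, `explain_hangs(FIREWALL_LOG, HELPER_LOG)` attributes a 31-second stall to the blocked ECR Public endpoint.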

andrericardo commented 2 years ago

+1 for hanging without any output or logs...