AWS ECR Login Failure

[kedarparallel]

Expected behavior

• I want to login to AWS ECR registry from bash script using one of the following option:

1. eval $(aws ecr get-login --no-include-email --region ${aws_ecr_region})
2. TOKEN=$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken') docker login -u AWS -p ${TOKEN} http://${aws_container_registry_name}
3. echo "$(aws ecr get-authorization-token --region ${aws_ecr_region} --output text --query 'authorizationData[].authorizationToken' | base64 -d | cut -d: -f2) | docker login -u AWS https://${aws_container_registry_name} --password-stdin"

Actual behavior

All 3 of the options mentioned above give error:

Error response from daemon: login attempt to https://XXXXXX.dkr.ecr.us-west-2.amazonaws.com/v2/ failed with status: 400 Bad Request

However, if I simply copy paste these commands(after substituting variables) and manually execute, all of them work fine.

Information

• docker version : Docker version 18.09.1, build 4c52b90
• aws version: aws-cli/1.16.96 Python/2.7.5 Linux/4.9.127-32.el7.x86_64 botocore/1.12.86
• I went through these https://github.com/docker/for-win/issues/653, https://github.com/docker/for-mac/issues/523, https://stackoverflow.com/questions/50203159/aws-ecr-login-with-javascript-sdk-no-include-email-flag and none of the solutions helped.
• Running script from CentOS7

Steps to reproduce the behavior

1. eval $(aws ecr get-login --no-include-email --region ${aws_ecr_region}) from within script or 1 or 2 mentioned in 'Expected Behaviour'

[kedarparallel]

Running bash script in debug mode helped me solve issue. If you just run eval $(aws ecr get-login --no-include-email --region ${aws_ecr_region}) for some reason between password and ecr name it adds 3 spaces while you actually need ==

So I replaced it with following code:

cmd=$(aws ecr get-login --no-include-email --region ${aws_ecr_region})
spaces="   "
equals="=="
eval "${cmd/$spaces/$equals}"