Amazon ECS private DockerHub repo: Unable to decode provided docker credentials error

Question

I have a private repository on DockerHub which I am trying to deploy with ECS. I always get the following error:

Unable to decode provided docker credentials module="ecs credentials" type="dockercfg"

or if I try with type docker:

Unable to decode provided docker credentials module="ecs credentials" type="docker"

I have tried all possibilities mentioned on the ECS developer forums.

I tried:

ECS_ENGINE_AUTH_TYPE=dockercfg
ECS_ENGINE_AUTH_DATA='{"https://index.docker.io/v1/":{"auth":"<token>","email":"<email>"}}'

I also tried:

ECS_ENGINE_AUTH_TYPE=docker
ECS_ENGINE_AUTH_DATA='{"https://index.docker.io/v1/":{"username":"<username>","password":"<password>","email":"<email>"}}'

And also (because of the docs at https://godoc.org/github.com/aws/amazon-ecs-agent/agent/engine/dockerauth):

ECS_ENGINE_AUTH_TYPE=docker
ECS_ENGINE_AUTH_DATA='{"https://index.docker.io/v1/<username>":{"username":"<username>","password":"<password>","email":"<email>"}}'

I also tried without the '' and with "" around the JSON.. same effect. I always get the same error.

I should add I am getting ecs.config from an S3 container which works fine. I have also retyped the file manually in case there is some dubious formatting when the file is downloaded (though I don't see how this can be the case as the S3 file comes as a byte stream).

If I SSH into the instance and do the following:

docker login --username=<username> --password=<password> --email=<email>

I can then pull the image succesfully: docker pull A/B:latest

However, even after I log in (and therefore docker generates the ~/.docker/config.json file), I still get the same error from ECS.

I should mention all operations in changing the ecs.config file were done as follow:

1. Change number of tasks to 0
2. Wait to finish
3. sudo stop ecs
4. Change config file
5. sudo start ecs
6. Change number of tasks to 1

Repeat...

It is getting very frustrating.. How should this work or how has it changes since the documentation was written?

Any help would be appreciated.

EDIT

I also tried setting the docker auth in the JSON config file in /etc/ecs/ecs.config.json:

{
        "EngineAuthType": "docker",
        "EngineAuthData": {
                "https://index.docker.io/v1/": {
                        "username": "<me>",
                        "password": "<password>",
                        "email": "<email>"
                }
        }
}

The JSON configuration for this is described here: https://godoc.org/github.com/aws/amazon-ecs-agent/agent/config. It is also mentioned in the code comments here: https://github.com/aws/amazon-ecs-agent/blob/b197eddd9d5272eeac7dddaa2a84cc4c85522354/agent/engine/dockerauth/doc.go

More specifically:

These keys may be set by either setting the environment variables "ECS_ENGINE_AUTH_TYPE" and "ECS_ENGINE_AUTH_DATA" or by setting the keys "EngineAuthData" and "EngineAuthType" in the JSON configuration file located at the configured "ECS_AGENT_CONFIG_FILE_PATH" (see http://godoc.org/github.com/aws/amazon-ecs-agent/agent/config)

This is again, giving the same error ...

Answer 1

After spending some time looking through the code of the ECS agent (https://github.com/aws/amazon-ecs-agent) I realised where the problem is. The problem is in the email field which should be removed!

So, just to recap how to do this:

You need to follow the instructions here: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html.

However, all the examples there include the email field.

The ecs.config should look like this:

ECS_ENGINE_AUTH_TYPE=dockercfg
ECS_ENGINE_AUTH_DATA={"https://index.docker.io/v1/":{"auth":"<your auth token>"}}

To load the ecs.config from an S3 container when your instances are created follow this: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html, particularly the "To store an ecs.config file in Amazon S3" and "To load an ecs.config file from Amazon S3 at launch" headings.