Logging in to ecr registry with python docker sdk doesn't work as expected

Question

Assuming I have gotten the ecr credentials from boto already in an object called creds, when I do:

client = from_env()
client.login(creds.username, password=creds.password, registry=creds.endpoint)

I get:

{u'IdentityToken': u'', u'Status': u'Login Succeeded'}

Great so far! And I inspect:

client.api.__dict__

I get:

{'_auth_configs': {'auths': {'registry_i_just_logged_into': {'email': None,
'password': 'xxxxxxxxxxxxx',
'serveraddress': 'registry_i_just_logged_into',
'username': 'xxxxxxx'},
u'some_other_registry': {},
'credsStore': u'osxkeychain'}
.... (etc, etc)

Still so far, so good. But when I then do:

client.images.pull("registry_i_just_logged_into/some_repo", tag="latest")

Or when I do (from a command line):

docker pull registry_i_just_logged_into/some_repo:latest

I always get:

Error response from daemon: pull access denied for some_repo, repository does not exist or may require 'docker login'

Despite the fact that, if I do (with the same username and password I used to log in):

client.images.pull("registry_i_just_logged_into/some_repo", tag="latest", auth_config={'username': creds.username, 'password': creds.password})

It works no problems.

So I am assuming this is a problem with the order for resolving which registry to use, but it seems like the docker sdk should handle this if the key already exists within _auth_configs.

What am I doing wrong?

Thanks!

Answer 1

Short: rm -rf ~/.docker/config.json

Long: Remove credsStore, auths and credSstore properties from ~/.docker/config.json

Explanation: Probably, you have already tried to login. So your Docker config.json has credsStore, auths and credSstore properties. E.g.:

  "credSstore" : "osxkeychain",
  "auths" : {
    "acc_id_1.dkr.ecr.us-east-1.amazonaws.com" : {

    },
    "acc_id_2.dkr.ecr.us-east-1.amazonaws.com" : {

    },
    "https://acc_id_1.dkr.ecr.us-east-1.amazonaws.com" : {

    },
    "https://acc_id_2.dkr.ecr.us-east-1.amazonaws.com" : {

    }
  },
  "HttpHeaders" : {
    "User-Agent" : "Docker-Client/18.06.1-ce (darwin)"
  },
  "credsStore" : "osxkeychain"
}

Answer 2

token = client.get_authorization_token() returns base64 encoded token. So to successfully login you need to decode it.

import docker
import boto3
import base64

docker_client = docker.from_env()
client = boto3.client('ecr', aws_access_key_id="xyz", aws_secret_access_key="abc", region_name="ap-south-1")
token = client.get_authorization_token()
docker_client.login(username="AWS", password=base64.b64decode(token["authorizationData"][0]["authorizationToken"]).decode().split(":")[1], registry="xxxx.dkr.ecr.ap-south-1.amazonaws.com")

will return

{'IdentityToken': '', 'Status': 'Login Succeeded'}