`Authorization Token has expired` issue AWS-CLI on MacOS Sierra
Solution 1
Neither of the solutions above worked for me, but I found that when I set the region in the ecr login command it worked.
aws ecr get-login --region us-west-2
Solution 2
You might just be running the command and not pasting the command that is echo'd out from that command back into the terminal. Easy mistake to make. Once you run:
aws ecr get-login --no-include-email --region us-east-1
It will print out another command to run, you'll need to copy that command and run it in your terminal to authenticate fully.
Or a cool shortcut is to just pipe the echo'd command back into the shell with:
aws ecr get-login --no-include-email --region us-east-1 | sh
Solution 3
Latest versions of Docker use a new credentials storage feature which has a bug where doing a docker login with a URL that specifies a protocol will result in token expiration errors. This issue will be fixed in Docker 1.13.
For the time being, the workaround is to execute your login commands without specifying the protocol.
So in the command blob returned by `aws ecr get-login`:
docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
Should be replaced with this:
docker login -u AWS -p AQECAHh....b6Wk -e none 1234567890.dkr.ecr.eu-west-1.amazonaws.com
Omitting the `https://` should make docker work for the time being.
Solution 4
This answer worked for me using the AWS CLI v2.0.26
https://github.com/aws/aws-cli/issues/4962#issuecomment-592064025
aws --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin xxxxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com
where us-west-2 is your region and the xxxxxxxxxxxxxx is your account ID found at the beginning of the line below "Repository Name" here: https://us-west-2.console.aws.amazon.com/ecr/create-repository?region=us-west-2
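The scheme and region checks that Solutions 1, 3 and 4 depend on, followed by the stdin-based login, as an added shell example (not part of any answer on this page). The function names are hypothetical, and it assumes the `<account>.dkr.ecr.<region>.amazonaws.com` host shape used in the answers.

```shell
#!/bin/sh
# Added example: pre-flight checks for an ECR login, then the login itself.
# Function names are hypothetical; hosts in the usage line are the page's samples.

# Strip any scheme and any /repo:tag suffix so docker login gets a bare host.
normalize_registry() {
    host=${1#*://}                 # drop "https://" or "http://"
    printf '%s\n' "${host%%/*}"    # drop "/service-web:latest" and similar
}

# Print the region embedded in <account>.dkr.ecr.<region>.amazonaws.com.
# Returns 1 when the host does not have that shape (for example a typo
# such as ".dk.ecr." instead of ".dkr.ecr.").
registry_region() {
    host=$(normalize_registry "$1")
    case $host in
        [0-9]*.dkr.ecr.*.amazonaws.com) ;;
        *) return 1 ;;
    esac
    rest=${host#*.dkr.ecr.}
    printf '%s\n' "${rest%.amazonaws.com}"
}

# Succeed only when the registry's region equals the region you intend to
# request the token for (e.g. the one in ~/.aws/config or AWS_DEFAULT_REGION).
region_matches() {
    r=$(registry_region "$1") && [ "$r" = "$2" ]
}

# Log in with the region taken from the registry host itself, so a different
# CLI default region cannot produce a token for the wrong registry. The
# password travels over stdin, not as a -p argument on the command line.
ecr_login() {
    host=$(normalize_registry "$1")
    region=$(registry_region "$host") || {
        echo "not an ECR registry host: $host" >&2
        return 2
    }
    aws --region "$region" ecr get-login-password |
        docker login --username AWS --password-stdin "$host"
}

# Usage: ecr_login https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
```

Calling `ecr_login` once at the start of each CI job requests a fresh token for that job, which keeps the 12-hour token lifetime from affecting the pipeline.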
Solution 5
You need to refresh your authorization token every 12 hours. Try:
$(aws ecr get-login --no-include-email --region us-east-1)
- change region according to your configuration
Comments
-
Ludo - Off the record almost 2 years
I'm trying to push a docker image to the AWS ECR repository using the aws-cli.
- I just run the `get-login` command
- execute the output (which returns `login succeeded`)
- then try to push a docker image then I get the message:
denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.
I don't know what's going wrong, I'm pushing to the right repo, the time on my mac is correct. This was working before, but since I reinstalled my mac and upgraded to macOS Sierra it's not working anymore, so probably related to that.
My `aws --version` output: aws-cli/1.11.34 Python/2.7.10 Darwin/16.3.0 botocore/1.4.91
The complete output of the commands I run:
$ aws ecr get-login --region eu-west-1
docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
$ docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
Flag --email has been deprecated, will be removed in 1.13.
Login Succeeded
$ docker push 1234567890.dkr.ecr.eu-west-1.amazonaws.com/service-web:latest
The push refers to a repository [1234567890.dkr.ecr.eu-west-1.amazonaws.com/service-web]
c1f87971dfa9: Preparing
2eb644aea3de: Preparing
9c8843ffe48e: Preparing
39bb58d049d4: Preparing
f053bc969599: Preparing
7169084246b8: Waiting
bb134a1936fd: Waiting
184e76848a1c: Waiting
75c8fcf65748: Waiting
eb9b9ee1ea58: Waiting
f4bf35723edd: Waiting
ddffe1a64b3c: Waiting
fd1a1154db16: Waiting
b542e946067a: Waiting
d49ed2a5e1ed: Waiting
bb39b980367a: Waiting
25b8358d062f: Waiting
997eee521fc7: Waiting
50b5447183a8: Waiting
4339b5cb0e1d: Waiting
3dbd4a53b21b: Waiting
2bec16216500: Waiting
b9fd8e264df6: Waiting
b6ca02dfe5e6: Waiting
denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.
-
Ludo - Off the record over 7 years
Removing the scheme didn't work. When I removed it it didn't login at all, it just hangs. I also tried adding http:// instead of https:// but also didn't work, and tried to add :443 instead of the https:// scheme, but no luck.
-
Serandel over 7 years
It doesn't work for me, with Docker 1.13 on Ubuntu Yakkety. Removing "https://" makes no difference, it says it succeeded but causes the same error when pushing. :(
-
mdjnewman over 7 years
This fixed things for me with docker-machine on OS X, client & server version 1.12.6. Thanks!
-
mmla about 7 years
Did not work for me using the latest Docker Toolbox. (v1.13.1)
-
mattmc about 7 years
Thanks this worked for me. In my deployment script I did the following:
aws_login=$(aws ecr get-login)
aws_login=${aws_login//https:\/\//}
-
mjalajel almost 7 years
I'm facing the same problem with elastic beanstalk. When I ssh into the instance and remove 'https://', it works (however elastic beanstalk doesn't persist changes made during an ssh session). Do you know of any method to fix this long-term on beanstalk? Full details: forums.aws.amazon.com/message.jspa?messageID=782827
-
saikarthik parachi almost 7 years
This worked for me too. Setting the region did not work as told by Kamil.
-
Tamás Sengel over 6 years
This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review
-
Nik over 6 years
Thanks for the feedback. Updated my answer. Hope now it's clear.
-
Malvineous over 6 years
This solved it for me too. I think the reason in my case was that the ECR I was trying to push to was in a different region to what my default was in `~/.aws/config`.
-
johnsam over 6 years
That worked. I had a duplicate entry for the same region, which probably caused Docker to get confused.
-
MarzSocks over 6 years
Whilst this gives you a token, the token is only valid for 12 hours. Which is not good for CI. Is there a way to increase the expiry of the token?
-
Ludo - Off the record about 6 years
it should be either "-p <profilename>" or "--profile <profilename>" and not --p like you suggest.
-
Steffen Opel almost 5 years
Given the AWS CLI needs to call the GetAuthorizationToken API action, this doesn't seem to make sense, and I'm unable to reproduce this accordingly, are you? When I deliberately invalidate an access key by changing a character, the AWS CLI 1.16.190 yields the appropriately phrased error message `An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.`.
-
tavor999 over 4 years
Profile was my issue too. after a long weekend, I forgot that I usually set an env variable and didn't realize that I had forgotten to do it again
-
olisteadman over 4 years
For me it was `us-west-1` at the end, instead of `us-west-2`, in line with the user credentials I'd submitted to `aws configure`.
-
Akif over 4 years
Yes, exactly! Actually `aws ecr get-login --no-include-email` just returns the command to login as `docker login -u AWS -p <token> <ecr_repo>`. In order to run the command `eval $(...)` is necessary.
-
C8H10N4O2 about 4 years
this works but raises a warning "WARNING! Using --password via the CLI is insecure. Use --password-stdin."
-
Khoa almost 4 years
aws-cli/v2 removed flag `--no-include-email`. In my case, I use ECR's TOKEN for Azure Pipeline CICD, it expires every day, which disturbs my CICD flow. Any idea for this case?
-
Ashwani Agarwal almost 4 years
What's the purpose of removing `-e none`?
-
Joshua Wolff almost 4 years
You do not need to refresh your token every 12 hours
-
Joshua Wolff almost 4 years
The token is valid for 12 hours, but you do not need to refresh it manually every 12 hours. docs.aws.amazon.com/cli/latest/reference/ecr/…
-
Joshua Wolff almost 4 years
get-login is deprecated. I added an updated answer here: stackoverflow.com/questions/41379808/…
-
Amit Gautam over 3 years
This worked like a charm - I have docker-1.13.1-162 and this solution did the trick.
-
supernova over 3 years
This only works in CLI v1 and is not the preferred way going forward. Better use the `get-login-password` version which is available from 1.17.10. See docs.aws.amazon.com/cli/latest/userguide/…
-
Brooks about 3 years
This worked for me. Docker desktop v.3.2.1
-
Navigatron about 3 years
For anyone using the above, you may need to change the `region` mentioned in the above command.
-
Raptor almost 3 years
Should be --no-include-email (2 dashes)
-
supernova almost 3 years
Fixed. Thanks for the feedback!
-
ritmatter over 2 years
This worked thanks
-
Vignesh over 2 years
@Dakota Hipp it's working. Thanks for posting answer.
-
Dan almost 2 years
Worked after updating the numeric value that is in the first part of the URI to match the one that applies for my ECR project
*****.dk.ecr.us-east-1.amazonaws.com