`Authorization Token has expired` issue AWS-CLI on MacOS Sierra

I'm trying to push a docker image to the AWS ECR repository using the aws-cli.

• I just run the get-login command
• execute the output (which returns login succeeded)
• then try to push a docker image then I get the message:
  denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.

I don't know whats going wrong, I'm pushing to the right repo, the time on my mac is correct. This was working before, but since I reinstalled my mac and upgraded to macOS Sierra it's not working anymore, so probably related to that.

My aws --version output:

aws-cli/1.11.34 Python/2.7.10 Darwin/16.3.0 botocore/1.4.91

The complete output of the commands I run:

$ aws ecr get-login --region eu-west-1
docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
$ docker login -u AWS -p AQECAHh....b6Wk -e none https://1234567890.dkr.ecr.eu-west-1.amazonaws.com
Flag --email has been deprecated, will be removed in 1.13.
Login Succeeded
$ docker push 1234567890.dkr.ecr.eu-west-1.amazonaws.com/service-web:latest
The push refers to a repository [1234567890.dkr.ecr.eu-west-1.amazonaws.com/service-web]
c1f87971dfa9: Preparing 
2eb644aea3de: Preparing 
9c8843ffe48e: Preparing 
39bb58d049d4: Preparing 
f053bc969599: Preparing 
7169084246b8: Waiting 
bb134a1936fd: Waiting 
184e76848a1c: Waiting 
75c8fcf65748: Waiting 
eb9b9ee1ea58: Waiting 
f4bf35723edd: Waiting 
ddffe1a64b3c: Waiting 
fd1a1154db16: Waiting 
b542e946067a: Waiting 
d49ed2a5e1ed: Waiting 
bb39b980367a: Waiting 
25b8358d062f: Waiting 
997eee521fc7: Waiting 
50b5447183a8: Waiting 
4339b5cb0e1d: Waiting 
3dbd4a53b21b: Waiting 
2bec16216500: Waiting 
b9fd8e264df6: Waiting 
b6ca02dfe5e6: Waiting 
denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.

Removing the scheme didn't work. When I removed it it didn't login at all, it just hangs. I also tried adding http:// instead of https:// but also didn't work, and tried to add :443 instead of the https:// scheme, but no luck.

It doesn't work for me, with Docker 1.13 on Ubuntu Yakkety. Removing "https://" makes no difference, it says it succeeded but causes the same error when pushing. :(

This fixed things for me with docker-machine on OS X, client & server version 1.12.6. Thanks!

Did not work for me using the latest Docker Toolbox. (v1.13.1)

Thanks this worked for me. In my deployment script I did the following: aws_login=$(aws ecr get-login) aws_login=${aws_login//https:\/\//}

I'm facing the same problem with elastic beanstalk. When I ssh into the instance and remove 'https://', it works (however elastic beanstalk doesn't persist changes made during an ssh session). Do you know of any method to fix this long-term on beanstalk? Full details: forums.aws.amazon.com/message.jspa?messageID=782827

This worked for me too. Setting the region did not work as told by Kamil.

This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review

Thanks for the feedback. Updated my answer. Hope now it's clear.

This solved it for me too. I think the reason in my case was that the ECR I was trying to push to was in a different region to what my default was in ~/.aws/config.

That worked. I had a duplicate entry for the same region. which probably caused Docker to confuse.

Whilst this gives you a token, the token is only valid for 12 hours. Which is not good for CI. Is there a way to increase the expiry of the token?

it should be either "-p <profilename>" or "--profile <profilename>" and not --p like you suggest.

Given the AWS CLI needs to call the GetAuthorizationToken API action, this doesn't seem to make sense, and I'm unable to reproduce this accordingly, are you? When I deliberately invalidate an access key by changing a character, the AWS CLI 1.16.190 yields the appropriately phrased error message An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid..

Profile was my issue too. after a long weekend, I forgot that I usually set an env variable and didn't realize that I had forgotten to do it again

For me it was us-west-1 at the end, instead of us-west-2, in line with the user credentials i'd submitted to aws configure.

Yes, exactly! Actually aws ecr get-login --no-include-email just returns the command to login as docker login -u AWS -p <token> <ecr_repo>. In order to run the command eval $(...) is necessary.

this works but raises a warning "WARNING! Using --password via the CLI is insecure. Use --password-stdin."

aws-cli/v2 removed flag --no-include-email. In my case, I use ECR's TOKEN for Azure Pipeline CICD, it expires everyday that disturbs my CICD flow. Any idea for this case.

What's the purpose of removing -e none?

You do not need to refresh your token every 12 hours

The token is valid for 12 hours, but you do not need to refresh it manually every 12 hours. docs.aws.amazon.com/cli/latest/reference/ecr/…

get-login is deprecated. I added an updated answer here: stackoverflow.com/questions/41379808/…

This worked like charm- I have docker-1.13.1-162 and this solution did the trick.

This only works in CLI v1 and is not the preferred way going forward. Better use the get-login-password version which is available from 1.17.10. See docs.aws.amazon.com/cli/latest/userguide/…

This worked for me. Docker desktop v.3.2.1

For anyone using the above, you may need to change the region mentioned in the above command.

Should be --no-include-email (2 dashes)

Fixed. Thanks for the feedback!

This worked thanks

@Dakota Hipp it's working. Thanks for posting answer.

Worked after updating the numeric value that is in the first part of the URI to match the one that applies for my ECR project *****.dk.ecr.us-east-1.amazonaws.com