2

I have followed this post to try to download a Docker image from AWS ECR but I get the following errors:

If I do:

#!/bin/sh

repository="2xxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/nexus-pro"
tag="2.13.0-np-1.0"

ecr_token=$(aws ecr get-authorization-token --output text --query authorizationData[].authorizationToken | cut -d: -f2)

docker_login=$(echo "{\"username\":\"AWS\",\"password\":\"${ecr_token}\", \"auth\":\"\",\"email\":\"none\"}" | base64)

curl -X POST -d "" -H "X-Registry-Auth: ${docker_login}" http://${ip_address}:4243/images/create?fromImage=${repository}&tag=${tag_source}

Then I get the following error:

$ error parsing HTTP 403 response body: invalid character 'Y' looking for beginning of value: "Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one."

Even though I just "requested" the token.

And if I do this:

#!/bin/sh

repository="2xxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/nexus-pro"
tag="2.13.0-np-1.0"

ecr_token=$(aws ecr get-login | awk '{print ($6)}')

docker_login=$(echo "{\"username\":\"AWS\",\"password\":\"${ecr_token}\", \"auth\":\"\",\"email\":\"none\"}" | base64)

curl -X POST -d "" -H "X-Registry-Auth: ${docker_login}" http://${ip_address}:4243/images/create?fromImage=${repository}&tag=${tag_source}

I get the following error:

$ error parsing HTTP 404 response body: invalid character 'p' after top-level value: "404 page not found\n"

The image is on ECR and I can pull it if I do the docker login ... and then docker pull 2xxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/nexus-pro:2.13.0-np-1.0

I'm not sure what I'm doing wrong here.. Any help is very much appreciated!

Community
  • 1
  • 1
Fadi
  • 1,329
  • 7
  • 22
  • 40

1 Answers1

2

Basic authentication is only supported over HTTPS. The docker client will not send basic auth headers when pushing/pulling on a registry over HTTP. This is done by design to prevent people sending their credentials over insecure channels. Using SSL should get rid of the issue.

Try using below:

https://${ip_address}:4243/images/create?fromImage=${repository}&tag=${tag_source}

Or enable a SSL certificate for the instance from where you are pulling the image. Tis might help you. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html

Piyush Patil
  • 14,512
  • 6
  • 35
  • 54
  • Hmm, I'm getting this error now: `curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol` – Fadi Jul 08 '16 at 14:31
  • Use this https://registry.hub.docker.com instead of https://${ip_address} – Piyush Patil Jul 08 '16 at 14:39
  • The `${ip_address}` is the instance that has Docker Engine installed.. It's _not_ the registry.. – Fadi Jul 08 '16 at 14:52
  • Ok then you have to get a SSL certificate for that instance because the basic authentication works only for Https. This might help you http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html – Piyush Patil Jul 08 '16 at 14:55
  • Are you sure because according to this post: http://stackoverflow.com/questions/24814714/docker-remote-api-pull-from-docker-hub-private-registry/24824171#24824171 the person has done it without https – Fadi Jul 08 '16 at 14:57
  • Check the comments for above question you mentioned it did not worked for them. – Piyush Patil Jul 08 '16 at 14:58
  • Thanks, hmm.. There's mention of allowing basic auth over HTTP.. I wonder if this has been implemented some how or not.. But anyway thanks for your help (I'm going to have to think of doing this from a different approach). – Fadi Jul 08 '16 at 15:12