165

I'm trying to push my first Docker image to ECR. I've followed the steps provided by AWS and things seem to be going smoothly until the final push, which immediately times out. Specifically, I pass my AWS ECR credentials to Docker and get a "login succeeded" message. I then tag the image, which also works. Pushing to the ECR repo, I get no error message, just the following:

The push refers to repository [xxxxxxxxxxx.dkr.ecr.ca-central-1.amazonaws.com/reponame]
714c1b96dd83: Retrying in 1 second 
d2cdc77dd068: Retrying in 1 second 
30aad807caf5: Retrying in 1 second 
0559774c4ea2: Retrying in 1 second 
285b8616682f: Retrying in 1 second 
4aeea0ec2b15: Waiting 
1b1312f842d8: Waiting 
c310009e0ef3: Waiting 
a48777e566d3: Waiting 
2a0c9f28029a: Waiting 
EOF

It tries a bunch of times and then exits with no message. Any idea what's wrong?

Jesse McMullen-Crummey

25 Answers

144

I figured out my issue. I wasn't using the correct credentials. I had a personal AWS account as my default credentials and needed to add my work profile to my credentials.

EDIT
If you have multiple AWS profiles, you can mention the profile name at the docker login as below (assuming you have run aws configure --profile someprofile at an earlier date):

aws ecr get-login-password --region us-east-1 --profile someprofile | docker login ....
TRiNE
Jesse McMullen-Crummey
  • 4
    Had the same error but my problem was that the user didn't have the correct permissions. – Zoran Jan 04 '22 at 17:12
  • 1
    In my case, the AWS Account has ECR permission set to * (all). But I still face the issue – Ven Jan 09 '22 at 20:06
  • Finally, I figured out the issue. There are 2 things. One is AWS Login and the other one is ECR Login. For Pull, we need to do both for the Source and for Push, we need to do both for Target account. This solved the issue. Most disappointing part is where AWS CLI doesn't say that it is an authentication issue. – Ven Jan 10 '22 at 07:21
  • I was using aws sso login and my default account did not match the one where my ECR was located. – JohnOpincar Feb 24 '22 at 16:58
  • Yeah, my confusion came from, so in Harbor I create a repo like: harbor.mydomain.com/org, then push my image which will be under .../org/image, and this works. In AWS you do not set up .../org separately, you need to do .../org/image-name as the name of the repository. CloudTrain, suggested by Alena below this answer solved it beautifully. – thenamewasmilo Mar 07 '22 at 13:01
  • Thank you, this was great clue to resolve my retrying issue. The role I was using did not have enough permissions. – Simon Jun 14 '22 at 11:01
  • My issue stems from an MFA restriction policy I set up that interrupted access to my repository. I'm not sure if anyone has encountered this issue – Hiram Sep 23 '22 at 19:25
  • In my case, the registry URL was bad. Check the accountID, the region and the repository name in the URL. – Salem May 01 '23 at 14:14
85

You will get the same behaviour if you forget to create ECR repo before pushing.

Use CloudTrail to get a clue what is wrong.

Alena Melnikova
  • I immediately feel stupid, but at least I can now push the image xD – David Jul 20 '22 at 22:39
  • Thanks, looking at CloudTrail helped me fix my issue. Indeed, `docker push...` does not return useful error messages. I understand it can't return AWS ECR internal error messages, because AWS shouldn't send them back. But at least, it could have said "we got a request denied error from the repo you tried to push at - check with them please" :) – tyrex Oct 03 '22 at 09:14
  • Also, you have to create the REPO as a PRIVATE REPOSITORY so the desired URI [xxxxxxxxxxx.dkr.ecr.ca-central-1.amazonaws.com/reponame] is mapped accordingly – Abhiram Satputé Nov 07 '22 at 13:24
  • So stupid, but even if you remember to create it, make sure you match your underscores, dashes, and stuff... can be easily overlooked. – Andrej Mohar Jan 23 '23 at 14:21
  • thank you. What a brain fart. – Karl Pokus Mar 26 '23 at 21:03
  • CloudTrail ended up revealing my issue as well, good recommendation. I specifically forgot to alter an IAM Policy to give access to the image, so it was erroring out due to permissions. – anden-akkio May 21 '23 at 00:17
  • Cloudtrail note was the answer; thanks for that. – Abraam Magued May 29 '23 at 10:03
  • Yeah using CloudTrail helps a lot, I had a "UploadLayerPart" event telling me I had the wrong naming for my ECR registry that wasn't showing anywhere else :) Thanks – Alex Jun 27 '23 at 13:16
38

Make sure the name of your repository is the same as the name of your image, e.g. image:latest and 756839881602.dkr.ecr.us-east-1.amazonaws.com/image:latest. In this case my repository name is image and my image name is image as well. This worked for me.

JasonAzze
user19303171
  • 2
    This is what got me too. Strange how the ECR repository name has to be the same as the docker image name. – Magic Mick Sep 12 '22 at 06:00
  • 4
    a repository is for one image. The image you are pushing has to be tagged with the exact name of the repository. – Tim Richardson Sep 22 '22 at 00:01
  • 1
    This was my case, wasted so much time. – Yariv Levy Feb 20 '23 at 07:43
  • Same here - it's strange that there is no feedback for this. Thankfully I checked CloudTrail, but still wasted a few hours... – Pythoner Mar 07 '23 at 21:17
  • 1
    This is what happened to me too, and it is quite unintuitive for ECR "repository name" == "container image name" and that's not how docker works. `push` should be able to create images in a repo regardless of its name. – theist Mar 12 '23 at 09:03
28

Also make sure that you have configured correct policy for your user — for example, AmazonEC2ContainerRegistryFullAccess.

Kiryl Anokhin
  • 1
    Just want to add that even with `ecr:*` the error on `docker push` after a successful login can be a `Retrying in x seconds`, then failing. Adding this Managed Policy solved the issue in my case. – thlik Apr 25 '23 at 10:27
17

In my case, the repository I wanted to push to didn't exist (For example, I tried pushing to my-app/backend:latest but only the my-app/cms repository exists). So make sure your repository exists in the AWS ECR Console in the right region. The error returned from AWS CLI (EOF) didn't help at all.

sonlexqt
12

Check your AWS permissions. In addition to the AmazonEC2ContainerRegistryFullAccess permission, the actions below have to be granted for the correct resource. Especially check the "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/${REGISTRY_NAME}" part.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/${REGISTRY_NAME}"
    },
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
aykcandem
  • 3
    Giving `AmazonEC2ContainerRegistryFullAccess` will negate the need for the additional permissions listed here as its effect is to `Allow` the action `"ecr:*"` on resource `"*"`. – RianLauw Jul 19 '22 at 22:34
12

Assuming you authenticated successfully to AWS and you have permissions to read and write to ECR, check whether the repository exists:

aws ecr describe-repositories --repository-names reponame

If you get a RepositoryNotFoundException error, create the repository with the following command:

aws ecr create-repository --repository-name reponame

After that, try to push again, it will be fine!

Hieu
11

I have to add for anyone else encountering this problem. Go to IAM and make sure you have put permissions. I don't want to say how long I wasted before figuring that out.

Edit to help @zac's answer: The policies that need to be attached are AmazonEC2ContainerRegistryFullAccess and AWSAppRunnerServicePolicyForECRAccess

AJB
Zac Rogerson
  • 3
    Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 07 '22 at 22:11
  • Can you please elaborate? I am having the same issue. In my case, the AWS Account has ECR permission set to * (all). But I still face the issue. – Ven Jan 09 '22 at 20:05
  • Finally, I figured out the issue. There are 2 things. One is AWS Login and the other one is ECR Login. For Pull, we need to do both for the Source and for Push, we need to do both for Target account. This solved the issue. Most disappointing part is where AWS CLI doesn't say that it is an authentication issue – Ven Jan 10 '22 at 07:21
  • @ven can you please elaborate more regarding AWS login and ECR login? – Reighend Jan 20 '22 at 05:23
11

In my case it was related to MFA (Multi-Factor-Authentication). I had to create a session token. The docker login seemed to be successful, but pushing does not work.

The following script does it all for you and creates an AWS profile "mfa" used to log in: get_mfa_credentials.py

After executing, you can log in with:

aws ecr get-login-password --region <YOUR_REGION> --profile mfa | docker login --username AWS --password-stdin <Your_REPO>

I do not know who wrote it, but I'm very grateful to this guy.

And thanks to AWS for bad tools that do not help.

  • 1
    This should be more upvoted. If you don't want any script, you can do it manually following this tutorial https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/ which is from Amazon itself. After configuring the `mfa` profile just log in to docker – Alejandro Barone Sep 23 '22 at 22:55
  • This doesn't work if you use a hardware security key. In my case the easiest solution was to create a new AWS user just for ECR access. – Mihail Marinov May 26 '23 at 11:01
6

For those who tried the solution above, and it didn't work, make sure the image name you are pushing is the same as the repository name.

whatspoppin
6

Ensure you are using the correct profile and that the repository exists

Command to login with profile: aws ecr get-login-password --region <region> --profile=<profile-name> | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.eu-west-1.amazonaws.com

Command to create the repo if it does not exist: aws ecr describe-repositories --repository-names ${REPO_NAME} || aws ecr create-repository --repository-name ${REPO_NAME} (source)

Stian
  • 1
    In my case, I misunderstood that ECR is different from a repository. I used to push on GCP without creating a repo, but ECR does not automatically create the repository if it does not exist. https://github.com/aws/containers-roadmap/issues/853 – Nicolas Roux Oct 14 '22 at 05:11
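
The checks that several answers above arrive at (credentials belong to the account named in the URI, the repository exists in the URI's region, and its name matches the tag exactly), as an added shell example that is not part of any answer. `parse_ecr_ref`, `diagnose_push` and `ecr_preflight` are hypothetical names; the live wrapper assumes the AWS CLI is installed and the caller is allowed `ecr:DescribeRepositories`.

```shell
#!/bin/sh
# Added example: preflight for an ECR push. Function names are illustrative
# and are not part of the AWS CLI or Docker.

# Split <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag] into
# "account region repo tag"; returns 1 if it is not an ECR image reference.
parse_ecr_ref() {
    host=${1%%/*}; path=${1#*/}
    [ "$host" != "$1" ] && [ -n "$path" ] || return 1
    case $host in *.dkr.ecr.*.amazonaws.com) ;; *) return 1 ;; esac
    account=${host%%.*}
    region=${host#*.dkr.ecr.}; region=${region%.amazonaws.com}
    case $account in ''|*[!0-9]*) return 1 ;; esac
    [ "${#account}" -eq 12 ] || return 1
    repo=${path%%:*}; tag=latest
    case $path in *:*) tag=${path##*:} ;; esac
    printf '%s %s %s %s\n' "$account" "$region" "$repo" "$tag"
}

# Offline check. Args: image reference, account ID of the active credentials,
# whitespace-separated names of the repositories that exist in the URI's region.
# Prints one finding; returns 0 only if the push target is consistent.
diagnose_push() {
    caller=$2; existing=$3
    fields=$(parse_ecr_ref "$1") || { echo BAD_REFERENCE; return 1; }
    set -- $fields    # $1=account $2=region $3=repository $4=tag
    if [ "$1" != "$caller" ]; then
        echo "WRONG_ACCOUNT uri=$1 credentials=$caller"; return 1
    fi
    # Exact, whole-name match: "reponame/extra" or "my_app" vs "my-app" fails.
    if ! printf '%s\n' "$existing" | tr -s ' \t' '\n' | grep -qxF -- "$3"; then
        echo "NO_SUCH_REPOSITORY $3 in $2"; return 1
    fi
    echo "OK $3:$4 in $2"
}

# Live wrapper; assumes the AWS CLI is installed and credentials are set up.
# Usage: ecr_preflight <image-ref> [profile]
ecr_preflight() {
    fields=$(parse_ecr_ref "$1") || { echo BAD_REFERENCE; return 1; }
    region=$(echo "$fields" | cut -d' ' -f2)
    caller=$(aws sts get-caller-identity ${2:+--profile "$2"} \
        --query Account --output text) || return 1
    repos=$(aws ecr describe-repositories ${2:+--profile "$2"} \
        --region "$region" --query 'repositories[].repositoryName' \
        --output text) || return 1
    diagnose_push "$1" "$caller" "$repos"
}
```

Source the file and run `ecr_preflight <image-ref> someprofile` before `docker push`; any finding other than `OK` points at the account, region or repository name used in the tag.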
4

I also was able to login to the registry, yet the pushing of the image would just timeout.

The solution for me was to add AmazonEC2ContainerRegistryFullAccess to my IAM user.

After adding that permission to my IAM user account, I could docker push to the ECS registry just fine.

Dylan Pierce
3

The issue was resolved, when I created the docker repository first (in ECR) and then pushed it to ECR. Remember to create the docker repository, before running the docker push command.

Roopesh
2

For me, I misconfigured the tag name like this:

$ docker tag <image_name>:latest xxxxxxxxxxx.dkr.ecr.ca-central-1.amazonaws.com/reponame/<additional_string>:latest
$ docker push xxxxxxxxxxx.dkr.ecr.ca-central-1.amazonaws.com/reponame/<additional_string>:latest
...timeout...

And I found the <additional_string> should be deleted:

$ docker tag <image_name>:latest xxxxxx.amazonaws.com/reponame:latest
$ docker push xxxxxx.amazonaws.com/reponame:latest
...success!...
King.Zevin
1

If anyone is still stuck with the issue, I would highly recommend watching this short video: https://www.youtube.com/watch?v=89ZeXaZEf80&ab_channel=IdenticalCloud

Here are the steps I took to fix the issue (if you prefer not to watch the video):

  1. Create a new IAM user with "Access keys" checked
  2. Under permissions, click on "attach existing policies directly" and choose "AmazonEC2ContainerRegistryFullAccess"
  3. Download the CSV file
  4. Run "aws configure" on your terminal and pass in the credentials from the CSV file
  5. Set the location to the location you created your ECR (mine was us-east-1)
  6. Go to ECR and follow the steps to push the image
1

Please check the CloudTrail event logs; this is where all the API issues are clearly highlighted.

In my case it was because I had a - in my image name, and hence it was throwing the following error in the CloudTrail logs:

"The repository with name 'myimage-nginx' does not exist in the registry with id '516583196897'"

Please note the - in the image name.

Fixing the image name to remove the - resolved the issue for me.

Commands

docker tag nginx:latest 516583196897.dkr.ecr.ap-south-1.amazonaws.com/myimage:latest

docker push 516583196897.dkr.ecr.ap-south-1.amazonaws.com/myimage:latest
bguiz
0

For me, I had to delete the stack and re-deploy the stack. Then, I was able to push the docker image to ECR.

0.618
0

In my case I was creating the repo in us-east-2 and attempting to push to us-east-1, so docker couldn't find it.

alf
0

Make sure your assumed aws role has the ability to push images to AWS ECR. Easiest is to check the role via the command:

aws sts get-caller-identity --profile=saml
Bhaskar Reddy
0

I was following this documentation and hit this error. What addressed the problem was using the repository id instead of the account name.

aws ecr create-repository creates a repo, returning a repositoryUri. Then, the docker login, docker tag and docker push should be done using that repository URL instead of the user one.

juanignaciosl
0

I had this problem with sam deploy

  • sam delete --stack-name ...
  • sam deploy --guided

worked for me

Elia Weiss
0

Haven't found any solution?

Maybe you are falling in the use case I had.

Identifiers:

  1. You are working on different AWS accounts on the same terminal.

  2. When jumping between AWS accounts, you're using export AWS_PROFILE (directly or via some tool or command) in the terminal level to export the profile.

  3. You are able to push sometimes, and sometimes not.

  4. You do manage to login with aws ecr get-login-password.

What was the cause?

When I switched between AWS accounts, although I had a valid session token for each account, I sometimes forgot to export AWS_PROFILE back to the relevant profile.

Rot-man
0

In my case, it was a configuration issue: the AWS CLI was configured for my other AWS account and I was trying to push my image to my mother account.

Figured it out with aws configure, and changed the necessary credentials.

0

In my case I didn't specify a region in my policy:

- Effect: Allow
  Action:
    - ecr:*
  Resource: !Sub "arn:aws:ecr::${AWS::AccountId}:repository/my-image"

Should be:

- Effect: Allow
  Action:
    - ecr:*
  Resource: !Sub "arn:aws:ecr:eu-central-1:${AWS::AccountId}:repository/my-image"
Dave
-1

The easiest way I have found is this: go to the console and create a repository. Click on the created repo to see the "View push commands" button. Click it and it will list all the commands you need to build and push the image into the repo. You don't need to make any changes.

yakob abada