Get-login deprecated

faberfedor · November 10, 2020, 7:45pm

FYI, peeps. The example given on page 42:

$(aws ecr get-login --no-include-email)

is deprecated (actually, disabled) as of Docker 17.xx. I ended up using this to login:

docker login -u AWS -p $(aws ecr get-login-password --profile default) repo_name

michael · November 11, 2020, 7:14am

Hi @faberfedor
you run the commands outside of the temporary working environment we provide, right?

I can also find the following example in the docs:

aws ecr get-login-password \
| docker login \
    --username AWS \
    --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com

Not sure if there are advantages over one of the two solutions?

michael · November 11, 2020, 7:26am

btw: can you post the error message? I don’t see any difference in your command and the command that is executed when running aws ecr get-login --no-include-email

faberfedor · November 11, 2020, 4:45pm

Sure thing:

[faber@Fabers-MacBook-Air dashboard-apis (rapid_docker)] 2020-11-11 11:43:40$ aws ecr get-login --no-include-email
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: argument operation: Invalid choice, valid choices are:

batch-check-layer-availability           | batch-delete-image
batch-get-image                          | complete-layer-upload
create-repository                        | delete-lifecycle-policy
delete-repository                        | delete-repository-policy
describe-image-scan-findings             | describe-images
describe-repositories                    | get-authorization-token
get-download-url-for-layer               | get-lifecycle-policy
get-lifecycle-policy-preview             | get-repository-policy
initiate-layer-upload                    | list-images
list-tags-for-resource                   | put-image
put-image-scanning-configuration         | put-image-tag-mutability
put-lifecycle-policy                     | set-repository-policy
start-image-scan                         | start-lifecycle-policy-preview
tag-resource                             | untag-resource
upload-layer-part                        | get-login-password
wait                                     | help

Googling led me to this page: https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login.html

faberfedor · November 11, 2020, 6:55pm

Yes, I am running it locally in my Mac environment.

The docs mention that using get-login-password will make your password visible to other users on your machine and the get-authorization-token should be used instead. I’ll be looking into that later today.

michael · November 12, 2020, 12:26pm

From the get-authorization-token docs:

The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. The AWS CLI offers an get-login-password command that simplifies the login process

Bottom line is:

The deprecation is not related to Docker, it is related to the AWS CLI
We should switch from $(aws ecr get-login --no-include-email) to aws ecr get-login-password | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

system · November 26, 2020, 12:26pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

michael · February 16, 2021, 10:04am

We updated the ebook and code examples to use the new aws ecr get-login-password | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com approach!