Docker push to AWS ECR hangs immediately and times out

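I'm trying to push my first Docker image to ECR. I've followed the steps provided by AWS and things seemed to be going smoothly until the final push, which times out immediately. Specifically, I pass my AWS ECR credentials to docker and get a "Login Succeeded" message. I then tag the image, which also works. When I push to the ECR repo I get no error message, only the following: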

The push refers to repository [xxxxxxxxxxx.dkr.ecr.ca-central-1.amazonaws.com/reponame]
714c1b96dd83: Retrying in 1 second
d2cdc77dd068: Retrying in 1 second
30aad807caf5: Retrying in 1 second
0559774c4ea2: Retrying in 1 second
285b8616682f: Retrying in 1 second
4aeea0ec2b15: Waiting
1b1312f842d8: Waiting
c310009e0ef3: Waiting
a48777e566d3: Waiting
2a0c9f28029a: Waiting
EOF

It retries many times and then exits without any message. What could be wrong?


I figured out my issue. I wasn't using the correct credentials. I had a personal AWS account as my default credentials and needed to add my work profile to my credentials.

EDIT
If you have multiple AWS profiles, you can specify the profile name at the docker login as below (assuming you have run aws configure --profile someprofile earlier):

aws ecr get-login-password --region us-east-1 --profile someprofile | docker login ....

I have to add this for anyone else encountering this problem: go to IAM and make sure you have put permissions. I don't want to say how long I wasted before figuring that out.

For me, I had to delete the stack and re-deploy the stack. Then, I was able to push the docker image to ECR.

Also make sure that you have configured correct policy for your user — for example, AmazonEC2ContainerRegistryFullAccess.

In my case it was related to MFA (Multi-Factor-Authentication). I had to create a session token. The docker login seemed to be successful, but pushing does not work.

The following script does it all for you and creates an AWS profile "mfa" used to log in: get_mfa_credentials.py

After executing it, you can log in with:

aws ecr get-login-password --region <YOUR_REGION> --profile mfa | docker login --username AWS --password-stdin <Your_REPO>

I do not know who wrote it, but I'm very grateful to this guy.

And thanks to AWS for bad tools that do not help.

You will get the same behaviour if you forget to create ECR repo before pushing.

Use CloudTrail to get a clue what is wrong.

I also was able to login to the registry, yet the pushing of the image would just timeout.

The solution for me was to add AmazonEC2ContainerRegistryFullAccess to my IAM user.

After adding that permission to my IAM user account, I could docker push to the ECS registry just fine.

If anyone is still stuck with the issue, I would highly recommend watching this short video: https://www.youtube.com/watch?v=89ZeXaZEf80&ab_channel=IdenticalCloud

Here are the steps I took to fix the issue (if you prefer not to watch the video):

  1. Create a new IAM user with "Access keys" checked
  2. Under permissions, click on "attach existing policies directly" and choose "AmazonEC2ContainerRegistryFullAccess"
  3. Download the CSV file
  4. Run "aws configure" in your terminal and pass in the credentials from the CSV file
  5. Set the location to the location you created your ECR (mine was us-east-1)
  6. Go to ECR and follow the steps to push the image

In my case, the repository I wanted to push to didn't exist (For example, I tried pushing to my-app/backend:latest but only the my-app/cms repository exists). So make sure your repository exists in the AWS ECR Console in the right region. The error returned from AWS CLI (EOF) didn't help at all.

Check your AWS permissions. In addition to the AmazonEC2ContainerRegistryFullAccess permission, the actions below have to be granted for the correct resource. Especially check the "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/${REGISTRY_NAME}" part.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:ListImages",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/${REGISTRY_NAME}"
        },
        {
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}

Please check the CloudTrail event logs; this is where all the API issues are clearly highlighted.

In my case it was because I had a - in my image name, and hence it was throwing the following error in the CloudTrail logs:

"The repository with name 'myimage-nginx' does not exist in the registry with id '516583196897'"

Please note the - in the image name.

Fixing the image name to remove the - resolved the issue for me.

Commands

docker tag nginx:latest 516583196897.dkr.ecr.ap-south-1.amazonaws.com/myimage:latest

docker push 516583196897.dkr.ecr.ap-south-1.amazonaws.com/myimage:latest

In my case I was creating the repo in us-east-2 and attempting to push to us-east-1, so docker couldn't find it.

Make sure the name of your registry is the same as the name of your image: image:latest 756839881602.dkr.ecr.us-east-1.amazonaws.com/image:latest. In this case my registry name is image and my image name is image as well. This worked for me.

For those who tried the solution above and it didn't work, make sure the image name you are pushing is the same as the repository name.

Make sure your assumed AWS role has the ability to push images to AWS ECR. The easiest way is to check the role via the command:

aws sts get-caller-identity --profile=saml

Ensure you are using the correct profile and that the repository exists.

Command to log in with a profile: aws ecr get-login-password --region <region> --profile=<profile-name> | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.eu-west-1.amazonaws.com

Command to create the repo if it does not exist: aws ecr describe-repositories --repository-names ${REPO_NAME} || aws ecr create-repository --repository-name ${REPO_NAME} (source)

Assuming you authenticated successfully to AWS and you have permissions to read and write to ECR, check if the repository exists:

aws ecr describe-repositories --repository-names reponame

If you get a RepositoryNotFoundException error, create the repository with the following command:

aws ecr create-repository --repository-name reponame

After that, try to push again; it will be fine!
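Several causes reported in the answers above (credentials for a different account, a repository that does not exist, a repository created in another region) can be checked before pushing, since docker itself only reports retries and EOF. The script below is an added example and not part of any answer in this thread; the function names parse_ecr_ref and ecr_preflight are hypothetical, and it assumes the AWS CLI is installed and the standard <account>.dkr.ecr.<region>.amazonaws.com registry host.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before `docker push`.

# Split an ECR image reference into "ACCOUNT REGION REPOSITORY".
# Returns 1 (printing nothing) if the reference is not an ECR URI.
parse_ecr_ref() {
    ref=$1
    host=${ref%%/*}                  # registry host, before the first "/"
    path=${ref#*/}                   # repository[:tag] or repository[@digest]
    [ "$host" != "$ref" ] || return 1
    case $host in
        [0-9]*.dkr.ecr.*.amazonaws.com) ;;
        *) return 1 ;;
    esac
    account=${host%%.*}
    region=${host#*.dkr.ecr.}
    region=${region%.amazonaws.com}
    repo=${path%%@*}                 # drop a digest, if present
    repo=${repo%%:*}                 # drop a tag, if present
    [ -n "$repo" ] || return 1
    printf '%s %s %s\n' "$account" "$region" "$repo"
}

# Check identity, account and repository for an image reference.
# $1 = image reference, $2 = AWS CLI profile (optional).
# Runs in a subshell so the exported profile does not leak to the caller.
ecr_preflight() (
    [ -z "${2:-}" ] || export AWS_PROFILE="$2"
    parsed=$(parse_ecr_ref "$1") || { echo "not an ECR reference: $1" >&2; exit 2; }
    set -- $parsed
    account=$1 region=$2 repo=$3
    # Which account do the active credentials belong to?
    caller=$(aws sts get-caller-identity --query Account --output text) || exit 3
    [ "$caller" = "$account" ] ||
        echo "warning: credentials are for account $caller, registry is $account" >&2
    # Does the repository exist in the registry and region named in the tag?
    aws ecr describe-repositories --registry-id "$account" --region "$region" \
        --repository-names "$repo" >/dev/null || {
        echo "cannot describe '$repo' in $account/$region (see AWS error above)" >&2
        exit 4; }
    echo "ok: '$repo' exists in $account/$region"
)

# Usage: ecr_preflight 516583196897.dkr.ecr.ap-south-1.amazonaws.com/myimage:latest someprofile
```

If the pre-flight passes and the push still retries, the remaining candidates from the thread are the IAM push actions on the repository ARN and an MFA session, both of which show up as denied calls in CloudTrail.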