Docker API 1.39 Build image from ECR repository

Description

The Docker API v1.37 “build” endpoint returns an error: no basic auth credentials

I have a few ECR repositories. I’m running an EC2 instance which has an attached instance profile role with full permissions to ECR.

I’m running the Docker daemon on the remote EC2 instance; both instances have full permissions to ECR.

I’m trying to perform a build operation using the Docker API. The Dockerfile includes a FROM statement which points to one of the images in one of my ECR repositories.

Here’s what I’m trying to do.

password=$(aws ecr get-login --no-include-email --output text --region us-east-2 | awk '{printf $6}')
registryAuth=$(echo -n '{"username": "AWS", "password": "'$password'", "serveraddress": "https://my_aws_account.dkr.ecr.us-east-2.amazonaws.com/v2/"}'| base64 -w0)

I’ve tried using various options for the server

  1. https://my_aws_account.dkr.ecr.us-east-2.amazonaws.com/v1/
  2. https://my_aws_account.dkr.ecr.us-east-2.amazonaws.com/
  3. https://my_aws_account.dkr.ecr.us-east-2.amazonaws.com/v2/

curl -v -X POST --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -H "X-Registry-Auth: $registryAuth" -H "Content-Type:application/tar" --data-binary '@Dockerfile.tar.gz' http://localhost:2375/v1.37/build

I’m getting the same error

* upload completely sent off: 188 out of 188 bytes
< HTTP/1.1 200 OK
< Api-Version: 1.39
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/18.09.3 (linux)
< Date: Thu, 07 Mar 2019 16:02:27 GMT
< Transfer-Encoding: chunked
<
{"stream":"Step 1/1 : FROM my_aws_account.dkr.ecr.us-east-2.amazonaws.com/slicer_base:latest"}
{"stream":"\n"}
{"errorDetail":{"message":"Get https://my_aws_account.dkr.ecr.us-east-2.amazonaws.com/v2/slicer_base/manifests/latest: no basic auth credentials"},"error":"Get https://my_aws_account.dkr.ecr.us-east-2.amazonaws.com/v2/slicer_base/manifests/latest: no basic auth credentials"}
* Connection #0 to host localhost left intact

Do I need to pass the aws ecr get-login or the aws ecr get-authorization-token to the password of the registryAuth? Should it be base64 encoded?

I’ve tried both options, aws ecr get-login and aws ecr get-authorization-token; neither of them worked for me.

Here’s my dockerd startup configuration:
/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

Output of docker version:

Client:
 Version:           18.09.3
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        774a1f4
 Built:             Thu Feb 28 06:40:58 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.3
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.8
  Git commit:       774a1f4
  Built:            Thu Feb 28 05:59:55 2019
  OS/Arch:          linux/amd64
  Experimental:     false

Output of docker info:

Containers: 1
 Running: 0
 Paused: 0
 Stopped: 1
Images: 2
Server Version: 18.09.3
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: nvidia runc
Default Runtime: nvidia
Init Binary: docker-init
containerd version: e6b3f5632f50dbc4e9cb6288d911bf4f5e95b18e
runc version: 12f6a991201fdb8f82579582d5e00e28fba06d0a-dirty
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-1060-aws
Operating System: Ubuntu 16.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.795GiB
Name: ip-10-220-3-78
ID: YZ6T:HXM4:XJNW:GUDY:XA6J:U2KX:R7CJ:TQHE:TPXY:HCNA:R4VL:M3AZ
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
WARNING: No swap limit support

This issue is related to another issue/question which has been opened here

Source: StackOverflow
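
An added example, not part of the original question and not Docker's or AWS's own code: the Engine API's /build endpoint takes registry credentials from the X-Registry-Config header, a base64-encoded JSON object keyed by registry host, rather than from X-Registry-Auth. The function names and the sample token are constructed for illustration; the registry host reuses the question's placeholder.

```shell
#!/usr/bin/env bash
# Added example: build an X-Registry-Config value for POST /build.
# A real token comes from (token is valid for a limited time):
#   aws ecr get-authorization-token --region us-east-2 --output text \
#     --query 'authorizationData[0].authorizationToken'

# An ECR authorizationToken is base64("AWS:<password>"); return the password part.
ecr_password_from_token() {
  local decoded
  decoded=$(printf '%s' "$1" | base64 -d) || return 1
  case "$decoded" in
    AWS:*) printf '%s' "${decoded#AWS:}" ;;
    *) echo "unexpected token format" >&2; return 1 ;;
  esac
}

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit the header value: JSON {"<registry host>": {"username","password"}},
# base64-encoded with the URL-safe alphabet (the form the Docker CLI sends).
registry_config_header() {
  local host=$1 user=$2 pass=$3
  printf '{"%s":{"username":"%s","password":"%s"}}' \
    "$(json_escape "$host")" "$(json_escape "$user")" "$(json_escape "$pass")" \
    | base64 | tr -d '\n' | tr '/+' '_-'
}

# Demo with a constructed token; no AWS call is made here.
token=$(printf 'AWS:constructed-password' | base64)
header=$(registry_config_header \
  "my_aws_account.dkr.ecr.us-east-2.amazonaws.com" AWS \
  "$(ecr_password_from_token "$token")")
echo "X-Registry-Config: $header"
# Then repeat the question's curl call with
#   -H "X-Registry-Config: $header"
# in place of the X-Registry-Auth header.
```

Send this header over the unix socket or a TLS-protected listener; on the plain tcp://0.0.0.0:2375 listener from the dockerd command line above, it would carry the ECR password in cleartext.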