113

I am trying to set up docker image of amazon ECR on ubuntu18.04 machine of AWS,using commands provided by view push commands of Amazon Container Services view push commands of amazon container services

,please note i have already set up docker on my ubuntu18.04 and also output of docker -v is as below

ubuntu@ip-172-31-0-143:~$ docker -v
Docker version 19.03.7, build 7141c199a2

When i execute the command provided by amazon container services on aws cli on ubuntu18.04 i get error as Error: Cannot perform an interactive login from a non TTY device

The command which i am using is 

aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 8233251134332.dkr.ecr.us-east-2.amazonaws.com/gatling-lots

please note i have successfully configured awscli and i can see the detailed from aws s3 ls

Here is detailed error log

ubuntu@ip-172-31-0-143:~$ aws ecr get-login-password --region us-   
east-2 | docker login --username AWS --password-stdin 
823443336.dkr.ecr.us-west-2.amazonaws.com/gatling-lots
usage: aws [options] <command> <subcommand> [<subcommand> ...]      
[parameters]
 To see help text, you can run:

aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument operation: Invalid choice, valid choices are:

 batch-check-layer-availability           | batch-delete-image                      
 batch-get-image                          | complete-layer-upload                   
create-repository                        | delete-lifecycle-policy                 
delete-repository                        | delete-repository-policy                
 describe-images                          | describe-repositories                   
 get-authorization-token                  | get-download-url-for-layer              
 get-lifecycle-policy                     | get-lifecycle-policy-preview            
 get-repository-policy                    | initiate-layer-upload                   
 list-images                              | put-image                               
 put-lifecycle-policy                     | set-repository-policy                   
 start-lifecycle-policy-preview           | upload-layer-part                       
 get-login                                | help                                    
 Error: Cannot perform an interactive login from a non TTY device

output of

ubuntu@ip-172-31-0-143:~$ (aws ecr get-login --no-include-email  --region us-east-2)

docker login -u AWS -p 

MzQxL2c0Yks4RjVxeDg9IiwidmVyc2lvbiI6IjIiLCJ0eXBlIjoiREFUQV9LRVkiLCJleHBpcmF0aW9uIjoxNTgzNjgzNDY5fQ== https://825251119036.dkr.ecr.us- east-2.amazonaws.com
valdeci
  • 13,962
  • 6
  • 55
  • 80
Carolyn Cordeiro
  • 1,525
  • 3
  • 11
  • 26
  • 5
    seems like you are using `awscliv1`, while the above command is for `awscliv2`, check your awscli version, or you can try `$(aws ecr get-login --no-include-email --region us-east-2)` – Adiii Mar 08 '20 at 02:06
  • @Adiii i have added the content of your question in the question above,it says access denied,what can be the casue i can see the output of aws s3 ls – Carolyn Cordeiro Mar 08 '20 at 02:14
  • you have only access to s3, you need to request to your AWS account admin to allow to get `GetAuthorizationToken` you need ` "ecr:GetAuthorizationToken",` this permission. for detail https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html – Adiii Mar 08 '20 at 02:24
  • @Adiii now i am getting output for ```$(aws ecr get-login --no-include-email --region us-east-2)``` ,as i have update din teh question above but still my problem. not solved i.e. i am getting ```Error: Cannot perform an interactive login from a non TTY device``` for aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin 8233251134332.dkr.ecr.us-east-2.amazonaws.com/gatling-lots – Carolyn Cordeiro Mar 08 '20 at 04:14
  • you need to add `$` or you can run the ouput command and then you will get login. seems like you miss `$` sign. try with `$(aws ecr get-login --no-include-email --region us-east-2)` – Adiii Mar 08 '20 at 05:53

22 Answers22

175

The problem is not aws but docker. The solution is on docker to use the -p parameter, and wrap the aws login call to the -p parameter as such:

docker login -u AWS -p $(aws ecr get-login-password --region the-region-you-are-in) xxxxxxxxx.dkr.ecr.the-region-you-are-in.amazonaws.com

And this requires AWS CLI version 2.

Devin Dixon
  • 11,553
  • 24
  • 86
  • 167
  • 3
    this may not be the safest method as mentioned here https://github.com/aws/aws-cli/issues/4962#issuecomment-591266185 – Kapoor Apr 18 '21 at 14:38
  • 2
    This should not be used if there's another alternative. See https://stackoverflow.com/a/51518255/5640649 – lealceldeiro Nov 01 '21 at 13:48
  • this didn't work for me on Ubuntu 22.10, but this did: `sudo chmod 666 /var/run/docker.sock` – jspinella Nov 18 '22 at 01:34
60

docker login prints this error message when you use --password-stdin, but don't actually send a password to the command's stdin.

For example:

$ echo "" | docker login --password-stdin --username jorendorff
Error: Cannot perform an interactive login from a non TTY device

Therefore, almost any kind of problem with the command before the | pipe symbol will result in this unhelpful error message.

Jason Orendorff
  • 42,793
  • 6
  • 62
  • 96
30

it took me forever to figure out that the issue was that I forgot to run aws configure and enter the right details. That solved my issue.

Joseph
  • 432
  • 4
  • 8
11

You need to install AWS CLI version 2. Follow the instructions in this Installing or updating the latest version of the AWS CLI

Abdullah Khawer
  • 4,461
  • 4
  • 29
  • 66
Achira Shamal
  • 527
  • 1
  • 5
  • 18
8

This command does the trick in bash and linux at 2020/10/06:

linux@host:~$ $(aws ecr get-login --no-include-email)

That's because

$ aws ecr get-login --no-include-email

Gives the following output:

docker login -u AWS -p xxxxxxxxxxxxx== https://xxx.dkr.ecr.eu-west-1.amazonaws.com

Fernando Pérez Casas
  • 81
  • 1
  • 1
  • This solution works with AWS CLI Version 1.X. See https://docs.aws.amazon.com/cli/latest/userguide/welcome-versions.html for more details on the differences and how to update to AWS CLI Version 2.X. – Pat Mar 12 '21 at 17:37
  • This is the only answer that I could get to work on a Raspberry Pi Zero with AWS CLI 1.x. – Ghost May 16 '23 at 13:35
7

Devin's answer is correct.

But there is one more way. The updated version of docker requires this parameter --password-stdin.

aws ecr get-login-password --region <YOUR_REGION> | docker login --username AWS --password-stdin  <ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com
Jigar
  • 3,256
  • 1
  • 30
  • 51
  • 3
    You mean the way that the question is about not working? Because the fact that this complains about "non TTY device" is precisely the issue. – theherk May 27 '21 at 14:42
5

Below steps are resolve that issue.

$curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

$aws --version

aws-cli/2.0.30 Python/3.7.3 Linux/4.14.181-142.260.amzn2.x86_64 botocore/2.0.0dev34

$aws ecr get-login-password --region your_region | docker login --username AWS --password-stdin Account_ID.dkr.ecr.your_region.amazonaws.com

Replace your Account ID and Region.

Lukasz Szczygielek
  • 2,768
  • 2
  • 20
  • 34
Thadikaran K
  • 127
  • 3
  • 8
4

I know this question is answered already, but, this was my experience.

This didn't work for me initially.

aws ecr get-login-password --region <your-region>| docker login --username AWS --password-stdin <your-container>

I had the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY saved under variables in GitLab.

But the solution was to uncheck the Protected flag from the variables saved on GitLab. I don't know how secure this approach is, but, it did work for me.

I hope this would help someone one day.

Dynamdilshan
  • 61
  • 5
1

Also remember you cannot log into partitioned regions (cn-* or gov) while using a non-partitioned AWS profile. Add --profile foo to specify a profile with your designated region.

dz902
  • 4,782
  • 38
  • 41
1

You need to authorize your EC2 machine to access AWS services either by

  • running aws configure and providing the right details OR
  • Give your EC2 machine a role to enable it access ECR

Also if you run your docker commands with sudo, then add sudo before the docker command as shown below

aws ecr get-login-password --region us-west-2 | sudo docker login --username AWS --password-stdin 8233251134332.dkr.ecr.us-east-2.amazonaws.com/gatling-lots

Cheers.

Sanim16
  • 151
  • 3
  • 6
1

I had the same problem with Atlassian Bamboo, and logging into AWS ECR from an SSH task in a build plan.

I could not run aws configure because of insufficient permissions.

So I solved this by setting the AWS credential variables and then the docker login as proposed by one of the other answers:

export AWS_ACCESS_KEY_ID=<value>
export AWS_SECRET_ACCESS_KEY=<value>
docker login -u AWS -p $(aws ecr get-login-password --region <region>) <accountid>.dkr.ecr.<region>.amazonaws.com

The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY can be created in your AWS profile, Security Credentials section.

Hope this helps someone, and a future me when I forget and come back to find help.

James K
  • 909
  • 10
  • 26
1

Hope this helps someone.

I tried everything until I removed hyphens from my aws account id. If your right click on your username, aws shows your account id like this:

6897-6070-0765

If you put that into the command, it won't work. It works without the dashes:

sudo aws ecr get-login-password --region us-east-1 | sudo docker login --username AWS --password-stdin 689760700765.dkr.ecr.us-east-1.amazonaws.com
Alejandro Veintimilla
  • 10,743
  • 23
  • 91
  • 180
0

In my case, I forgot to add ECR related policy in my AWS IAM. To add a policy follow these steps.

bad_coder
  • 11,289
  • 20
  • 44
  • 72
hemant yadav
  • 1
0

The issue I found is AWS CLI v1 vs AWS CLI v2. I resolved this by uninstalling v1 and installing AWS CLI v2.

Sean Faria
  • 1
0

No worries in this case. Just type 'aws configure' in your terminal and paste the security credentials such as 'aws_access_key_id' and 'aws_secret_access_key'and then type the region of the repository and the output format as 'json'.

It worked for me.

Tirumaleshn
  • 11
  • 1
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 20 '22 at 00:16
0

All of the above did not work for me on a windows OS. However, windows (10) was suggesting updates. I applied the Update & Restart and when I executed the login command

aws ecr get-login-password --region **your_region_code** | sudo docker login --username AWS --password-stdin **numeric-account-id**.dkr.ecr.**your-region-code**.amazonaws.com*

Everything worked again normally.

Preet Sangha
  • 64,563
  • 18
  • 145
  • 216
Umar Kayondo
  • 405
  • 4
  • 9
0

I got this error on Ubuntu 18.04 after my AWS CLI was automatically updated.

I solved it by reverting it back to the previous version using this command:

sudo apt-get install awscli=1.14.44-1ubuntu1 -V
jgosar
  • 2,469
  • 1
  • 16
  • 14
  • I am having same issue aws-cli/1.18.69 Python/3.6.9 Linux/5.4.0-1089-azure botocore/1.16.19 Docker version 20.10.14, build a224086 aws ecr get-login-password --region ${AWS_DEFAULT_REGION} | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid. Error: Cannot perform an interactive login from a non TTY device I am using Jenkins Pipeline. Any Idea how it can be resolved? – Ishika Jain Sep 06 '22 at 06:28
0

I faced this error after re-starting Docker.

It was solved when I did docker login initially.

Then aws ecr get-login-password --region <your_region> | docker login --username AWS --password-stdin <your_uri>/<your_image> command worked again.

damdafayton
  • 1,600
  • 2
  • 10
  • 19
0

This issue is common having used aws configure to input you temporary aws credentials and having used either aws configure set aws_session_token <session_token> or directly pasting the token in the ~/.aws/credentials file.

It may initially arise after a docker image build and docker fails to push the image with a Error saving credentials: error storing credentials - err: error.

On trying to update the docker credentials which are typically stored in ~/.docker/config.json, using aws ecr get-login-password --region <your-region> | docker login --username AWS --password-stdin <accountID>.dkr.ecr.eu-west-1.amazonaws.com you will be faced with a An error occurred (ExpiredTokenException) when calling the GetAuthorizationToken operation: The security token included in the request is expired Error: Cannot perform an interactive login from a non TTY device error.

Having uderstood the base scenario, here are the step I recommend to solve it:

  1. In the amazon web portal, on the page with Management cosole | Command line or programmatic access, refresh the page and click on Command line or programmatic access.
  2. In your CLI:

  • rm -rf ~/.aws

  • rm -rf ~/.docker/config.json

  • aws configure - at this point, paste in the Access Key ID, Secret Access Key, your region and output as json(These details should be acquired from the refreshed console access credentials page).

  • aws configure set aws_session_token "<token-goes-here>" - IMPORTANT: The new session token must be pasted here.

  1. You can go on to now run: aws ecr get-login-password --region <your-region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com

And you're done, all should be good now.

Steve Austin
  • 21
  • 4
0

for me, it was related to log in again with saml2aws

saml2aws login --force

aws --profile YOUR_AWS_PROFILE sts get-caller-identity

then try to login again AWS with Docker

aws --profile YOUR_AWS_PROFILE ecr get-login-password | docker login --username AWS --password-stdin xxxxxxxxxx.dkr.ecr.eu-west-1.amazonaws.com
Touseef Murtaza
  • 1,548
  • 14
  • 20
0

Update, 2023-07-18

Platform: Arch Linux amd64 (6.4.3-arch1-2)

I had to downgrade from 2.13.1 to 2.12.1 to get rid of this error (same as OP).

Robbie Capps
  • 417
  • 1
  • 5
  • 16
-1

This answer is for similar error getting for github actions. Please try this and let me know if this works

- name: Docker login
      uses: docker/login-action@v2
      with:
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_PASSWORD }}```
Hemil Turakhia
  • 1
  • 1