Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

boto3 ecr get_authorization_token return incorrect token

See original GitHub issue

Hi, Today I have experienced this issue with boto3 ecr. I used a simple scripts to get token from boto3 to access login docker on 2 machines.

import boto3
from docker import Client
client = boto3.client('ecr', region_name="us-east-1")
response = client.get_authorization_token(
    registryIds=[
        'MY ACCOUNT ID',
    ]
)
print response
token = response["authorizationData"][0]["authorizationToken"]
endpoint = response["authorizationData"][0]["proxyEndpoint"]
cli = Client(base_url='unix://var/run/docker.sock')
cli.login(username="AWS", password=token, registry=endpoint)
print cli

I ran the script on 2 machines with the same full access to ecr role. 2 machines returned same token, however only one machine worked with this token, the other returned 403 Forbidden.

Since I have a cluster of machines using ECR, I need all of them to be able to connect with ECR

Issue Analytics

State:
Created 8 years ago
Comments:13 (3 by maintainers)

Top GitHub Comments

17reactions

stolaticommented, Mar 17, 2017

The solution : the token returned by boto (in fact aws api) is not the password. It’s a base64 encoded user:password. You should do user, password = base64.b64decode(token).split(':') Hope it will unblock someone.

2reactions

mrtjcommented, Sep 21, 2021

For completeness, here’s how to login to an ECR repo with docker-py:

import base64
import boto3
import docker
docker_client = docker.from_env()

def ecr_login(region):
    ecr = boto3.client('ecr', region_name=region)
    resp = ecr.get_authorization_token()
    auth_resp = resp['authorizationData'][0]
    token = auth_resp['authorizationToken']
    registry = auth_resp['proxyEndpoint']
    username, password = base64.b64decode(token).decode('utf-8').split(':')
    docker_client.login(username=username, password=password, registry=registry)

Top Results From Across the Web

ECR — Boto3 Docs 1.26.33 documentation - AWS

A low-level client representing Amazon EC2 Container Registry (ECR) ... Returns: True if the operation can be paginated, False otherwise. close ()¶.

Docker Python library cannot properly login into AWS ECR

Based on my findings, I can either use boto3 or run a sub-process ... get_authorization_token returns username and password but it is base ......

Resolve "The security token included in the request is expired ...

You must refresh the credentials before they expire. Another reason for expiration is using the incorrect time. A consistent and accurate time reference...

Python get authorization token - ProgramCreek.com

This page shows Python code examples for get authorization token. ... ConnectionError: return AuthenticationResponse(success=False, err_message="Unable to ...

How to connect to AWS ECR using python docker-py

import boto3 import base64 import docker sess = boto3.Session() resp = sess.client('ecr').get_authorization_token() token ...