How to fix - AWS ECR docker login error storing credentials - err exit status 1?
This is a short troubleshooting blog post on how to fix the following error when running aws ecr get-login-password --region <region-name> | docker login.
Here is the error message -
Error saving credentials: error storing credentials - err: exit status 1, out: Post http://ipc/registry/credstore-updated: dial unix backend.sock:connection: connection refused
Here is the screenshot of the error -
Table of Contents
- Root Cause - What are the possible root causes based on the operating system you are using?
- Remove the .docker/config.json file - Easy fix by removing the .docker/config.json file
- Allow docker-credential-osxkeychain.bin in macOS - Allow docker-credential-osxkeychain.bin from the Keychain Access application in macOS
- Install Amazon ECR Docker Credential Helper - Use Amazon ECR Docker Credential Helper from Amazon Labs
- Conclusion
(NOTE - Here is a detailed guide on how to push a Docker image to AWS ECR)
Root Cause
There could be multiple reasons behind this error, but here are the most likely ones -
1. .docker/config.json - Whenever we try to push or pull a Docker image, Docker internally tries to update the .docker/config.json file. It is quite possible that you previously worked with Docker and your .docker/config.json file has not been updated with the latest AWS ECR credentials. In such a scenario, you need to remove the .docker/config.json file and re-run the aws ecr get-login command. The detailed steps for removing the .docker/config.json file are given later in this post.
2. docker-credential-osxkeychain.bin - The second root cause applies to macOS users. Whenever you run the aws ecr get-login command on macOS, it internally tries to access the Keychain. In most cases, a pop-up asks the user for permission to access the Keychain. But with the above error, it is possible that no pop-up appears after running the aws ecr get-login command and you end up with the error. The detailed steps for handling this error on macOS are given below.
1. Remove the .docker/config.json file
The easiest way to fix the error is by removing the .docker/config.json file. Here are the steps -
1. Locate file - The .docker/config.json file is generally present under the home directory. You can use either of the following commands to locate the file -
# This ls command can be run from any location
# If it does not work, use the find command below

ls ~/.docker/config.json
Here is the find command to locate the .docker/config.json file -
# The following find command searches the entire disk for .docker/config.json

find / -path '*/.docker/config.json' 2>/dev/null
2. Remove .docker/config.json - After you find the file, you can run the following command to remove it. Make sure to use the correct location of config.json so that the rm command succeeds.
# This rm command assumes that the file is located under the home directory - ~/.docker/config.json
# It also discards any other registry logins and credential helper settings kept in that file
rm ~/.docker/config.json
3. Re-run aws ecr get-login-password - After successfully removing the .docker/config.json file, re-run the aws ecr get-login-password command.
Here is my command which was executed successfully -
# AWS ECR get-login-password command after removing the .docker/config.json file

aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin 242396018804.dkr.ecr.eu-central-1.amazonaws.com
Here is the screenshot of the successful login-
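As an added example (not part of the original post), this Python script inspects a parsed config.json before it is deleted in step 2: it reports credential helpers that the file names but that are not on PATH, and logins that are kept as plain base64 under auths. SAMPLE_CONFIG, the account ID 123456789012 and the function name audit_docker_config are constructed for illustration.

```python
import base64
import shutil

# Constructed sample config.json: credsStore names a helper that may not be
# installed, and one registry still has a base64 login left under "auths".
SAMPLE_CONFIG = {
    "credsStore": "desktop",
    "credHelpers": {"public.ecr.aws": "ecr-login"},
    "auths": {
        "123456789012.dkr.ecr.eu-central-1.amazonaws.com": {
            "auth": base64.b64encode(b"AWS:constructed-token").decode()
        },
        "https://index.docker.io/v1/": {},
    },
}

def audit_docker_config(config, which=shutil.which):
    """Return (severity, message) findings for a parsed config.json."""
    findings = []
    # Docker runs the binary docker-credential-<name> for every helper name.
    helpers = {"credsStore": config.get("credsStore")}
    for registry, name in config.get("credHelpers", {}).items():
        helpers[f"credHelpers[{registry}]"] = name
    for source, name in helpers.items():
        if name and which(f"docker-credential-{name}") is None:
            findings.append(("error", f"{source}: docker-credential-{name} not on PATH"))
    # An "auth" value is base64 of user:password, readable by anyone who can read the file.
    for registry, entry in config.get("auths", {}).items():
        if entry.get("auth"):
            user = base64.b64decode(entry["auth"]).decode(errors="replace").split(":", 1)[0]
            findings.append(("warn", f"auths[{registry}]: plaintext login for user {user}"))
    if not config.get("credsStore") and not config.get("credHelpers"):
        findings.append(("warn", "no credential helper configured; docker login will write to auths"))
    return findings

if __name__ == "__main__":
    import json
    import pathlib
    path = pathlib.Path.home() / ".docker" / "config.json"
    config = json.loads(path.read_text()) if path.exists() else SAMPLE_CONFIG
    for severity, message in audit_docker_config(config):
        print(f"{severity}: {message}")
```

The last warning also describes the state right after the file is removed: with no helper configured, the next docker login stores the ECR token base64-encoded in config.json.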
2. Allow docker-credential-osxkeychain.bin from Keychain Access Application
This error is very common on macOS, and to fix it you have to allow docker-credential-osxkeychain.bin inside the Keychain Access application.
It happens because when you run the aws ecr get-login-password command, it tries to access the Keychain item, and because of macOS security you need to explicitly allow docker-credential-osxkeychain.bin.
Follow the steps below -
1. Open Keychain Access application - Open Spotlight Search in macOS by pressing (command+spacebar) and type in Keychain Access.
2. Allow docker-credential-osxkeychain.bin - After opening the Keychain Access application, you can allow docker-credential-osxkeychain.bin.
Please refer to the following screenshot -
It should fix your issue on macOS.
3. Install Amazon ECR Docker Credential Helper
If none of the above solutions work, you can use the utility from AWS Labs.
The only prerequisite for this tool is that you need at least Docker 1.11 installed on your machine.
3.1 Installation
How to install?
Based on your operating system use the following instructions for installing the Amazon ECR Docker Credential Helper -
Amazon Linux 2 -
# For Amazon Linux 2

sudo amazon-linux-extras enable docker
sudo yum install amazon-ecr-credential-helper
macOS
For macOS, you can use Homebrew -
# For macOS

brew install docker-credential-helper-ecr
It is also possible to use MacPorts -
# For macOS

sudo port install docker-credential-helper-ecr
Debian/Ubuntu
# For Debian-based Linux, e.g. Ubuntu

sudo apt update
sudo apt install amazon-ecr-credential-helper
Arch Linux
# For Arch Linux

git clone https://aur.archlinux.org/amazon-ecr-credential-helper.git
cd amazon-ecr-credential-helper
makepkg -si
3.2 Set docker-credential-ecr-login in PATH
You can do either of the following to put docker-credential-ecr-login on the PATH -
1. Move the binary (docker-credential-ecr-login) to /usr/local/bin or /usr/bin - After the installation you will have either of two binaries based on the operating system you are using.
- docker-credential-ecr-login
- amazon-ecr-credential-helper
Use the following copy commands to move the binary to /usr/local/bin or /usr/bin
# copy docker-credential-ecr-login to /usr/local/bin

sudo cp ./bin/local/docker-credential-ecr-login /usr/local/bin/docker-credential-ecr-login
# copy docker-credential-ecr-login to /usr/bin

sudo cp ./bin/local/docker-credential-ecr-login /usr/bin/docker-credential-ecr-login
# copy amazon-ecr-credential-helper to /usr/local/bin

sudo cp ./bin/local/amazon-ecr-credential-helper /usr/local/bin/amazon-ecr-credential-helper
# copy amazon-ecr-credential-helper to /usr/bin

sudo cp ./bin/local/amazon-ecr-credential-helper /usr/bin/amazon-ecr-credential-helper
2. Add the binary (docker-credential-ecr-login) path to the $PATH variable - Go to your .bash_profile and update the $PATH variable -
# Open .bash_profile

vi ~/.bash_profile
Append the following line to update the $PATH variable -
# The following line might differ on your system.

export PATH="$HOME/projects/amazon-ecr-credential-helper/bin:$PATH"
3.3 Update ~/.docker/config.json
Now after setting the path you need to update the ~/.docker/config.json file.
Open the file using the vi command and set the following content in it -
{
  "credsStore": "ecr-login"
}
Use credHelpers for a specific ECR registry based on the AWS account ID and region. If needed, the following content can be added to ~/.docker/config.json -
{
  "credHelpers": {
    "public.ecr.aws": "ecr-login",
    "<aws_account_id>.dkr.ecr.<region>.amazonaws.com": "ecr-login"
  }
}
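Setting credsStore sends every registry through ecr-login, while credHelpers limits the helper to the listed registries. As an added example (not from the original post or the helper project), the Python below merges credHelpers entries into an existing config without discarding its other keys and writes the result with owner-only permissions. The function names, the hostname pattern and the sample data are assumptions made for illustration.

```python
import json
import os
import re
import tempfile

# Private ECR hostname: <12-digit account id>.dkr.ecr.<region>.amazonaws.com
# (assumption: standard commercial-region endpoints only)
ECR_HOST = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$")

def scope_ecr_helper(config, registries):
    """Return a copy of config with ecr-login set only for the given registries."""
    merged = json.loads(json.dumps(config))  # deep copy of plain JSON data
    helpers = merged.setdefault("credHelpers", {})
    for host in registries:
        if host != "public.ecr.aws" and not ECR_HOST.match(host):
            raise ValueError(f"not an ECR registry hostname: {host}")
        helpers[host] = "ecr-login"
        # Drop any stale base64 login for this registry; the helper replaces it.
        merged.get("auths", {}).pop(host, None)
    return merged

def write_config(path, config):
    """Write config.json atomically with owner-only permissions (0600)."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".config.json.")
    with os.fdopen(fd, "w") as handle:  # mkstemp creates the file with mode 0600
        json.dump(config, handle, indent=2)
        handle.write("\n")
    os.replace(tmp, path)

if __name__ == "__main__":
    # Constructed existing config: the default store must survive the merge.
    registry = "123456789012.dkr.ecr.eu-central-1.amazonaws.com"
    existing = {"credsStore": "osxkeychain",
                "auths": {registry: {"auth": "c3RhbGU="}}}
    print(json.dumps(scope_ecr_helper(existing, [registry]), indent=2))
```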
3.4 Set correct AWS Credentials
Finally, make sure you are using the correct AWS credentials. Run the following aws configure command and set the correct ACCESS KEY and SECRET KEY -
aws configure
After setting up the amazon-ecr-credential-helper you can perform the docker pull and docker push commands.
4. Conclusion
I hope this guide helps you troubleshoot the error while performing docker push and docker pull operations against AWS Elastic Container Registry (ECR).
This guide has been prepared based on the issue which I encountered while working with AWS ECR. You might have to tweak the commands mentioned in this guide based on your operating system and environment variables.