docker build can't pull base image with this ecr-login helper? #9

Closed
gengmao opened this issue Aug 17, 2016 · 8 comments

@gengmao

gengmao commented Aug 17, 2016

Hello,

I rolled out this ecr-login helper a few days ago, and I found docker build failed with unauthorized: authentication required if the Dockerfile is FROM an image in ECR.

This ecr-login helper works fine with docker pull. The error can be worked around by pulling the image before docker build, but if the docker build has a --pull option, the build would fail with the same unauthorized: authentication required error.

I don't know the details of how docker build pulls a private image when needed - is this a simple implementation issue, or just any https://github.com/docker/docker-credential-helpers can't work with docker build?

@samuelkarp
Contributor

@gengmao Thanks for reporting this. I did a little investigation and it looks like the Docker CLI uses the auths section in ~/.docker/config.json to find which registries it needs credentials for instead of parsing the FROM line in the Dockerfile. I was able to get docker build to work by changing my ~/.docker/config.json file to this:

{
    "credsStore":"ecr-login",
    "auths": {
        "123456789012.dkr.ecr.us-west-2.amazonaws.com": {
        }
    }
}

As a workaround, you can adjust your ~/.docker/config.json file to include empty sections for each ECR endpoint (account + region) you intend to use. For a better fix, I think it would be a good idea for docker build to parse the FROM line and only send the set of credentials necessary to build that Dockerfile to the Docker daemon.

@gengmao
Author

gengmao commented Aug 20, 2016

Adding "auths" solved my problem. Thanks @samuelkarp!
I am closing this issue. It is probably worth mentioning the docker build behavior in readme.md, for people like me who do not recall it.

@burdandrei

I know this is closed, but adding the auth section stopped helping after the upgrade from 1.12 up.
We received new trusty images in travis-ci, and all our builds failed.
It works now only if we're running docker pull before build.

@samuelkarp
Contributor

@burdandrei In more-recent versions of Docker, the auths section is no longer used for determining which credentials to send to the daemon. The long-term solution here is going to be a smarter Docker CLI that parses the FROM line and explicitly requests the appropriate credentials from the credential helper (work has started in moby/moby#32967, but it doesn't look like there's current movement). In the short-term, you can either do a docker pull like you're doing or let the credential helper pre-cache credentials like this: echo $registry | docker-credential-ecr-login get.
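
The pre-caching workaround from the comment above, extended to find the ECR registries in a Dockerfile's FROM lines; this is an added example, not code from this project or from anyone in the thread. The function names and the optional second argument (helper command) are assumptions; only the `echo $registry | docker-credential-ecr-login get` invocation comes from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-cache ECR credentials for every
# ECR registry named in a Dockerfile, before running docker build.

# Print each unique ECR registry host referenced by a FROM line.
# Images given via build args (FROM ${BASE}) cannot be resolved and are skipped.
ecr_registries_from_dockerfile() {
    awk '
        toupper($1) == "FROM" {
            # Step over flags such as --platform=linux/amd64.
            i = 2
            while (i <= NF && $i ~ /^--/) i++
            if (i > NF) next
            # The registry host is the part before the first "/".
            slash = index($i, "/")
            if (slash == 0) next
            host = substr($i, 1, slash - 1)
            # 12-digit account id, then .dkr.ecr.<region>.amazonaws.com
            # (optionally .cn for the China partitions).
            if (host ~ /^[0-9]+\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$/ &&
                index(host, ".") == 13 && !seen[host]++)
                print host
        }
    ' "$1"
}

# Ask the credential helper for each registry so its cache is warm.
# $2 (assumed parameter) overrides the helper command, e.g. for testing.
precache_ecr_credentials() {
    local dockerfile=$1
    local helper=${2:-docker-credential-ecr-login}
    local registry
    # Hosts were validated above, so word splitting here is safe.
    for registry in $(ecr_registries_from_dockerfile "$dockerfile"); do
        # "get" writes the credential JSON to stdout; discard it so the
        # token never lands in CI logs.
        echo "$registry" | "$helper" get >/dev/null || return 1
    done
}

# Stand-alone use: ./precache.sh Dockerfile && docker build .
if [ "$#" -ge 1 ]; then
    precache_ecr_credentials "$@"
fi
```
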

shumkov added a commit to dashevo/js-drive that referenced this issue Apr 16, 2018
shumkov added a commit to dashevo/js-drive that referenced this issue Apr 17, 2018
* add credentials helper

* remove aws get-login

* fix travis.yml

* fix travis.yml

* fix travis

* specify deploy branch

* exit immediately if error

* fix pulling on build awslabs/amazon-ecr-credential-helper#9

* fix docker config

* fix awslabs/amazon-ecr-credential-helper#9

* move credentials to before_install section

* change deploy branch to master

@miked0004

This is not limited to docker compose and the solution of piping to the credential plugin seems less useful than the basic aws ecr get-login --no-include-email.
Is there any solution in the works here?

@joshenders

Encountered this issue today. Ended up using the echo $registry | docker-credential-ecr-login get approach which resolved the issue for me. I echo the sentiments of others, wishing the docker cli would parse the FROM directive in my Dockerfile.

@samuelkarp
Contributor

> I echo the sentiments of others, wishing the docker cli would parse the FROM directive in my Dockerfile.

Me too! Unfortunately, this change needs to be made in the Docker CLI itself rather than in this project. moby/moby#32967 looks stalled, but that's where the work would need to happen.

@rdpa

rdpa commented Dec 3, 2019

For anyone still experiencing this issue, using the docker daemon with buildkit solves the problem.
