
I am trying to use our ECR to launch instances on Azure DC/OS Container service. I used ssh to log in to the master on Azure and install awscli there. I can execute `aws ecr get-login --no-include-email` on the master and get the `docker login ...` command that I am supposed to execute. When I do it, nothing happens. I did `echo $?` afterwards and I get status code 1. That means something went wrong. The AWS user access key and secret access key that I am using have the policy permission `ecr:GetAuthorizationToken` assigned to them.

Anyone have experience with this or can point me in the right direction? Last resort is to replicate AWS ECR to Azure ACR.

halfer
daniyel
  • Could you log in to the ECR with your AuthorizationToken? – Charles Xu Aug 01 '18 at 09:56
  • @charles-xu-msft What do you mean exactly? With docker login or...? – daniyel Aug 01 '18 at 09:58
  • Yes, I mean docker login. – Charles Xu Aug 01 '18 at 09:59
  • @charles-xu-msft I can execute `docker login` with sudo and everything seems fine, but when I try `sudo docker pull` I am getting an unauthorised error. And when I run the `docker login` command I do not get any errors, but when I do `echo $?` I am getting exit code 1, which means something went wrong. – daniyel Aug 01 '18 at 10:02
  • As far as I know, there are two possible reasons: one is that you do not log in to ECR successfully, and the other is that you do not have the permission to pull the images in the ECR. You can check that. – Charles Xu Aug 01 '18 at 10:06
  • @charles-xu-msft If I execute `aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d | cut -d: -f2` I get a token back. That means my user has permission to get the token. – daniyel Aug 01 '18 at 10:11
  • @charles-xu-msft And my user has `ecr:GetAuthorizationToken` in Policy and on AWS page they write `Amazon ECR users require permissions to call ecr:GetAuthorizationToken before they can authenticate to a registry and push or pull any images from any Amazon ECR repository`. – daniyel Aug 01 '18 at 10:13
  • @daniyel But does your user have permissions to actually *pull* the images, not just obtain an auth token? – Sergey Kovalev Aug 01 '18 at 14:58
  • @sergey-kovalev I figured out I need `ecr:GetDownloadUrlForLayer` and `ecr:BatchGetImage`, but I needed to uninstall `docker-engine`, install `docker-ce` and set up `docker-credential-ecr-login`. I can `docker pull` images now if I ssh with `azureuser` onto master or agent nodes, but the marathon daemon is still throwing a `no basic auth credentials` error when I try to start an application over marathon. – daniyel Aug 02 '18 at 12:01
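
The permission gap worked out in the comments above (the token can be fetched but the pull is refused), as an added example that is not code from any poster: a Python check of an IAM identity policy against the three actions named in the thread. The function names and sample policies are constructed for illustration; `Resource`, `Condition` and `NotAction` elements and ECR repository policies are not evaluated.

```python
import fnmatch
import json

# Actions named in the thread: the token call plus the two needed to pull.
PULL_ACTIONS = (
    "ecr:GetAuthorizationToken",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
)

def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single item or a list.
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_pull_actions(policy_json):
    """Return the pull-related ECR actions this identity policy does not grant."""
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if "Action" not in stmt:  # NotAction statements are out of scope here
            continue
        patterns = _as_list(stmt["Action"])
        for action in PULL_ACTIONS:
            if not _matches(patterns, action):
                continue
            if stmt.get("Effect") == "Allow":
                allowed.add(action)
            elif stmt.get("Effect") == "Deny":
                denied.add(action)
    # An explicit Deny overrides any Allow.
    return [a for a in PULL_ACTIONS if a not in allowed or a in denied]

# Constructed sample policies (not taken from the thread).
TOKEN_ONLY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"}})
GET_WILDCARD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:Get*"], "Resource": "*"}]})
FULL_PULL = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(PULL_ACTIONS), "Resource": "*"}]})

if __name__ == "__main__":
    for name, policy in [("token only", TOKEN_ONLY),
                         ("ecr:Get*", GET_WILDCARD),
                         ("full pull", FULL_PULL)]:
        print(name, "-> missing:", missing_pull_actions(policy))
```
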

0 Answers