3

Currently, I have this command in my bash script for building & pushing an image to Amazon ECR:

docker login -u AWS -p "$(aws ecr get-login-password)" "https://$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.us-east-1.amazonaws.com"

Which gives the warning "WARNING! Using --password via the CLI is insecure. Use --password-stdin."

How can I change this command to not give the warning? Is this really insecure?

Moak
  • Yes, because the password is briefly visible in the process lists for any process to read. – Epeli May 14 '20 at 06:07

4 Answers

6

Tinkering around, this seems to work well:

aws ecr get-login-password | docker login -u AWS --password-stdin "https://$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.us-east-1.amazonaws.com"
Moak
2
$(aws ecr get-login --no-include-email --region cn-northwest-1)

Replace cn-northwest-1 with your region.

ola
1

The recommended way to log in to ECR is to use the command produced by aws ecr get-login.

User9123
0

Assuming the AWS CLI is already configured correctly, for example with:

aws configure

Then just call the following:

aws ecr get-login-password | docker login -u AWS --password-stdin "https://$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.$(aws configure get region).amazonaws.com"

The previous command aws ecr get-login automatically resolved the Account ID and region. The above command does that explicitly:

$(aws sts get-caller-identity --query 'Account' --output text)

(as per @Moak's answer, thank you)

and:

$(aws configure get region)

to get the region.

Druckles
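
Added example, not part of any answer above: a POSIX sh version of the stdin login from Moak's and Druckles' answers that also handles a region set through environment variables, the China DNS suffix (amazonaws.com.cn) for regions such as cn-northwest-1, and a failed AWS call. The function names ecr_registry and ecr_login are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original answers.
# ecr_registry and ecr_login are hypothetical helper names.

# Print the ECR registry host for an account ID and region, refusing values
# that would produce a malformed host for the token to be sent to.
ecr_registry() (
    acct=$1 region=$2
    case $acct in ''|*[!0-9]*) echo "bad account id: '$acct'" >&2; exit 1 ;; esac
    [ "${#acct}" -eq 12 ] || { echo "bad account id: '$acct'" >&2; exit 1; }
    case $region in ''|*[!a-z0-9-]*) echo "bad region: '$region'" >&2; exit 1 ;; esac
    # China regions (e.g. cn-northwest-1) use a different DNS suffix.
    case $region in cn-*) suffix=amazonaws.com.cn ;; *) suffix=amazonaws.com ;; esac
    printf '%s.dkr.ecr.%s.%s\n' "$acct" "$region" "$suffix"
)

# Log Docker in to ECR with the token passed on stdin only.
ecr_login() (
    # `aws configure get region` reads only the config file, so honour the
    # region environment variables first.
    region=${AWS_REGION:-${AWS_DEFAULT_REGION:-$(aws configure get region)}}
    acct=$(aws sts get-caller-identity --query Account --output text) || exit 1
    registry=$(ecr_registry "$acct" "$region") || exit 1
    # Capture the token first so a failed AWS call aborts before docker runs.
    token=$(aws ecr get-login-password --region "$region") || exit 1
    [ -n "$token" ] || { echo "empty ECR token" >&2; exit 1; }
    # printf is a shell builtin: the token is never an argument of a new process.
    printf '%s' "$token" | docker login -u AWS --password-stdin "$registry"
)

# Run the login only when asked, so the file can also be sourced.
if [ "${1:-}" = "login" ]; then ecr_login; fi
```

Note that `aws ecr get-login` (AWS CLI v1 only) prints a `docker login -u AWS -p ...` command, so evaluating its output passes the token as a command-line argument again.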