Using Amazon ECR from CLI with AWS SSO

AWS CLI can be used to access ECR repositories, but it may be a bit confusing to get it to work the first time -- especially if you are using AWS SSO for authentication. Here's a step-by-step guide.

There is good documentation for Amazon ECR but if you are using AWS SSO then blindly following the documentation could trip you up the first time,

Pre-requisites / Assumptions

• You have an AWS Organizations setup to use AWS SSO for user logins
• You have created a private repo in Amazon ECR in one of the member accounts
• Docker is installed on your local development environment

AWS CLI Setup and Configure

• Install the latest version of AWS CLI (guide)

• Use the CLI command “aws configure sso” to setup a CLI profile

  1. You can follow the step-wise guide for configuring the CLI with SSO credentials, starting with the “SSO start URL” of your AWS Organization.
  2. The CLI will generate a one-time code and direct you to the default web-browser where you can login using your SSO Credentials and confirm that you want to grant access to the CLI.
  3. You can choose a “CLI profile name” (or accept the default by pressing )

• Note the AWS CLI profile name that you create in this step (#3 above). You will need to use this in every AWS CLI command with a --profile option as shown in the example at the end of the above screenshot.

Get Authentication Token

• AWS CLI command then use the AWS CLI command get-login-password to obtain the authentication token to authorize Docker client on your local machine to access the ECR repo. This is then directly piped into the Docker login command so you can do both steps together – getting a token from ECR and then having Docker CLI login using that token.

• AWS provides an easy way get these commands formatted correctly with the correct IDs etc. in the Amazon ECR Console: Open the specific ECR repo in console and click on “View Push Commands” button.

  

• The pop-up that opens has the exact commands that you will need to execute at the CLI in order to get the token, authorizing docker and the subsequent steps of building, tagging and pushing the docker images.

  

• However, please note (highlighted in the screenshot above) that these commands do not specify a --profile option in the AWS CLI command. This missing piece trips up a number of beginners – or even experts who may be copy-pasting commands in a hurry.

• Here is an example of this command in action – which includes the AWC CLI profile option and name:

  

• As you can see in the screenshot if you did everything right you should see a “Login Succeeded” message. Everything else from here should be cakewalk.

Build and Tag Docker Images Locally, Push to ECR

• You can continue to use the detailed commands supplied by the AWS Console to work through the remaining steps. Since these are docker CLI commands and not AWS CLI commands – you will no longer require to add the --profile option for these steps.

  

• If you did everything right you should see a successful push and the the latest tagged image should appear in your ECR repo (after you refresh the console).