Can't push Dockerimages to ECR

Question

I get an error on push my local Dockerimage to my private ECR: My IAM-User has AmazonEC2ContainerRegistryFullAccess rights and my EC2 too.

$ aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin xx.dkr.ecr.eu-central-1.amazonaws.com
...    
Login Succeeded


$ aws ecr describe-repositories
{
    "repositories": [
        {
            "repositoryUri": "xx.dkr.ecr.eu-central-1.amazonaws.com/my_repo",
            "imageScanningConfiguration": {
                "scanOnPush": false
            },
            "encryptionConfiguration": {
                "encryptionType": "AES256"
            },
            "registryId": "xx",
            "imageTagMutability": "MUTABLE",
            "repositoryArn": "arn:aws:ecr:eu-central-1:xx:repository/my_repo",
            "repositoryName": "my_repo",
            "createdAt": 1650817284.0
        }
    ]
}

$ docker pull hello-world
$ docker tag hello-world:latest xx.dkr.ecr.eu-central-1.amazonaws.com/hello-world:latest
$ docker images
REPOSITORY                                                    TAG       IMAGE ID       CREATED        SIZE
xx.dkr.ecr.eu-central-1.amazonaws.com/hello-world   latest    feb5d9fea6a5   7 months ago   13.3kB
hello-world                                                   latest    feb5d9fea6a5   7 months ago   13.3kB

and now i get the error on push my image:

$ docker push xx.dkr.ecr.eu-central-1.amazonaws.com/hello-world:latest
The push refers to repository [xx.dkr.ecr.eu-central-1.amazonaws.com/hello-world]
e07ee1baac5f: Retrying in 1 second
EOF

Any suggestions? The profile-trick from https://stackoverflow.com/a/70453287/10243980 works NOT.

Many thanks

Answer 1

One of my working example is the following

aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.eu-central-1.amazonaws.com
docker build -t dolibarr .
docker tag dolibarr:latest 123456789012.dkr.ecr.eu-central-1.amazonaws.com/dolibarr:latest
docker push 123456789012.dkr.ecr.eu-central-1.amazonaws.com/dolibarr:latest

Compared to your commands, it looks very similar. So now, please check, if your user is able to push to the repository itself (ecr:PutImage). Probably this is the main issue.

A good solution to find more help is the following Pushing an image to ECR, getting "Retrying in ... seconds"

My policy for my Docker image role, I am using, is the following (terraform style):

{
  Action = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:CompleteLayerUpload",
    "ecr:GetAuthorizationToken",
    "ecr:InitiateLayerUpload",
    "ecr:PutImage",
    "ecr:UploadLayerPart",
  ]
  Effect   = "Allow"
  Resource = "*"
}

Try to adjust your policy and remove the "Principal" entry. This is not necessary.

Another possible reason could has nothing to do with the policy: Do you use some local proxy? I experienced some issues with using Proxy Servers for all public endpoints, like ECR, S3, etc. I disabled to use for those domains and it worked (depends on using VPN, or something similar).