I have a private repository on DockerHub which I am trying to deploy with ECS. I always get the following error:
Unable to decode provided docker credentials module="ecs credentials" type="dockercfg"
or if I try with type docker:
Unable to decode provided docker credentials module="ecs credentials" type="docker"
I have tried all possibilities mentioned on the ECS developer forums.
I tried:
ECS_ENGINE_AUTH_TYPE=dockercfg
ECS_ENGINE_AUTH_DATA='{"https://index.docker.io/v1/":{"auth":"<token>","email":"<email>"}}'
I also tried:
ECS_ENGINE_AUTH_TYPE=docker
ECS_ENGINE_AUTH_DATA='{"https://index.docker.io/v1/":{"username":"<username>","password":"<password>","email":"<email>"}}'
And also (because of the docs at https://godoc.org/github.com/aws/amazon-ecs-agent/agent/engine/dockerauth):
ECS_ENGINE_AUTH_TYPE=docker
ECS_ENGINE_AUTH_DATA='{"https://index.docker.io/v1/<username>":{"username":"<username>","password":"<password>","email":"<email>"}}'
I also tried without the '' and with "" around the JSON.. same effect. I always get the same error.
I should add I am getting ecs.config from an S3 container which works fine. I have also retyped the file manually in case there is some dubious formatting when the file is downloaded (though I don't see how this can be the case as the S3 file comes as a byte stream).
If I SSH into the instance and do the following:
docker login --username=<username> --password=<password> --email=<email>
I can then pull the image succesfully: docker pull A/B:latest
However, even after I log in (and therefore docker generates the ~/.docker/config.json file), I still get the same error from ECS.
I should mention all operations in changing the ecs.config file were done as follow:
sudo stop ecs sudo start ecs Repeat...
It is getting very frustrating.. How should this work or how has it changes since the documentation was written?
Any help would be appreciated.
EDIT
I also tried setting the docker auth in the JSON config file in /etc/ecs/ecs.config.json:
{
"EngineAuthType": "docker",
"EngineAuthData": {
"https://index.docker.io/v1/": {
"username": "<me>",
"password": "<password>",
"email": "<email>"
}
}
}
The JSON configuration for this is described here: https://godoc.org/github.com/aws/amazon-ecs-agent/agent/config. It is also mentioned in the code comments here: https://github.com/aws/amazon-ecs-agent/blob/b197eddd9d5272eeac7dddaa2a84cc4c85522354/agent/engine/dockerauth/doc.go
More specifically:
These keys may be set by either setting the environment variables "ECS_ENGINE_AUTH_TYPE" and "ECS_ENGINE_AUTH_DATA" or by setting the keys "EngineAuthData" and "EngineAuthType" in the JSON configuration file located at the configured "ECS_AGENT_CONFIG_FILE_PATH" (see http://godoc.org/github.com/aws/amazon-ecs-agent/agent/config)
This is again, giving the same error ...
After spending some time looking through the code of the ECS agent (https://github.com/aws/amazon-ecs-agent) I realised where the problem is. The problem is in the email field which should be removed!
So, just to recap how to do this:
You need to follow the instructions here: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html.
However, all the examples there include the email field.
The ecs.config should look like this:
ECS_ENGINE_AUTH_TYPE=dockercfg
ECS_ENGINE_AUTH_DATA={"https://index.docker.io/v1/":{"auth":"<your auth token>"}}
To load the ecs.config from an S3 container when your instances are created follow this: http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html, particularly the "To store an ecs.config file in Amazon S3" and "To load an ecs.config file from Amazon S3 at launch" headings.