Skip to content
Latchkey

Amazon ECR "no basic auth credentials" on push in CI

ECR uses short-lived tokens, not a static password. "no basic auth credentials" means docker never logged in to the ECR registry for this push. Run aws ecr get-login-password | docker login (the get-login-password output is the password) before pushing.

What this error means

docker push to an *.dkr.ecr.<region>.amazonaws.com repository fails with "no basic auth credentials" after the layers begin to upload.

docker
The push refers to repository [123456789012.dkr.ecr.us-east-1.amazonaws.com/app]
... no basic auth credentials

Common causes

docker login to ECR never ran

ECR requires a token from aws ecr get-login-password. Without that login, the registry has no credentials for the push.

Logged in to the wrong registry host or region

The login targeted a different account/region than the tag, so the push host has no matching auth.

How to fix it

Authenticate with get-login-password

  1. Configure AWS credentials (OIDC role is preferred).
  2. Pipe aws ecr get-login-password into docker login for the exact registry host.
  3. Push to the matching <account>.dkr.ecr.<region>.amazonaws.com/<repo>.
Terminal
aws ecr get-login-password --region us-east-1 \
  | docker login --username AWS --password-stdin \
    123456789012.dkr.ecr.us-east-1.amazonaws.com

Use the official login action

amazon-ecr-login handles the token exchange and docker login for you in GitHub Actions.

.github/workflows/ci.yml
- uses: aws-actions/amazon-ecr-login@v2

How to prevent it

  • Log in to the exact ECR host and region before each push.
  • Use OIDC to assume a role instead of static AWS keys.
  • Match the login host to the image tag account and region.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →