Amazon ECR "no basic auth credentials" on push in CI
ECR uses short-lived tokens, not a static password. "no basic auth credentials" means docker never logged in to the ECR registry for this push. Run aws ecr get-login-password | docker login (the get-login-password output is the password) before pushing.
What this error means
docker push to an *.dkr.ecr.<region>.amazonaws.com repository fails with "no basic auth credentials" after the layers begin to upload.
The push refers to repository [123456789012.dkr.ecr.us-east-1.amazonaws.com/app]
... no basic auth credentialsCommon causes
docker login to ECR never ran
ECR requires a token from aws ecr get-login-password. Without that login, the registry has no credentials for the push.
Logged in to the wrong registry host or region
The login targeted a different account/region than the tag, so the push host has no matching auth.
How to fix it
Authenticate with get-login-password
- Configure AWS credentials (OIDC role is preferred).
- Pipe
aws ecr get-login-passwordintodocker loginfor the exact registry host. - Push to the matching
<account>.dkr.ecr.<region>.amazonaws.com/<repo>.
aws ecr get-login-password --region us-east-1 \
| docker login --username AWS --password-stdin \
123456789012.dkr.ecr.us-east-1.amazonaws.comUse the official login action
amazon-ecr-login handles the token exchange and docker login for you in GitHub Actions.
- uses: aws-actions/amazon-ecr-login@v2How to prevent it
- Log in to the exact ECR host and region before each push.
- Use OIDC to assume a role instead of static AWS keys.
- Match the login host to the image tag account and region.