ECR docker login does not work anymore with docker image amazon/aws-cli:2.32.2

[b3n3d1k7]

Describe the bug

We have been using the amazon/aws latest image in our pipelines to push docker images to private ECR repositories using authorization token retrieved by aws ecr get-login-password.

With amazon/aws-cli:2.32.2 the docker login call fails with the error message: "400 Bad Request"
Reverting to amazon/aws-cli:2.32.1 fixes the issue.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

Docker authentication using the AWS CLI docker image amazon/aws-cli:2.32.2 works as described here: https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html#registry-auth-token

Current Behavior

With amazon/aws-cli:2.32.2 the docker login call fails with the error message: "400 Bad Request"

Reproduction Steps

Run the command
aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com
with the docker image amazon/aws-cli:2.32.2

I.e.

docker run -t --env AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION}" --env AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" --env AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" --env AWS_SESSION_TOKEN="${AWS_SESSION_TOKEN}" amazon/aws-cli:2.32.2 ecr get-login-password --region "${AWS_DEFAULT_REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com"

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.32.2

Environment details (OS name and version, etc.)

ubuntu 24.04

[wilsongee]

I am also seeing the same issue:

> make ecr_login
docker pull amazon/aws-cli:2.32.2
2.32.2: Pulling from amazon/aws-cli
Digest: sha256:1f78cc694527183e91e4a914bc4d426eeee16ae99eb718069c048a1f3af06612
Status: Image is up to date for amazon/aws-cli:2.32.2
docker.io/amazon/aws-cli:2.32.2
for ECR_AWS_ACCOUNT in MY_ACCOUNT_1 MY_ACCOUNT_2; do \
		docker run --rm -it -e AWS_PROFILE -v /Users/wilson/.aws:/root/.aws amazon/aws-cli:2.32.2 --region us-west-2 ecr get-login-password | \
			docker login --username AWS --password-stdin https://${ECR_AWS_ACCOUNT}.dkr.ecr.us-west-2.amazonaws.com; \
	done
Error response from daemon: login attempt to https://MY_ACCOUNT_1.dkr.ecr.us-west-2.amazonaws.com/v2/ failed with status: 400 Bad Request
Error response from daemon: login attempt to https://MY_ACCOUNT_2.dkr.ecr.us-west-2.amazonaws.com/v2/ failed with status: 400 Bad Request
make: *** [ecr_login] Error 1

> make ecr_login
docker pull amazon/aws-cli:2.32.1
2.32.1: Pulling from amazon/aws-cli
Digest: sha256:51f81db299a7b812e9ec9cfa7a9252ce04e9e8a3a593a2d74358da13e3121608
Status: Downloaded newer image for amazon/aws-cli:2.32.1
docker.io/amazon/aws-cli:2.32.1
for ECR_AWS_ACCOUNT in MY_ACCOUNT_1 MY_ACCOUNT_2; do \
		docker run --rm -it -e AWS_PROFILE -v /Users/wilson/.aws:/root/.aws amazon/aws-cli:2.32.1 --region us-west-2 ecr get-login-password | \
			docker login --username AWS --password-stdin https://${ECR_AWS_ACCOUNT}.dkr.ecr.us-west-2.amazonaws.com; \
	done
Login Succeeded
Login Succeeded

EDIT: The failures are coming from Mac OSX. I was unable to reproduce from our Forge/Jenkins deployment running on EKS.

[RyanFitzSimmonsAK]

Hi, thanks for reporting this issue. I was able to reproduce the observed behavior.

C:\Users\rtsfitz>docker run --rm -it -v %userprofile%\.aws:/root/.aws public.ecr.aws/aws-cli/aws-cli:2.32.0 --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin redacted.dkr.ecr.us-west-2.amazonaws.com
Login Succeeded

C:\Users\rtsfitz>docker run --rm -it -v %userprofile%\.aws:/root/.aws public.ecr.aws/aws-cli/aws-cli:2.32.1 --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin redacted.dkr.ecr.us-west-2.amazonaws.com
Login Succeeded

C:\Users\rtsfitz>docker run --rm -it -v %userprofile%\.aws:/root/.aws public.ecr.aws/aws-cli/aws-cli:2.32.2 --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin redacted.dkr.ecr.us-west-2.amazonaws.com
Error response from daemon: login attempt to https://redacted.dkr.ecr.us-west-2.amazonaws.com/v2/ failed with status: 400 Bad Request

C:\Users\rtsfitz>docker run --rm -it -v %userprofile%\.aws:/root/.aws public.ecr.aws/aws-cli/aws-cli:2.32.3 --region us-west-2 ecr get-login-password | docker login --username AWS --password-stdin redacted.dkr.ecr.us-west-2.amazonaws.com
Error response from daemon: login attempt to https://redacted.dkr.ecr.us-west-2.amazonaws.com/v2/ failed with status: 400 Bad Request

I've marked this issue for review by our team, and will follow up as soon as I have any updates. In the meantime, there doesn't appear to be any issue with 2.32.2 itself, so using get-login-password from a local installation should work.

C:\Users\rtsfitz>aws ecr get-login-password | docker login --username AWS --password-stdin redacted.dkr.ecr.us-west-2.amazonaws.com
Login Succeeded

C:\Users\rtsfitz>aws --version
aws-cli/2.32.2 Python/3.13.9 Windows/11 exe/AMD64