0

How to use the authorization token obtained from AWS ECR for performing a docker pull

The following call fetches you the TOKEN

TOKEN=$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')

How do I pass this token information to pull a private docker image in AWS ECR?

Rpj

2 Answers

3

From the docs: https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html

To obtain an authorization token, you must use the GetAuthorizationToken API operation to retrieve a base64-encoded authorization token containing the username AWS and an encoded password

So the auth token contains the user and password as a base64-encoded string, which you can then use to log in to the private repo using docker login. The command would be something like this:

docker login --username userNameFromToken --password passwordFromToken aws_account_id.dkr.ecr.region.amazonaws.com

However, I would recommend using the get-login-password CLI to simplify that for you.

Again from the same docs, all you have to do is this:

aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

And you should have the docker CLI logged in.

And then you can just pull using a command like:

docker pull aws_account_id.dkr.ecr.region.amazonaws.com/your-repo-name:tag

Yogesh_D
0

Since you are using an authorization token, this might work for you:

docker login -u AWS -p $(aws ecr get-authorization-token --profile *profileName* --region *your-region* --output text --query 'authorizationData[].authorizationToken' | base64 --decode | cut -c 5- ) ****.dkr.ecr.**-****-*.amazonaws.com

What I am doing with this is getting the authorization token, doing a base64 decode on it, and removing the first 4 characters from it, since the base64-decoded string is in the form username(AWS):encoded_password. So we are removing AWS: using the cut command.

Reference: aws ecr saying "Cannot perform an interactive login from a non TTY device" after copied cmd from "Amazon Container Services"

Saksham Gupta
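
The two answers above combined, as an added example that is not part of either answer: it decodes the token from get-authorization-token, checks that it has the AWS:password form, and passes the password to docker login on stdin rather than with -p. The function names and the sample token are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from either answer): decode an ECR authorization token
# and hand the password to docker on stdin instead of the command line.

# Constructed sample token, not a real credential. The password contains
# colons to show that only the first colon separates user from password.
SAMPLE_TOKEN=$(printf '%s' 'AWS:example-password:with:colons' | base64 | tr -d '\n')

# Print the username: the text before the first colon of the decoded token.
ecr_token_user() {
  printf '%s' "$1" | base64 --decode | cut -d: -f1
}

# Print the password: everything after the first colon. -s makes cut print
# nothing when the decoded text has no colon at all.
ecr_token_password() {
  printf '%s' "$1" | base64 --decode | cut -s -d: -f2-
}

# ecr_login REGISTRY TOKEN
# Runs in a subshell so the decoded password does not stay in the caller's
# variables. printf is a shell builtin, so the password is not visible in
# the process list the way an argument to "docker login -p" would be.
ecr_login() (
  user=$(ecr_token_user "$2")
  pass=$(ecr_token_password "$2")
  if [ "$user" != "AWS" ] || [ -z "$pass" ]; then
    echo "token did not decode to AWS:<password>" >&2
    exit 1
  fi
  printf '%s' "$pass" | docker login --username "$user" --password-stdin "$1"
)

# Usage, with the token command from the question and the placeholder
# registry host from the first answer:
#   TOKEN=$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')
#   ecr_login aws_account_id.dkr.ecr.region.amazonaws.com "$TOKEN"
```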