Docker push to AWS ECR private repo failing with malformed JSON

4

32

I am trying out AWS ECR and pushing a new tag to our private repository.

It goes like this:

    export DOCKER_REGISTRY=0123123123123.dkr.ecr.us-east-1.amazonaws.com
    export TAG=0.1
    docker build -t vendor/app-name .
    $(aws ecr get-login --region us-east-1)  # generates docker login and runs it
    docker tag vendor/app-name "$DOCKER_REGISTRY/vendor/app-name:$TAG"
    docker push "$DOCKER_REGISTRY/vendor/app-name:$TAG"

Login works, the tag is created and I see it with docker images, but the push fails cryptically.

    The push refers to a repository [0123123123123.dkr.ecr.us-east-1.amazonaws.com/vendor/app-name] (len: 2)
    b1a1d76b9e52: Pushing [==================================================>]     32 B/32 B
    Error parsing HTTP response: unexpected end of JSON input: ""

It very well might be a misconfiguration, but I can't figure out how to get more output out of it. The command has no debug level options, there are no other logs and I can't intercept network traffic since it seems encrypted.

Nape answered 22/12, 2015 at 20:22 Comment(5)
Are there any special characters in "vendor" or "app-name"? (Presuming these aren't the real values you're using) I'd try a quick test with no hyphens, underscores, etc... - Juno
I chose those generics matching ours, vendor is our company name (only small letters), app-name has a dash between two words. I just tried vendor/appname and it's the same scenario - Nape
Also this happens both on Travis and locally - Nape
What about versions? ECR uses registry v2, which (I think) was introduced into docker in 1.5. Any chance the client is 1.4 or older? - Juno
Good idea, unfortunately: $ docker --version Docker version 1.8.1, build d12ea79 - Nape
73

Ran into the same issue. For me, ensuring that the IAM user I was pushing as had the ecr:BatchCheckLayerAvailability permission cleared this up.

I had originally intended to have a "push-only" policy and didn't realize this permission was required to push successfully.

Tarpaulin answered 22/12, 2015 at 21:59 Comment(1)
On spot, thanks! The error message sucks so hard though - Nape
11

Minimal policy you need:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": "ecr:GetAuthorizationToken",
          "Resource": "*"
        },
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": [
            "ecr:UploadLayerPart",
            "ecr:PutImage",
            "ecr:InitiateLayerUpload",
            "ecr:CompleteLayerUpload",
            "ecr:BatchCheckLayerAvailability"
          ],
          "Resource": "arn:aws:ecr:<your region>:<your account id>:repository/<your repository name>"
        }
      ]
    }

Klayman answered 21/4, 2020 at 21:2 Comment(0)
3

In addition to @Ethan's answer: I tried to find the minimal set of permissions needed to push a docker image to the AWS registry. As of today, the minimal set is:

    {
        "Sid": "PushToEcr",
        "Effect": "Allow",
        "Action": [
            "ecr:BatchCheckLayerAvailability",
            "ecr:CompleteLayerUpload",
            "ecr:GetAuthorizationToken",
            "ecr:InitiateLayerUpload",
            "ecr:PutImage",
            "ecr:UploadLayerPart"
        ],
        "Resource": "*"
    }

As far as I understood, Resource must be * because some of those actions do not work otherwise. Improvements are welcome!

Torsk answered 20/4, 2020 at 9:58 Comment(1)
The only one of those which requires * is GetAuthorizationToken -- giving the rest * is gregarious. - Carrefour
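
An added example, not from any of the posts above: a small Python check that reads an IAM policy document and reports which of the six push actions listed in the answers are missing, and which repository-level actions are granted on Resource "*" instead of a repository ARN. The names `check_push_policy` and `PUSH_ONLY`, the account id and the sample policy are constructed for illustration; Deny statements, NotAction and Condition are not evaluated.

```python
import fnmatch

# The six actions the answers above list as needed for `docker push` to ECR.
PUSH_ACTIONS = {
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:PutImage",
}
# Per the comment above, the only one that has to be granted on "*".
ACCOUNT_LEVEL = {"ecr:GetAuthorizationToken"}


def _as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def check_push_policy(policy):
    """Return (missing, too_broad) as sorted lists for a parsed IAM policy.
    Simplified: only Allow statements with Action/Resource are read."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is legal
        statements = [statements]
    granted, too_broad = set(), set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may use * and ? wildcards
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        for action in PUSH_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                granted.add(action)
                if "*" in resources and action not in ACCOUNT_LEVEL:
                    too_broad.add(action)
    return sorted(PUSH_ACTIONS - granted), sorted(too_broad)


# Constructed sample: a "push-only" policy without BatchCheckLayerAvailability
PUSH_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:PutImage"],
     "Resource": "arn:aws:ecr:us-east-1:111122223333:repository/vendor/app-name"},
]}

if __name__ == "__main__":
    print(check_push_policy(PUSH_ONLY))
```
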
0

If you have a virtual environment folder (mine was .venv), try removing it. Build and push your image again. That worked for me.

Pizzicato answered 26/9, 2022 at 17:10 Comment(0)