Could you check this http://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors-docker.html#error-403 ?
 

I don't think the region is the problem, as I'm using eu-central-1 region for the authentication and push:

docker.withRegistry("https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com", "ecr:eu-central-1:aws-jenkins")

Or maybe when we define the AWS in Jenkins, it tries to authenticate first within the default us-east-1 region as I have this message:

These credentials are valid but do not have access to the "AmazonEC2" service in the region "us-east-1". This message is not a problem if you need to access to other services or to other regions. Message: "You are not authorized to perform this operation. (UnauthorizedOperation)"

I don't think that the token is expired as it never worked...
And finally, my Jenkins slave is running inside a Docker container so it can't be Windows related

Is there a way to have more verbose log for this plugin?

Thanks for your help!

I tested this pipeline on core 1.625 with plugin 1.14 and it works, I will make a test with 2.46 and last versions of Pipeline plugins  I will keep you posted

node {
env.DOCKER_CERT_PATH="/home/user/.docker/machine/machines/default"
env.DOCKER_HOST="tcp://192.168.99.100:2376"
env.DOCKER_MACHINE_NAME="default"
env.DOCKER_TLS_VERIFY="1"
stage 'Checkout'
git 'https://github.com/kuisathaverat/docker-simplesamlphp.git'

stage 'Docker build'
docker.build('ecr-test')

stage 'Docker push'
docker.withRegistry("https://MYID.dkr.ecr.us-east-1.amazonaws.com/", "ecr:us-east-1:A27a5746a-f9d9-4e68-ad8a-c5df772cac53") {
docker.image('ecr-test').push('latest')
}
}

I tested with default region us-east-1 and I got the same error...

But in case it could help, we see in the logs that /root/.dockercfg contains 2 authentifications (eu-central-1 and us-east-1) :

[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Push latest)
[Pipeline] withEnv
[Pipeline] {
[Pipeline] withDockerRegistry
Wrote authentication to /root/.dockercfg
[Pipeline] {
[Pipeline] sh
[docker-emotion-compilers] Running shell script
+ cat /root/.dockercfg
{
"https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com": {
"auth": "[...]",
"email": "nobody@example.com"
},
"https://<my-aws-id>.dkr.ecr.us-east-1.amazonaws.com": {
"auth": "[...]",
"email": "nobody@example.com"
}
}[Pipeline] sh
[docker-emotion-compilers] Running shell script
+ docker tag --force=true my-image:latest <my-aws-id>.dkr.ecr.us-east-1.amazonaws.com/my-image:latest
Warning: '--force' is deprecated, it will be removed soon. See usage.
[Pipeline] sh
[docker-emotion-compilers] Running shell script
+ docker push <my-aws-id>.dkr.ecr.us-east-1.amazonaws.com/my-image:latest
The push refers to a repository [<my-aws-id>.dkr.ecr.us-east-1.amazonaws.com/my-image]
e30bf54e0f87: Preparing
b9f2c30c0d28: Preparing
5defc95691fd: Preparing
295d6a056bfd: Preparing
no basic auth credentials

I'm having the same problem here.

I started with eu-central-1 too, but could replicate with us-east-1.

cthiebault the eu-central-1 entry in your .dockercfg is from previous runs, new credentials are added to the existing file.

sidenote: I'm successfully using the ecr-plugin in the same Jenkins instance with the same credentials in a traditional freestyle project. 

I've updated to 1.6 version and I still have same error using Jenkinsfile but I also get it in a regular freestyle project

Here is the log for freestyle project:

Successfully built e5053a59f190
[docker-compilers] $ docker tag e5053a59f190 <my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image:latest
[docker-compilers] $ docker inspect e5053a59f190
[docker-compilers] $ docker push <my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image:jessie
The push refers to a repository [<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image]
044e3cd6bd81: Preparing
6170631db5ee: Preparing
324428c1fd95: Preparing
8d4d1ab5ff74: Preparing
no basic auth credentials
Build step 'Docker Build and Publish' marked build as failure
Finished: FAILURE

Here is my job config:

I have to test it but I think that it is related to docker-workflow plugin

I tested with Jenkins core 2.46.2, amazon-ecr 1.6, Pipeline 1.14.2, docker pipeline 1.11, Credentials 2.1.13, and Docker 1.11.2, I could not replicate it, now I will upgrade plugins to the last versions and test it again

I was unable to replicate with this plugin set, Could you check which version you use?

• amazon-ecr:1.6 'Amazon ECR plugin'
• aws-credentials:1.19 'CloudBees Amazon Web Services Credentials Plugin'
• aws-java-sdk:1.11.119 'Amazon Web Services SDK'
• credentials:2.1.13 'Credentials Plugin'
• credentials-binding:1.11 'Credentials Binding Plugin'
• docker-build-publish:1.3.2 'CloudBees Docker Build and Publish plugin'
• docker-commons:1.6 'Docker Commons Plugin'
• docker-workflow:1.11 'Docker Pipeline'
• git:3.3.0 'Jenkins Git plugin'
• git-client:2.4.5 'Jenkins Git client plugin'
• pipeline-build-step:2.5 'Pipeline: Build Step'
• pipeline-graph-analysis:1.3 'Pipeline Graph Analysis Plugin'
• pipeline-input-step:2.7 'Pipeline: Input Step'
• pipeline-milestone-step:1.3.1 'Pipeline: Milestone Step'
• pipeline-model-api:1.1.4 'Pipeline: Model API'
• pipeline-model-declarative-agent:1.1.1 'Pipeline: Declarative Agent API'
• pipeline-model-definition:1.1.4 'Pipeline: Model Definition'
• pipeline-model-extensions:1.1.4 'Pipeline: Declarative Extension Points API'
• pipeline-rest-api:2.6 'Pipeline: REST API Plugin'
• pipeline-stage-step:2.2 'Pipeline: Stage Step'
• pipeline-stage-tags-metadata:1.1.4 'Pipeline: Stage Tags Metadata'
• pipeline-stage-view:2.6 'Pipeline: Stage View Plugin'
• pipeline-utility-steps:1.3.0 'Pipeline Utility Steps'
• plain-credentials:1.4 'Plain Credentials Plugin'
• script-security:1.27 'Script Security Plugin'
• workflow-aggregator:2.5 'Pipeline'
• workflow-api:2.15 'Pipeline: API'
• workflow-basic-steps:2.4 'Pipeline: Basic Steps'
• workflow-cps:2.31 'Pipeline: Groovy'
• workflow-cps-global-lib:2.8 'Pipeline: Shared Groovy Libraries'
• workflow-durable-task-step:2.11 'Pipeline: Nodes and Processes'
• workflow-job:2.11 'Pipeline: Job'
• workflow-multibranch:2.14 'Pipeline: Multibranch'
• workflow-scm-step:2.4 'Pipeline: SCM Step'
• workflow-step-api:2.10 'Pipeline: Step API'
• workflow-support:2.14 'Pipeline: Supporting APIs'

Here is my setup:
 

cthiebault Do you have a proxy configured on Jenkins?

I obtained sometimes a token has expired error but it is not consistent if you run the job again it works

denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.

Could you add these loggers on  level ALL to those packages to see if we could see something else?

com.cloudbees.jenkins.plugins.amazonecr

com.amazonaws

org.apache.http.wire

org.jenkinsci.plugins.docker.workflow

The issue that I detected about "Token has expired" seems a known issue https://stackoverflow.com/questions/41379808/authorization-token-has-expired-issue-aws-cli-on-macos-sierra and I found a workaround on https://github.com/buildkite/elastic-ci-stack-for-aws/issues/178 if you set the variable "-env.AWS_ECR_LOGIN=true" in your pipeline the issue it is resolved it is something on the- docker-.withregistry -step

 in these cases, you have to check that you do not have a $HOME/.docker/config.json file

denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.

Jenkins is ran by Rancher so it's behind an HAProxy.

As I had problems with ECR plugin, I'm now using slaves with aws-cli installed...

I've re-enabled ECR plugin but my slave still have aws-cli installed. I've attached the [^ecr.log] for 

docker.withRegistry("https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com", "ecr:eu-central-1:jenkins")

The Amazon ECR Plugin get the token from Amazon correctly, so it is failing inside the `docker.withRegistry` step, Did you add the `-env.AWS_ECR_LOGIN=true` before this step?

Jun 19, 2017 10:07:40 AM FINE com.amazonaws.http.response.AwsResponseHandlerAdapter logHeaderRequestId x-amzn-RequestId: 5d5b94b2-54c6-11e7-95e8-31a2432646a5 Jun 19, 2017 10:07:40 AM FINE com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryCredential Success

Please, remove the ecr.log from this Jira or invalidate the Token generated on AWS, it is valid to access to your Amazon ECR for about 24 hours

Thanks for the info, I removed the logs!

No I didn't add env.AWS_ECR_LOGIN, I'll try it now.

Here are the ecr2.log with env.AWS_ECR_LOGIN. 

I hope I removed sensitive data this time

you have to check the token in $HOME/.dockercfg with the token on the logs to be sure that it is the same, Which Docker CLI version you use?
+ cat /root/.dockercfg
{"https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com": {"auth": "[...]","email": "nobody@example.com"}}
 

I tried both setting `env.AWS_ECR_LOGIN = true` and `env.AWS_ECR_DISABLE_CACHE = true` but still got the message

`Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.`

Had to delete the `~/.dockercfg` file to get it working.

Same experience here setting the suggested environment variables.

I'm unsure as to why the issue is closed whilst a fix hasn't been agreed/documented?

eggsy1984 This issue is closed because it is not related to ECR Plugin, it does not save anything to disk or interact with docker,  ECR Plugin only accesses to Amazon ECR to request a token to create a virtual credential on Jenkins, This issue could be related with docker or to docker-workflow-plugin dunno

No problem ifernandezcalvo thank you for the clarification

Just wanted to leave a note here for anyone stumbling across this whilst trying to debug. I had the same problem and chased it down to how the docker-commons plugin uses docker configs. It seems that it will only use/save to the newer .docker/config.json if it already exists, otherwise it saves auths to the .dockercfg file (which is then ignored depending on your docker version/setup).

I had to add both the environment variable DOCKER_CONFIG=$JENKINS_HOME/.docker and create a stub config.json file with the content '{"auths":{}}' within that DOCKER_CONFIG dir. Once I did both of these things, it all worked perfectly.

tictocs a question for you, if you will. I too ran into this problem and noticed that the $JENKINS_HOME that this ECR plugin runs with differed from the $JENKINS_HOME that the docker plugin used. This essentially caused the config.json to be written to one place while docker looked in another. Was this the case for you too?

I forgot to put this workaround here, this removes the docker credentials before create new ones from Amazon ECR

node {
        //cleanup current user docker credentials
        sh 'rm  ~/.dockercfg || true'
        sh 'rm ~/.docker/config.json || true'
        
        //configure registry
        docker.withRegistry('https://ID.ecr.eu-west-1.amazonaws.com', 'ecr:eu-west-1:86c8f5ec-1ce1-4e94-80c2-18e23bbd724a') {
          
            //build image
            def customImage = docker.build("my-image:${env.BUILD_ID}")
            
            //push image
            customImage.push()
        }