docker login to public repo: public.ecr.aws or public.ecr.aws/<registry-alias>

[user706]

Hi,

if I go to https://eu-central-1.console.aws.amazon.com/ecr/repositories?region=eu-central-1 and click Public and select a image-repo and click "View push commands", then I can read

Retrieve an authentication token and authenticate your Docker client to your registry.
Use the AWS CLI:

aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/z3o4p8r4

Look at the last string above: it is public.ecr.aws/z3o4p8r4, i.e. public.ecr.aws/<registry-alias>
I do not think that this is correct. (At least not for docker-credential-pass (as available in debian here)).

Because

Bad flow with public.ecr.aws/z3o4p8r4

~/.docker/config.json

{
  "auths": {},
  "credsStore": "desktop",
  "credHelpers": {
    "public.ecr.aws/z3o4p8r4": "pass"
  }
}

Because if I do

aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/z3o4p8r4
#                                                                                                                  --------
#                                                                                                                      |
#                                                                                         see this    ----------------/

followed by

docker logout public.ecr.aws/z3o4p8r4

then I can still see

~/.docker/config.json

{
  "auths": {
    "public.ecr.aws": {}           // this!!!  it's not really logged out!
  },
  "credsStore": "desktop",
  "credHelpers": {
    "public.ecr.aws/z3o4p8r4": "pass"
  }
}

Better is the following:

Good flow with public.ecr.aws (not public.ecr.aws/z3o4p8r4)

~/.docker/config.json

{
  "auths": {},
  "credsStore": "desktop",
  "credHelpers": {
    "public.ecr.aws": "pass"
  }
}

Now if I do

aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
#                                                                                                                  --------
#                                                                                                                      |
#                                                                                  no repository alias ---------------/

followed by

docker logout public.ecr.aws

then I can now see

~/.docker/config.json

{
  "auths": {},                    // great! correctly logged out!
  "credsStore": "desktop",
  "credHelpers": {
    "public.ecr.aws": "pass"
  }
}

Thus the registry-alias, should not be part of the login.

Is this correct? Thanks.

[user706]

The green code snippet here:
https://docs.aws.amazon.com/AmazonECR/latest/public/getting-started-cli.html#cli-authenticate-registry

shows

aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws

which also suggest that using something like public.ecr.aws/<your-registry-alias> is not needed.