When you see the "WARNING! Using --password via the CLI is insecure" message in Docker, it's not just being overly cautious. The warning exists because passing passwords directly in the command line exposes them in:
- Shell history files (~/.bash_history)
- Process listings (visible via commands like ps)
- Any logging systems that might capture command output
Here's how to properly authenticate with ECR without triggering the warning:
aws ecr get-login-password | docker login --username AWS --password-stdin "https://$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.us-east-1.amazonaws.com"
This approach:
- Generates the temporary ECR password securely
- Pipes it directly to Docker without exposing it in the command line
- Works in CI/CD pipelines and automated scripts
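The difference between the two patterns can be checked directly. The following is an added example, not code from the original article: it uses a constructed placeholder secret and a hypothetical `login-stand-in` process in place of `docker login`, and assumes a Linux `/proc` filesystem.

```shell
#!/bin/bash
# Added example, not from the original article. SECRET is a constructed
# placeholder; "login-stand-in" is a hypothetical stand-in for `docker login`.
SECRET='constructed-placeholder-token'

# Print the argv of a PID as `ps` reads it from /proc (Linux only).
argv_of() {
    { tr '\0' ' ' < "/proc/$1/cmdline"; } 2>/dev/null || true
}

# Wait until background PID has exec'd the stand-in, then report whether the
# secret is readable in its argv. Status 0 = visible, 1 = not visible.
secret_in_argv() {
    pid=$1; self=$(argv_of "$$"); args=''; tries=0
    while [ "$tries" -lt 50 ]; do
        args=$(argv_of "$pid")
        # Until exec() completes, the child still shows this script's argv.
        if [ -n "$args" ] && [ "$args" != "$self" ]; then break; fi
        sleep 0.1; tries=$((tries + 1))
    done
    if [ "$args" = "$self" ]; then args=''; fi   # never exec'd: nothing to judge
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    case $args in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

# Pattern Docker warns about: the secret is an argument (like --password).
leaks_via_argv() {
    sh -c 'sleep 2; :' login-stand-in --username AWS --password "$SECRET" \
        >/dev/null 2>&1 &
    secret_in_argv "$!"
}

# Pattern from the article: the secret arrives on stdin (like --password-stdin).
leaks_via_stdin() {
    printf '%s\n' "$SECRET" |
        sh -c 'read -r pw; sleep 2; :' login-stand-in --username AWS \
            --password-stdin >/dev/null 2>&1 &
    secret_in_argv "$!"
}

if leaks_via_argv; then echo "argv:  secret visible in process listing"; fi
if ! leaks_via_stdin; then echo "stdin: secret absent from process listing"; fi
```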
For a complete build and push workflow:
#!/bin/bash
# Stop at the first failure so a failed login never reaches build/push
set -euo pipefail
# Authenticate with ECR
ECR_REGISTRY="$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.us-east-1.amazonaws.com"
aws ecr get-login-password | docker login --username AWS --password-stdin "$ECR_REGISTRY"
# Build and push
docker build -t my-app .
docker tag my-app:latest "$ECR_REGISTRY/my-app:latest"
docker push "$ECR_REGISTRY/my-app:latest"
For cross-region deployments, you'll need to specify the region explicitly:
REGION=eu-west-1
ECR_REGISTRY="$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.$REGION.amazonaws.com"
aws ecr get-login-password --region "$REGION" | docker login --username AWS --password-stdin "$ECR_REGISTRY"
While --password-stdin solves the immediate warning, consider these additional security measures:
- Use AWS IAM roles instead of access keys when possible
- Implement least-privilege permissions for your CI/CD system
- Rotate credentials regularly
- Consider using temporary session tokens for enhanced security
If you encounter authentication failures:
- Verify your AWS credentials are properly configured (aws configure)
- Check that the IAM user has ecr:GetAuthorizationToken permissions
- Ensure your Docker daemon is running
- Confirm the AWS region matches your ECR repository's region
When working with Amazon Elastic Container Registry (ECR), many developers encounter the warning "WARNING! Using --password via the CLI is insecure. Use --password-stdin." when executing commands like:
docker login -u AWS -p "$(aws ecr get-login-password)" \
  "https://$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.us-east-1.amazonaws.com"
This warning appears because passing passwords directly via command-line arguments can expose them in shell history or process listings. The Docker team recommends using the --password-stdin flag for improved security.
Here's the proper way to authenticate with ECR without triggering security warnings:
aws ecr get-login-password | docker login \
  --username AWS \
  --password-stdin \
  "https://$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.us-east-1.amazonaws.com"
For automation scripts or CI/CD pipelines, consider these implementations:
#!/bin/bash
# Get ECR login details
ECR_REGISTRY="$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.us-east-1.amazonaws.com"
ECR_PASSWORD=$(aws ecr get-login-password)
# Secure login
echo "$ECR_PASSWORD" | docker login --username AWS --password-stdin "$ECR_REGISTRY"
# Verify login
if [ $? -eq 0 ]; then
  echo "Successfully logged in to ECR"
else
  echo "Failed to authenticate with ECR" >&2
  exit 1
fi
For enhanced security, you might want to handle temporary credentials:
#!/bin/bash
# Set AWS region
export AWS_DEFAULT_REGION=us-east-1
# Confirm the current credentials (including assumed-role sessions) are valid
aws sts get-caller-identity &> /dev/null || {
  echo "AWS credentials not valid" >&2
  exit 1
}
# ECR login with proper credential validation
ECR_REGISTRY="$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com"
aws ecr get-login-password --region "$AWS_DEFAULT_REGION" | \
  docker login --username AWS --password-stdin "$ECR_REGISTRY"
If you encounter problems:
- Ensure your AWS CLI is configured with proper credentials
- Verify your IAM user has ecr:GetAuthorizationToken permissions
- Check that your AWS region matches your ECR repository's region
- For assumed roles, confirm the session hasn't expired