How to avoid "Your authorization token has expired. Reauthenticate and try again." in ECR Public
The problem
When I pulled an image from ECR Public, I got an authentication error. How do I resolve it?
$ docker pull public.ecr.aws/docker/library/alpine:latest
Error response from daemon: pull access denied for public.ecr.aws/docker/library/alpine, repository does not exist or may require 'docker login': denied: Your authorization token has expired. Reauthenticate and try again.
How do I deal with it?
Re-authenticate to ECR Public.
# Command example
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
# Example run
$ aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
WARNING! Your password will be stored unencrypted in /home/cloudshell-user/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
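The token used to authenticate to ECR Public is valid for 12 hours.
Once it expires, an authentication error like the one above occurs, so re-authenticate.
Because ECR Public also allows anonymous pulls, logging out is another option when you only need to pull.
# Command example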
docker logout public.ecr.aws
# Example run
$ docker logout public.ecr.aws
Removing login credentials for public.ecr.aws
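The logout workaround above can be scripted so that a stale cached token is dropped only when it is the actual cause of the failure. The wrapper below is an added example, not part of the original article or of any AWS tooling; the function names `ecr_public_pull` and `is_expired_token_error` are hypothetical. It falls back to an anonymous pull only for images on public.ecr.aws and only when the error text matches the expired-token denial shown above.

```shell
#!/bin/sh
# Added example (hypothetical helper names): pull from ECR Public and, if the
# daemon rejects a stale cached token, remove it and retry anonymously.

ECR_PUBLIC_REGISTRY="public.ecr.aws"
EXPIRED_MSG="Your authorization token has expired"

# Succeeds only if the captured docker output is the expired-token denial.
is_expired_token_error() {
  case "$1" in
    *"$EXPIRED_MSG"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: ecr_public_pull public.ecr.aws/docker/library/alpine:latest
ecr_public_pull() {
  image="$1"

  # Only ECR Public allows the anonymous fallback; never log out of or
  # retry against any other registry from this helper.
  case "$image" in
    "$ECR_PUBLIC_REGISTRY"/*) ;;
    *) echo "refusing: $image is not hosted on $ECR_PUBLIC_REGISTRY" >&2
       return 2 ;;
  esac

  # First attempt; output is captured so the error text can be inspected.
  if out=$(docker pull "$image" 2>&1); then
    printf '%s\n' "$out"
    return 0
  fi

  # Any other failure (typo in the name, network, real access denial) is
  # reported unchanged rather than hidden behind a logout.
  if ! is_expired_token_error "$out"; then
    printf '%s\n' "$out" >&2
    return 1
  fi

  echo "expired ECR Public token cached; logging out and retrying anonymously" >&2
  docker logout "$ECR_PUBLIC_REGISTRY" >&2 || return 1
  docker pull "$image"
}
```

Pushes still require a valid token, so use the `aws ecr-public get-login-password` command shown earlier for those instead of this fallback.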
References
An authentication token is used to access any Amazon ECR public registry that your IAM principal has access to and is valid for 12 hours. The authentication token is also used to pull any images from a public repository on the Amazon ECR Public Gallery.
Issue: When performing an unauthenticated pull from an Amazon ECR Public repository, you receive an authentication token expired response. This is likely due to the fact that you've previously requested an authentication token from Amazon ECR Public and that token has expired. When the new Amazon ECR Public image pull is performed, the expired token is used and the error is received. The following is an example error.
Error response from daemon: pull access denied for public.ecr.aws/registry_alias/repository_name, repository does not exist or may require 'docker login': denied: Your authorization token has expired. Reauthenticate and try again.
Resolution: To resolve this issue, you can either re-authenticate to Amazon ECR Public or you can log your Docker CLI out of the Amazon ECR Public registry and re-attempt your unauthenticated image pull.
docker logout public.ecr.aws