docker
2FA Beta: "unauthorized: please use personal access token to login" on OSX
I was pointed here from the 2FA announcement, apologies if this report should go somewhere else.
Problem description
I enabled 2FA a little while ago, but (apparently) hadn't done any command-line docker work since then. When I tried today I got a weird error when docker pull-ing public images:
$ docker pull koalaman/scbuilder:latest
Error response from daemon: Get https://registry-1.docker.io/v2/koalaman/scbuilder/manifests/latest: unauthorized: please use personal access token to login
Initially I thought this was some sort of ACL or restriction on who could pull the image, but that didn't seem to be the case looking at https://hub.docker.com/r/koalaman/scbuilder. I verified I was logged in on Docker Desktop, but docker login failed:
$ docker login
Authenticating with existing credentials...
Stored credentials invalid or expired
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username (dimo414):
Password:
Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: please use personal access token to login
I decided to log-out of Docker Desktop, and when I logged back in it asked me for my 2FA. Once I'd provided that the docker command line started working as expected again.
What I Expected
- Docker Desktop should have been logged out when I enabled 2FA. It seems it was stuck in a state where it thought it was logged in, but it really wasn't.
dockercommand line should provide more guidance than just "please use personal access token to login". If it had mentioned 2FA anywhere I would have realized I needed to re-log-in, but discussing PATs made me think the issue was with the image I was pullingdocker loginshould be 2FA-aware, or if that's not feasible it should say "Please reauthenticate with Docker Desktop" or something to that effect.
I just stumbled on this problem quite by accident, but this time it was with my pull-through image cache. I was getting 500 errors from the local registry cache and wasn't sure why, until I curl'd the url that was giving the 500 and saw this same error returned from the registry cache: the fix was to use a PAT in my pull-through cache to authenticate to docker hub.
We are clearing up our old issues and your ticket has been open for 6 months with no activity. Remove stale label or comment or this will be closed in 15 days.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
I mean, it's only stale because no maintainers have responded.... from the thumbs ups it seems like others have observed the same issue.
We are clearing up our old issues and your ticket has been open for 6 months with no activity. Remove stale label or comment or this will be closed in 15 days.
See https://github.com/docker/hub-feedback/issues/1981#issuecomment-855194649
I'm not sure if this is the answer but I ran into the same problem after activating the 2FA on Docker and this seemed to solve it https://docs.docker.com/docker-hub/access-tokens/#use-an-access-token You just use a token at the place of the password after activating 2FA
This bug report is that the behavior of the docker CLI when 2FA is enabled is confusing and/or broken.