AWS ECR GetAuthorizationToken
Amazon Web-ServicesAmazon Ec2Aws CliAmazon EcrAmazon Web-Services Problem Overview
I've tried to follow AWS instructions on setting ECR authorization to my user by giving the AmazonEC2ContainerRegistryFullAccess
policy to my user.
However when I try to run on my PC the aws ecr get-login
I get an error that I don't have permission.
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::ACCOUNT_NUMBER:user/MY_USER is not authorized to perform: ecr:GetAuthorizationToken on resource: *
What have I done wrong ?
Amazon Web-Services Solutions
Solution 1 - Amazon Web-Services
You must attach a policy to your IAM role.
I attached AmazonEC2ContainerRegistryFullAccess and it worked.
Solution 2 - Amazon Web-Services
Here is a full answer, after I followed all steps - I was able to use ECR
The error can have a few meanings:
-
You are not authorized because you do not have ECR policy attached to your user
-
You are not authorized because you are using 2FA and using cli is not secure unless you set a temporary session token
-
You provided invalid credentials
Here is a list of all steps to get access (including handling 2FA)
- First of all, you have to create a policy that gives you access to GetAuthorizationToken action in ECR.
- Attach this policy either to a user or a group (groups/roles are IMHO always better approach, my vote to roles, e.g. DevOps)
- Make sure you have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY set in your environment. I recommend to use aws folder with credentials and profiles separated.
If you have 2FA enabled
- You need to generate session token using this command
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
.arn-of-the-mfa-device
can be found in your profile, 2FA section. Token, is generated token from the device. - Update aws credentails with received
AccessKeyId
,SecretAccessKey
, andSessionToken
. AWS recommends having either cron job to refresh token, which means if you are doing it you are testing things, your prod resources most likely do not have 2FA enabled. You can increase session by providing--duration-seconds
but only up to 36 hours. A good explanation can be found at authenticate-mfa-cli
This should do the job
Solution 3 - Amazon Web-Services
I ended up using AmazonEC2ContainerRegistryPowerUser as seemed a better option than Full Access. Here are the policies I found as of June 2019:
Solution 4 - Amazon Web-Services
Just as it appears in the error description, I have to allow action "GetAuthorizationToken" in my policy.
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
}
Note: This is not my full policy but a subsection of Statement.
Solution 5 - Amazon Web-Services
I've found out that when 2FA is enabled there is no option to use the aws ecr get-login, once I've removed the 2FA from my account I got the authorization token
Solution 6 - Amazon Web-Services
The user must have GetAuthorizationToken for all resources on ECR. To make the policy tight, you can grant all actions only to the desired registry and only the ecr:GetAuthorizationToken to all resources. Here is an example policy to attach to your user:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Effect": "Allow",
"Resource": "<REPOSITORY_ARN_HERE>"
},
{
"Action": [
"ecr:GetAuthorizationToken",
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Solution 7 - Amazon Web-Services
I had the same problem with ECS when I tried to push my container in the repository.
To solve it, I attached to my IAM role this : AmazonECS_FullAccess
Solution 8 - Amazon Web-Services
This was my guy EC2InstanceProfileForImageBuilderECRContainerBuilds
Solution 9 - Amazon Web-Services
For me:
- Effect: Allow
Sid: VisualEditor2
Action:
- ecr:GetAuthorizationToken
- ecr:BatchGetImage
- ecr:GetDownloadUrlForLayer
Resource: "*"
Solution 10 - Amazon Web-Services
I have the same problem, but I have set the permission boundary
only to s3 previously that causes the issue.
Removed the permission boundary
,it worked like a charm