AWS ECR GetAuthorizationToken

I tried to follow AWS instructions for setting ECR authorization for my user by providing my AmazonEC2ContainerRegistryFullAccess policy.

However, when I try to run aws ecr get-login on my PC, I get an error that I do not have permission.

 An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::ACCOUNT_NUMBER:user/MY_USER is not authorized to perform: ecr:GetAuthorizationToken on resource: * 

What did I do wrong?

+26
7 answers

I found out that when 2FA is enabled, there is no way to use aws ecr get-login; as soon as I removed 2FA from my account, I got an authorization token.

+8

You must attach the policy to your IAM role.

I plugged in AmazonEC2ContainerRegistryFullAccess and it worked.

+32

As shown in the error description, I must enable the "GetAuthorizationToken" action in my policy.

  {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
  }

Note: this is not a complete policy, only the "Statement" subsection.

+3

In the end, I used AmazonEC2ContainerRegistryPowerUser, as it seemed to me a better option than full access. Here are the rules that I found as of June 2019: Container Registry Permissions

+2

I had the same problem with ECS when I tried to push my container into the repository.

To solve this problem, I attached the IAM policy AmazonECS_FullAccess to my role.

+1

Here is the complete answer; after I completed all the steps, I was able to use ECR.

The error can have 2 causes:

1) You are not authorized because the ECR policy is not attached to your user

2) You are not authorized because you are using 2FA, and using the CLI is not safe unless you set a temporary session token

Here is a list of all the steps to gain access (including 2FA handling):

  1. First of all, you must create a policy that gives you access to the GetAuthorizationToken action in ECR.
  2. Attach this policy to either the user or the group (IMHO groups/roles are always better; my vote is for roles, e.g. DevOps).
  3. Verify that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set in your environment. I recommend using the aws folder with shared credentials and profiles.

If you have 2FA enabled:

  1. You need to generate a session token with this command: aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token. The arn-of-the-mfa-device can be found in your profile, in the 2FA section; the token code is the code generated by the device.
  2. Update your aws credentials with AccessKeyId, SecretAccessKey and SessionToken. AWS recommends using a cron job to update the token, which means that if you do this, you are testing something; most likely 2FA is not enabled on your prod resources. You can extend the session by passing --duration-seconds, but only up to 36 hours. A good explanation can be found at authenticate-mfa-cli.

That should do the job.

+1
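The 2FA steps above, as an added example that is not part of the original answer: the code does not call AWS. It takes the JSON that the aws sts get-session-token command from the answer prints, stores AccessKeyId, SecretAccessKey and SessionToken under a named profile (the profile name "mfa" is an assumption) in a shared credentials file without disturbing the existing long-term profile, and records the Expiration so that a cron job or shell wrapper can tell when the token must be refreshed. The STS output and the key values are constructed sample data.

```python
"""Store temporary MFA credentials from `aws sts get-session-token` (added example).

The real command is the one from the answer:
  aws sts get-session-token --serial-number <arn-of-the-mfa-device> --token-code <code> \
      --duration-seconds <n>
This script only handles the JSON that command prints.
"""
import configparser
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MAX_DURATION = 36 * 60 * 60  # 129600 s: the 36-hour ceiling the answer mentions
MIN_DURATION = 900           # AWS minimum for get-session-token

# Constructed sample of get-session-token output; not real credentials.
SAMPLE_STS_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIACONSTRUCTEDKEY01",
    "SecretAccessKey": "constructedSecretAccessKey/ForTheExample",
    "SessionToken": "constructedSessionTokenValue==",
    "Expiration": "2019-06-30T12:00:00Z"
  }
}"""


def check_duration(seconds: int) -> int:
    """Reject a --duration-seconds value outside the range STS accepts."""
    if not MIN_DURATION <= seconds <= MAX_DURATION:
        raise ValueError(f"--duration-seconds must be between {MIN_DURATION} and {MAX_DURATION}")
    return seconds


def write_session_profile(sts_json: str, credentials_path: Path, profile: str) -> dict:
    """Parse get-session-token output and store it as `profile` in the credentials file.

    Existing sections (e.g. the long-term [default] profile) are preserved, so the
    temporary token lives beside the permanent keys rather than overwriting them.
    """
    creds = json.loads(sts_json)["Credentials"]
    config = configparser.ConfigParser()
    config.read(credentials_path)
    config[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        # Not read by the CLI; kept so we know when a refresh is due.
        "expiration": creds["Expiration"],
    }
    with open(credentials_path, "w") as fh:
        config.write(fh)
    return dict(config[profile])


def session_expired(credentials_path: Path, profile: str, now: datetime = None) -> bool:
    """True when the stored token is missing or past its Expiration timestamp."""
    config = configparser.ConfigParser()
    config.read(credentials_path)
    if profile not in config or "expiration" not in config[profile]:
        return True
    # STS prints ISO 8601 with a trailing Z; fromisoformat needs an explicit offset on older Pythons.
    expires = datetime.fromisoformat(config[profile]["expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return now >= expires


def demo() -> dict:
    """Run the flow against a throwaway credentials file and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "credentials"
        # Pre-existing long-term profile (constructed values) that must survive untouched.
        path.write_text("[default]\naws_access_key_id = AKIACONSTRUCTEDEXAMPLE\n"
                        "aws_secret_access_key = constructedLongTermSecret\n")
        stored = write_session_profile(SAMPLE_STS_OUTPUT, path, "mfa")
        config = configparser.ConfigParser()
        config.read(path)
        return {
            "stored": stored,
            "default_kept": config["default"]["aws_access_key_id"],
            "expired_before": session_expired(path, "mfa", datetime(2019, 6, 30, 11, tzinfo=timezone.utc)),
            "expired_after": session_expired(path, "mfa", datetime(2019, 6, 30, 13, tzinfo=timezone.utc)),
            "missing_profile_expired": session_expired(path, "no-such-profile"),
        }


if __name__ == "__main__":
    print(demo())
```

With the profile written, the login from the question becomes aws ecr get-login --profile mfa (the --profile switch is the standard CLI global option), and a refresh job only needs to call session_expired before deciding to prompt for a new token code.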

I had the same problem, but I had previously set a permissions boundary that only covered S3, which caused the problem.

After removing the permissions boundary, it worked like a charm.

0
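The two denial causes discussed in this thread, a missing identity policy (the GetAuthorizationToken statement answer above) and a permissions boundary that does not cover ECR (the answer just above), as an added example that is not part of any answer here: a minimal simulator of how IAM combines identity policies with a boundary. It handles only Effect, Action and Resource with wildcards and ignores conditions, NotAction and resource-based policies, so it is an aid for reasoning about these cases, not a replacement for the IAM policy simulator. The S3-only boundary and the "ecr:*" policy are constructed stand-ins, not the text of the real AWS managed policies.

```python
"""Minimal IAM decision simulator for the denials in this thread (added example).

Two rules are modelled: an identity policy must grant the action, and when a
permissions boundary is attached it must grant the action too. Explicit Deny wins.
"""
from fnmatch import fnmatchcase
from typing import Iterable, Optional

ACTION = "ecr:GetAuthorizationToken"

# The statement from the answer above, wrapped in a full policy document.
ECR_TOKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor2", "Effect": "Allow",
     "Action": "ecr:GetAuthorizationToken", "Resource": "*"}]}

# Constructed stand-in for a policy granting all ECR actions (not the real managed policy text).
ECR_WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}]}

# Constructed stand-in for a permissions boundary that only covers S3.
S3_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """Match an action or resource against patterns; IAM actions are case-insensitive and allow * and ?."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _policy_decision(policy: dict, action: str, resource: str) -> Optional[str]:
    """Return 'Deny', 'Allow', or None (implicit deny) for one policy document."""
    decision = None
    for st in _as_list(policy.get("Statement", [])):
        if not _matches(st.get("Action", []), action):
            continue
        if not _matches(st.get("Resource", []), resource):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        decision = "Allow"
    return decision


def diagnose(identity_policies: Iterable[dict], action: str, resource: str = "*",
             boundary: Optional[dict] = None) -> str:
    """Name the reason an action is denied, in the terms this thread uses."""
    decisions = [_policy_decision(p, action, resource) for p in identity_policies]
    if "Deny" in decisions:
        return "explicit deny in an identity policy"
    if "Allow" not in decisions:
        return "no identity policy grants the action"
    if boundary is not None and _policy_decision(boundary, action, resource) != "Allow":
        return "permissions boundary does not grant the action"
    return "allowed"


def is_authorized(identity_policies: Iterable[dict], action: str, resource: str = "*",
                  boundary: Optional[dict] = None) -> bool:
    return diagnose(identity_policies, action, resource, boundary) == "allowed"


if __name__ == "__main__":
    # The question: a user with no ECR policy attached.
    print(diagnose([], ACTION))
    # The accepted fix: attach a policy with the GetAuthorizationToken statement.
    print(diagnose([ECR_TOKEN_POLICY], ACTION))
    # The last answer: the same policy, but an S3-only permissions boundary on the user.
    print(diagnose([ECR_TOKEN_POLICY], ACTION, boundary=S3_ONLY_BOUNDARY))
```

Note that the GetAuthorizationToken statement on its own is only enough to log in; pushing or pulling images needs further ecr: actions on the repository, which is why the PowerUser or FullAccess managed policies are the usual choice.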