When I try to deploy an AWS Lambda from Visual Studio I get this error:
Fetching ECR authorization token to use to login with the docker CLI
Error logging on with the docker CLI: User: arn:aws:sts::123456789012:assumed-role/@Infra/aws-toolkit-visualstudio-637706142753914780 is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
The IAM role I am using has these permissions:
AmazonS3FullAccess
AmazonAPIGatewayAdministrator
AmazonElasticContainerRegistryPublicFullAccess
AWSLambda_FullAccess
If I extend this list by adding AdministratorAccess then the deployment is successful, but I would like to limit the permissions to only those which are needed.
Any idea how to extend the permissions to fix this problem? I already have AmazonElasticContainerRegistryPublicFullAccess there, so I would expect it to be enough.
I put fake numbers in the error message because of security.
CodePudding user response:
You can add an inline policy to your role with just ecr:GetAuthorizationToken permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}
Please don't change "Resource": "*". This is how it should be for ecr:GetAuthorizationToken.
If you get past this error and then get another access denied, add the missing permissions to the policy.
CodePudding user response:
Adding AmazonEC2ContainerRegistryPowerUser solved the problem.
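To see why the four policies listed in the question never match ecr:GetAuthorizationToken, and why both answers fix it, here is an added Python example that is not part of the original thread and not AWS code. It evaluates IAM identity-based policies locally using the part of the IAM logic that matters here (explicit Deny wins, otherwise at least one matching Allow, otherwise implicit deny). The managed-policy documents are constructed, simplified stand-ins that keep only the action patterns relevant to this error, not the real AWS documents; the inline policy is the one from the first answer; the repository ARN and region used for the "scoped Resource" counterexample are hypothetical.

```python
import fnmatch
import json

# Constructed, simplified stand-ins for the managed policies named in the question.
# They keep only the action patterns that matter for this error and are NOT the
# full AWS managed-policy documents.
AMAZON_S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}],
}
AMAZON_API_GATEWAY_ADMINISTRATOR = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "apigateway:*", "Resource": "*"}],
}
# Note the "ecr-public:" prefix: ECR Public is a different service prefix than "ecr:",
# which is why this policy never grants ecr:GetAuthorizationToken.
AMAZON_ECR_PUBLIC_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ecr-public:*", "sts:GetServiceBearerToken"], "Resource": "*"}],
}
AWS_LAMBDA_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["lambda:*", "logs:DescribeLogGroups"], "Resource": "*"}],
}
ORIGINAL_ROLE = [AMAZON_S3_FULL_ACCESS, AMAZON_API_GATEWAY_ADMINISTRATOR,
                 AMAZON_ECR_PUBLIC_FULL_ACCESS, AWS_LAMBDA_FULL_ACCESS]

# The inline policy proposed in the first answer, as posted.
INLINE_GET_AUTH_TOKEN = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": "ecr:GetAuthorizationToken", "Resource": "*"}]
}""")

# Simplified stand-in for AmazonEC2ContainerRegistryPowerUser (second answer):
# registry login plus image pull and push.
AMAZON_EC2_CONTAINER_REGISTRY_POWER_USER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"]}],
}

ACTION = "ecr:GetAuthorizationToken"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; patterns may use * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policies, action, resource="*"):
    """Evaluate identity-based policies for one action on one resource.

    Explicit Deny on a matching statement wins; otherwise at least one matching
    Allow is required; no match at all is the implicit deny from the error message.
    """
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            resources = _as_list(stmt.get("Resource", []))
            # A statement applies only if its Resource covers the requested one.
            # ecr:GetAuthorizationToken is always requested on "*", so only "*" matches.
            if "*" not in resources and resource not in resources:
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def original_role_allows(action=ACTION):
    return is_allowed(ORIGINAL_ROLE, action)


def with_inline_policy(action=ACTION):
    return is_allowed(ORIGINAL_ROLE + [INLINE_GET_AUTH_TOKEN], action)


def with_power_user(action=ACTION):
    return is_allowed(ORIGINAL_ROLE + [AMAZON_EC2_CONTAINER_REGISTRY_POWER_USER], action)


def inline_policy_with_scoped_resource_allows():
    # Why the first answer says not to change Resource: scoped to a repository ARN
    # (hypothetical ARN below), the statement no longer matches a request made on "*".
    scoped = json.loads(json.dumps(INLINE_GET_AUTH_TOKEN))
    scoped["Statement"][0]["Resource"] = "arn:aws:ecr:eu-west-1:123456789012:repository/my-lambda"
    return is_allowed(ORIGINAL_ROLE + [scoped], ACTION)


if __name__ == "__main__":
    print("original role            :", original_role_allows())
    print("same action, ecr-public  :", original_role_allows("ecr-public:GetAuthorizationToken"))
    print("with inline policy       :", with_inline_policy())
    print("with PowerUser policy    :", with_power_user())
    print("inline, Resource scoped  :", inline_policy_with_scoped_resource_allows())
```

The run shows the gap the questioner hit: the original role allows ecr-public:GetAuthorizationToken but not ecr:GetAuthorizationToken, because the two are different service prefixes. Both answers close that gap; the difference is scope. The inline policy grants only the login call, so a following docker push will still be denied until ecr:PutImage and the layer-upload actions are added, which is the incremental approach the first answer describes. AmazonEC2ContainerRegistryPowerUser grants login plus pull and push on every repository in the account in one step. Against the real role, the equivalent check is `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names ecr:GetAuthorizationToken`, which evaluates the policies actually attached rather than these stand-ins.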