AWS lambda problem with deployment - not enough permissions

Time:10-25

When I try to deploy an AWS Lambda from Visual Studio, I get this error:

Fetching ECR authorization token to use to login with the docker CLI
Error logging on with the docker CLI: User: arn:aws:sts::123456789012:assumed-role/@Infra/aws-toolkit-visualstudio-637706142753914780 is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action

The IAM role I am using has these permissions:

AmazonS3FullAccess

AmazonAPIGatewayAdministrator

AmazonElasticContainerRegistryPublicFullAccess

AWSLambda_FullAccess

If I extend this list by adding AdministratorAccess, then deployment is successful, but I would like to limit permissions to only those which are needed.

Any idea how to extend the permissions to fix this problem? I already have AmazonElasticContainerRegistryPublicFullAccess there, so I would expect it to be enough.

I put fake numbers in the error message for security reasons.

CodePudding user response:

You can add an inline policy to your role with just ecr:GetAuthorizationToken permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}

Please don't change: "Resource": "*". This is how it should be for ecr:GetAuthorizationToken.

If you get past this error and get other access-denied errors, add the missing permissions to the policy.

CodePudding user response:

Adding AmazonEC2ContainerRegistryPowerUser solved the problem.
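
Why the ECR Public policy did not cover the failing call, and why the first answer keeps "Resource": "*", shown as an added example (not code from either answer): a simplified identity-policy evaluator in Python. The `ecr-public:*` stand-in policy, the repository ARN and all function names are assumptions made for illustration.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policies, action, resource="*"):
    """Simplified identity-policy check: 'allow', 'explicit-deny' or 'implicit-deny'.

    Models Action/Resource wildcards only (no Condition, NotAction,
    permission boundaries or SCPs).
    """
    decision = "implicit-deny"          # nothing matched yet
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive; '*' is a wildcard.
            action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                             for a in _as_list(stmt["Action"]))
            resource_hit = any(fnmatch.fnmatchcase(resource, r)
                               for r in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "explicit-deny"   # a deny always wins
                decision = "allow"
    return decision

def _policy(action, resource="*"):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": action, "Resource": resource}]}

# Constructed stand-in for the ECR Public managed policy (assumption: it only
# covers the separate "ecr-public" action namespace).
ECR_PUBLIC_ONLY = _policy("ecr-public:*")
# The statement from the first answer's inline policy (Sid omitted).
INLINE_TOKEN = _policy("ecr:GetAuthorizationToken")
# Same action, but scoped to a constructed repository ARN.
SCOPED_TOKEN = _policy("ecr:GetAuthorizationToken",
                       "arn:aws:ecr:us-east-1:123456789012:repository/demo")

if __name__ == "__main__":
    # The failing call in the error message targets resource "*".
    for name, attached in [("public only", [ECR_PUBLIC_ONLY]),
                           ("public + inline", [ECR_PUBLIC_ONLY, INLINE_TOKEN]),
                           ("public + scoped", [ECR_PUBLIC_ONLY, SCOPED_TOKEN])]:
        print(name, "->", evaluate(attached, "ecr:GetAuthorizationToken"))
```

The scoped variant is denied because the request in the error message is made against resource `*`, which a repository ARN pattern does not match.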