I have an ECR in a prod account that I want to grant push access to from the dev role.
This is my current policy:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account:role/rolename",
          "arn:aws:sts::account:assumed-role/rolename/instance",
          "arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:PutLifecyclePolicy",
        "ecr:SetRepositoryPolicy",
        "ecr:StartLifecyclePolicyPreview",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
Running aws sts get-caller-identity, I can see I have the role checked out ("arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session"), but I do not have access to push.
I receive the following until timeout.
The push refers to repository [account.dkr.ecr.us-west-2.amazonaws.com/repo]
87e2ce75493a: Retrying in 4 seconds
My non-prod account does exist in us-east-1, but my login command specifies west.
task: [docker:ecr-login] aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin account.dkr.ecr.us-west-2.amazonaws.com
Any ideas what may be my problem on this repo?
(this works with my production account so the registry is valid)
Also this works when I use my dev account and allow the user IAM
CodePudding user response:
In my case, the EC2 role had access to ECRs in its own account but did not have a resource giving it permission to external accounts. This is because AWS first checks resource policies but then checks the role's policy to ensure that the action is also enabled for the role.
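The cross-account rule the answer describes, as an added example that is not part of the original question or answer: a simplified Python model in which a push succeeds only when both the prod repository policy and the dev role's own identity policy allow each action. The account IDs, the region in the repository ARN, the two identity policies and the helper names are constructed for illustration; explicit Deny, conditions, SCPs and permissions boundaries are left out of the model.

```python
from fnmatch import fnmatchcase

DEV, PROD = "111111111111", "222222222222"   # constructed account IDs
ROLE = f"arn:aws:iam::{DEV}:role/rolename"
REPO = f"arn:aws:ecr:us-west-2:{PROD}:repository/repo"
PUSH = ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action, resource, principal=None):
    """True if some Allow statement matches. Simplified model: no Deny,
    Condition, SCP or permissions-boundary handling."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        # A repository policy has no Resource element: it applies to its own repo.
        resources = _as_list(stmt.get("Resource", resource))
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if principal is not None and principal not in _as_list(stmt["Principal"]["AWS"]):
            continue
        return True
    return False

def can_push_cross_account(identity_policy, repo_policy):
    """Cross-account: BOTH the role's policy and the repository policy must allow."""
    return all(policy_allows(identity_policy, a, REPO) and
               policy_allows(repo_policy, a, REPO, principal=ROLE) for a in PUSH)

# Repository policy in the prod account, trimmed to the push actions.
repo_policy = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [ROLE]}, "Action": PUSH}]}

# Dev role before the fix: ECR access only to repositories in its own account.
own_account_only = {"Statement": [
    {"Effect": "Allow", "Action": "ecr:*",
     "Resource": f"arn:aws:ecr:*:{DEV}:repository/*"}]}

# After the fix: an extra statement naming the prod repository.
with_prod_repo = {"Statement": own_account_only["Statement"] + [
    {"Effect": "Allow", "Action": PUSH, "Resource": REPO}]}

if __name__ == "__main__":
    print("before:", can_push_cross_account(own_account_only, repo_policy))
    print("after: ", can_push_cross_account(with_prod_repo, repo_policy))
```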