I've tried to follow AWS instructions on setting ECR authorization to my user by giving the AmazonEC2ContainerRegistryFullAccess policy to my user.
However, when I try to run aws ecr get-login on my PC, I get an error that I don't have permission.
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::ACCOUNT_NUMBER:user/MY_USER is not authorized to perform: ecr:GetAuthorizationToken on resource: *
What have I done wrong?
Retrieves an authorization token. An authorization token represents your IAM authentication credentials and can be used to access any Amazon ECR registry that your IAM principal has access to. The authorization token is valid for 12 hours.
An authentication token is used to access any Amazon ECR registry that your IAM principal has access to and is valid for 12 hours. To obtain an authorization token, you must use the GetAuthorizationToken API operation to retrieve a base64-encoded authorization token containing the username AWS and an encoded password.
The primary difference between Amazon ECR and ECS is that while ECR provides the repository that stores all code that has been written and packaged as a Docker image, the ECS takes these files and actively uses them in the deployment of applications.
You must attach a policy to your IAM role.
I attached AmazonEC2ContainerRegistryFullAccess and it worked.
Here is a full answer, after I followed all steps - I was able to use ECR
The error can have a few meanings:
You are not authorized because you do not have ECR policy attached to your user
You are not authorized because you are using 2FA and using cli is not secure unless you set a temporary session token
You provided invalid credentials
Here is a list of all steps to get access (including handling 2FA)
If you have 2FA enabled
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
arn-of-the-mfa-device can be found in your profile, 2FA section. Token, is generated token from the device.
AccessKeyId, SecretAccessKey, and SessionToken. AWS recommends having either cron job to refresh token, which means if you are doing it you are testing things, your prod resources most likely do not have 2FA enabled. You can increase session by providing --duration-seconds but only up to 36 hours. A good explanation can be found at authenticate-mfa-cli
This should do the job
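The get-session-token command in the answer above returns an AccessKeyId, SecretAccessKey and SessionToken. As an added example (not part of the answer or of AWS's own tooling), this is one way to validate that output and store it in a named profile of a credentials file. The profile name, function names and sample values are assumptions made for illustration.

```python
import configparser
import json
import os
from datetime import datetime, timezone

# Constructed sample of `aws sts get-session-token` output; every value is a placeholder.
SAMPLE_STS_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
    "SecretAccessKey": "exampleSecretAccessKeyValue",
    "SessionToken": "exampleSessionTokenValue",
    "Expiration": "2099-01-01T12:00:00+00:00"
  }
}"""
REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def parse_session(sts_json, now=None):
    """Return (credentials-file values, expiry) from get-session-token JSON."""
    creds = json.loads(sts_json).get("Credentials") or {}
    missing = [key for key in REQUIRED if not creds.get(key)]
    if missing:
        raise ValueError("STS output is missing: " + ", ".join(missing))
    expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expiry.tzinfo is None:  # treat a timestamp without an offset as UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    if expiry <= (now or datetime.now(timezone.utc)):
        raise ValueError("session token has expired; request a new one")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }, expiry


def write_profile(path, profile, values):
    """Replace one profile in a credentials file, leaving other profiles intact."""
    config = configparser.ConfigParser(interpolation=None)
    config.read(path)  # a missing file simply yields an empty config
    config[profile] = values
    # Create the file as 0600 so the temporary secrets are never group/world readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        config.write(handle)
    os.chmod(path, 0o600)  # also tighten a pre-existing file with looser permissions
```

With the values written under a profile such as mfa, AWS CLI commands run with --profile mfa use the temporary credentials until they expire.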