Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

AWS ECR GetAuthorizationToken

Tags:

amazon-web-services

aws-cli

amazon-ec2

amazon-ecr

I've tried to follow AWS instructions on setting ECR authorization to my user by giving the AmazonEC2ContainerRegistryFullAccess policy to my user.

However when I try to run on my PC the aws ecr get-login I get an error that I don't have permission.

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::ACCOUNT_NUMBER:user/MY_USER is not authorized to perform: ecr:GetAuthorizationToken on resource: *

What have I done wrong ?

like image 300
Y. Eliash Avatar asked Jul 26 '16 10:07

Y. Eliash

People also ask

What is ECR GetAuthorizationToken?

PDF. Retrieves an authorization token. An authorization token represents your IAM authentication credentials and can be used to access any Amazon ECR registry that your IAM principal has access to. The authorization token is valid for 12 hours.

Is not authorized to perform ECR GetAuthorizationToken on?

The error can have a few meanings: You are not authorized because you do not have ECR policy attached to your user. You are not authorized because you are using 2FA and using cli is not secure unless you set a temporary session token. You provided invalid credentials.

How can I get ECR authentication token?

An authentication token is used to access any Amazon ECR registry that your IAM principal has access to and is valid for 12 hours. To obtain an authorization token, you must use the GetAuthorizationToken API operation to retrieve a base64-encoded authorization token containing the username AWS and an encoded password.

What is the difference between AWS ECR and ECS?

The primary difference between Amazon ECR and ECS is that while ECR provides the repository that stores all code that has been written and packaged as a Docker image, the ECS takes these files and actively uses them in the deployment of applications.

Video Answer

2 Answers

You must attach a policy to your IAM role.

I attached AmazonEC2ContainerRegistryFullAccess and it worked.

like image 192
fegoulart Avatar answered Sep 17 '22 16:09

fegoulart

Here is a full answer, after I followed all steps - I was able to use ECR

The error can have a few meanings:

  1. You are not authorized because you do not have ECR policy attached to your user

  2. You are not authorized because you are using 2FA and using cli is not secure unless you set a temporary session token

  3. You provided invalid credentials

Here is a list of all steps to get access (including handling 2FA)

  1. First of all, you have to create a policy that gives you access to GetAuthorizationToken action in ECR.
  2. Attach this policy either to a user or a group (groups/roles are IMHO always better approach, my vote to roles, e.g. DevOps)
  3. Make sure you have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY set in your environment. I recommend to use aws folder with credentials and profiles separated.

If you have 2FA enabled

  1. You need to generate session token using this command aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token. arn-of-the-mfa-device can be found in your profile, 2FA section. Token, is generated token from the device.
  2. Update aws credentails with received AccessKeyId, SecretAccessKey, and SessionToken. AWS recommends having either cron job to refresh token, which means if you are doing it you are testing things, your prod resources most likely do not have 2FA enabled. You can increase session by providing --duration-seconds but only up to 36 hours. A good explanation can be found at authenticate-mfa-cli

This should do the job

like image 41
taras Avatar answered Sep 20 '22 16:09

taras
Sign in to Comment

Related questions

CloudFront + S3 Website: "The specified key does not exist" when an implicit index document should be displayed
How to change the AWS account using the Elastic Beanstalk CLI
Amazon Cognito "A client attempted to write unauthorized attribute"
Is it better to have multiple s3 buckets or one bucket with sub folders?
AWS create role - Has prohibited field
Are S3 buckets region specific?
where do I keep my amazon .pem file on a mac
how to clean up docker overlay directory?
S3: make a public folder private again?
Amazon MWS - request signature calculated does not match the signature provided
AWS Lambda : OpenBLAS WARNING - could not determine the L2 cache size on this system, assuming 256k - While using Google Custom Search API
Difference between AWS DynamoDB vs. AWS DocumentDB(Newly launched service)? [closed]
Cognito User Pool: How to refresh Access Token using Refresh Token
Amazon S3 lifecycle retroactive application
Elastic Beanstalk without Elastic Load Balancer
Does Amazon S3 support HTTP request with basic authentication
NodeJS How do I Download a file to disk from an aws s3 bucket?
Exclude multiple folders using AWS S3 sync
Emulating Amazon SQS during development
I cannot install aws cli on mac os with pip - awscli: command not found

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!