
How do I use `aws ecr get-login` with MFA enforcement enabled?

I am using the aws cli, and my IAM user has full Admin rights. Our company requires MFA, so there is an MFA enforcement policy on my IAM user. To use the cli, I fetch a token using aws sts get-session-token.

This all lets me use aws cli just fine, until I try and fetch the docker login for AWS container registries. Then I get an error...

$ aws ecr get-login --registry-ids XXXXX
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::XXXXX:user/yyyyy is not authorized to perform: ecr:GetAuthorizationToken on resource: *

If I temporarily remove the MFA enforcement policy from my IAM user, then the command succeeds.

So the question is, how do I use aws ecr get-login with MFA enforcement enabled?

Tom Thorne asked Jul 24 '17 14:07


1 Answer

You first need to get a session token. That can be done by:

aws sts get-session-token --serial-number <arn-of-the-mfa-device> --token-code <code-generated-by-MFA-device>

The arn-of-the-mfa-device can be found by going to the user's detail in the IAM section of your AWS Console. The output of the above command will give you a session token, with other access credentials, to use. You should then run:

aws configure set aws_session_token <the-session-token-in-the-output-of-above-command>

After that, do the aws ecr login as usual.

Bonkers answered Oct 11 '22 12:10
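
The flow from the answer as one script. This is an added example, not part of the original question or answer. It loads all three values returned by `aws sts get-session-token` (access key ID, secret access key, session token) into the environment for the current shell only. The function names `creds_to_exports` and `mfa_session` are hypothetical, and the script assumes the long-term access key is stored in the default AWS CLI profile.

```sh
# Added example (not from the original answer). Function names are hypothetical.
# Assumes the long-term access key lives in the default AWS CLI profile.

# Convert "<AccessKeyId>\t<SecretAccessKey>\t<SessionToken>" into export lines.
# Runs in a subshell so the IFS and globbing changes do not leak to the caller.
creds_to_exports() (
    IFS=$(printf '\t')
    set -f
    set -- $1                      # split on tabs only
    if [ "$#" -ne 3 ]; then
        echo "expected 3 credential fields, got $#" >&2
        exit 1
    fi
    # The output is meant for eval, so reject anything outside the
    # base64-style alphabet expected for AWS keys and tokens (assumption).
    case "$1$2$3" in
        *[!A-Za-z0-9+/=]*) echo "unexpected character in credentials" >&2; exit 1 ;;
    esac
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
    printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
)

# Request MFA-backed temporary credentials and print them as export lines.
# $1 = ARN of the MFA device, $2 = current code from the device.
mfa_session() {
    line=$(
        # Drop any earlier session so the call is signed with the long-term key.
        unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
        aws sts get-session-token --serial-number "$1" --token-code "$2" \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text
    ) || return 1
    creds_to_exports "$line"
}

# Usage (needs network access and a real MFA code):
#   eval "$(mfa_session <arn-of-the-mfa-device> <code-generated-by-MFA-device>)"
#   aws ecr get-login --registry-ids XXXXX
```

Because the credentials are exported rather than written with `aws configure set`, they disappear when the shell exits and the long-term key in the profile is left untouched.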