
I get AWS ECR exit status 255 despite using AWS ubuntu containers

I am trying to build a Docker container in AWS CodeBuild as a means to deploy a container to ECR, but I get this error.

Error while executing command: $(aws ecr get-login --region ap-southeast-1). Reason: exit status 255


This command was run in the buildspec.yml file, using aws/codebuild/ubuntu-base:14.04 with the "Enable this flag if you want to build Docker images or want your builds to get elevated privileges" option enabled.

The log files are as follows:

[Container] 2018/10/11 00:52:49 Running command $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::502776083946:assumed-role/code-build-timesheet/AWSCodeBuild-f1d205b1-b03f-4727-a4d7-a02118021eec is not authorized to perform: ecr:GetAuthorizationToken on resource: *

[Container] 2018/10/11 00:52:52 Command did not exit successfully $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email) exit status 255
[Container] 2018/10/11 00:52:52 Phase complete: INSTALL Success: false
[Container] 2018/10/11 00:52:52 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email). Reason: exit status 255
Moses Liao GZ asked Oct 08 '18 01:10


2 Answers

This status code usually indicates an unauthorized user. To fix this, we need to let our CodeBuild role talk to ECR. To do this, go to IAM and attach the AmazonEC2ContainerRegistryPowerUser policy to your CodeBuild role.

Kentoy answered Sep 25 '22 13:09


In my case, I added the permission but was still getting the same issue. I later found that the "Permissions boundary" on my IAM role was not letting the permission go through. So if you set Permissions policies to allow ecr:GetAuthorizationToken but have a Permissions boundary enabled as well, then you need to add the same permission to the Permissions boundary (or remove the Permissions boundary).

Kanak Singhal answered Sep 22 '22 13:09
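
The interaction both answers describe, as an added example that is not part of the original posts: a simplified model of how an IAM role's identity policies and its permissions boundary combine, showing why ecr:GetAuthorizationToken stays denied until both allow it. The policy documents and function names are constructed for illustration, and the model assumes only Effect, Action and Resource with wildcards (no conditions, NotAction, SCPs, session or resource policies).

```python
import re

def _glob(pattern, value):
    # IAM wildcards: * matches any run of characters, ? matches one character
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _listify(v):
    return v if isinstance(v, list) else [v]

def decision(policies, action, resource):
    """'Deny', 'Allow' or 'ImplicitDeny' across a list of policy documents."""
    result = "ImplicitDeny"
    for doc in policies:
        for stmt in _listify(doc["Statement"]):
            # Action names are case-insensitive in IAM
            hit = (any(_glob(a.lower(), action.lower()) for a in _listify(stmt["Action"]))
                   and any(_glob(r, resource) for r in _listify(stmt["Resource"])))
            if hit and stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            if hit:
                result = "Allow"
    return result

def effective(identity_policies, boundary, action, resource="*"):
    """(allowed, reason): the request needs an Allow from the identity
    policies AND, if a boundary is set, an Allow from the boundary too."""
    ident = decision(identity_policies, action, resource)
    if ident != "Allow":
        return False, "identity policies: " + ident
    if boundary is not None:
        bound = decision([boundary], action, resource)
        if bound != "Allow":
            return False, "permissions boundary: " + bound
    return True, "allowed"

# Constructed sample documents (not taken from the page or from AWS)
IDENTITY = {"Statement": [{"Effect": "Allow", "Resource": "*",
            "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:PutImage"]}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Resource": "*",
            "Action": ["logs:*", "s3:*", "codebuild:*"]}]}
BOUNDARY_FIXED = {"Statement": BOUNDARY["Statement"] + [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"}]}

if __name__ == "__main__":
    for name, b in [("no boundary", None), ("boundary", BOUNDARY), ("fixed", BOUNDARY_FIXED)]:
        print(name, effective([IDENTITY], b, "ecr:GetAuthorizationToken"))
```

The reason string says which layer blocked the call, which is the distinction between the two answers: the first case is a missing identity policy, the second a boundary that never lists the action.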