I get AWS ECR exit status 255 despite using AWS ubuntu containers

Question

I am trying to build a docker container in AWS code build as a means to deploy a container to ECR, but I get this error.

Error while executing command: $(aws ecr get-login --region ap-southeast-1). Reason: exit status 255

This command was run on the buildspec.yml file, using aws/codebuild/ubuntu-base:14.04 and Enable this flag if you want to build Docker images or want your builds to get elevated privileges.

The log files are as follows:

[Container] 2018/10/11 00:52:49 Running command $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::502776083946:assumed-role/code-build-timesheet/AWSCodeBuild-f1d205b1-b03f-4727-a4d7-a02118021eec is not authorized to perform: ecr:GetAuthorizationToken on resource: *

[Container] 2018/10/11 00:52:52 Command did not exit successfully $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email) exit status 255
[Container] 2018/10/11 00:52:52 Phase complete: INSTALL Success: false
[Container] 2018/10/11 00:52:52 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email). Reason: exit status 255

Answer 1

This status code usually indicates an unauthorized user. To fix this, we need to let our Code Build role be able to talk to ECR. To do this: Go to IAM and then attach a AmazonEC2ContainerRegistryPowerUser policy to your CodeBuild role.

Answer 2

In my case, I added the permission but was still getting the same issue. Later found that my "Permissions boundary" in the IAM role was not letting the permission go through. So if you set Permission policies to allow ecr:GetAuthorizationToken but have Permissions boundary enabled as well then you need to add the same permission to the Permissions boundary (or remove Permissions boundary).