I'm trying to set up my Node project with AWS CodeBuild.
version: 0.2
phases:
  pre_build:
    commands:
      - $(aws ecr get-login)
      - TAG="$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | head -c 8)"
  build:
    commands:
      - docker build -t "${REPOSITORY}:${TAG}" .
  post_build:
    commands:
      - docker push "${REPOSITORY}:${TAG}"
When I trigger a build, the command $(aws ecr get-login) fails:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User is not authorized to perform: ecr:GetAuthorizationToken on resource: *
[Container] 2018/10/26 10:04:12 Command did not exit successfully $(aws ecr get-login) exit status 255
In the IAM console, the user has these policies attached:
and both contain the ecr:GetAuthorizationToken permission.
What am I missing?
Solved. I needed to give the ecr:GetAuthorizationToken permission to the role, instead of to the user.
Had a similar issue, but attaching the AmazonEC2ContainerRegistryReadOnly or AmazonEC2ContainerRegistryPowerUser or AmazonEC2ContainerRegistryFullAccess policies to the codebuild role did nothing.
Solved by creating my own policy and attaching it to the codebuild role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ],
      "Resource": "%YOUR_REPOSITORY_ARN"
    }
  ]
}
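The build runs as the CodeBuild service role, so that role's policy document is the one that has to carry these permissions. The following is an added example, not part of the original posts: it checks a policy document for the login and upload actions a push needs and shows why ecr:GetAuthorizationToken sits in its own statement with Resource "*". The repository ARN and both sample policies are constructed, and the evaluator is a simplification that ignores Condition, NotAction, NotResource and permission boundaries.

```python
import re

# Constructed sample ARN (placeholder account and repository name).
REPO_ARN = "arn:aws:ecr:us-east-1:123456789012:repository/example-app"
LOGIN = "ecr:GetAuthorizationToken"
# Login plus the upload actions listed in the answer's policy.
PUSH_ACTIONS = [LOGIN, "ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, flags=0):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def is_allowed(policy, action, resource):
    # Simplified evaluation: an explicit Deny wins, otherwise any matching Allow.
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_glob(a, action, re.IGNORECASE) for a in _as_list(stmt["Action"]))
               and any(_glob(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def missing_push_permissions(policy, repo_arn):
    # GetAuthorizationToken is not tied to a repository, so it is checked against "*".
    return [a for a in PUSH_ACTIONS
            if not is_allowed(policy, a, "*" if a == LOGIN else repo_arn)]

# Constructed policy: the answer's two-statement layout.
SPLIT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [LOGIN], "Resource": "*"},
    {"Effect": "Allow", "Action": PUSH_ACTIONS[1:], "Resource": REPO_ARN}]}
# Constructed policy: everything in one repository-scoped statement.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:*", "Resource": REPO_ARN}]}

if __name__ == "__main__":
    print("split :", missing_push_permissions(SPLIT_POLICY, REPO_ARN))
    print("scoped:", missing_push_permissions(SCOPED_POLICY, REPO_ARN))
```

A policy exported from the role with the AWS CLI or console can be loaded with json.load and passed to missing_push_permissions in place of the constructed samples.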