GetAuthorizationToken permission error in AWS CodeBuild
Question
I'm trying to setup my Node project with AWS CodeBuild.
version: 0.2
phases:
pre_build:
commands:
- $(aws ecr get-login)
- TAG="$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | head -c 8)"
build:
commands:
- docker build -t "${REPOSITORY}:${TAG}" .
post_build:
commands:
- docker push "${REPOSITORY}:${TAG}"
When I trigger a build, command $(aws ecr get-login) fails:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User is not authorized to perform: ecr:GetAuthorizationToken on resource: * [Container] 2018/10/26 10:04:12 Command did not exit successfully $(aws ecr get-login) exit status 255
In IAM console, the user has these policies attached:
- AmazonEC2ContainerRegistryFullAccess
- AmazonEC2ContainerRegistryPowerUser
and both contain ecr:GetAuthorizationToken permission.
What am I missing?
2 answers
solution1
3 ACCPTED 2018-10-26 10:33:14
Solved. I needed to give ecr:GetAuthorizationToken permission to the role, instead of to the user.
solution2
3 2022-06-16 19:15:19
Had similar issue but attaching AmazonEC2ContainerRegistryReadOnly or AmazonEC2ContainerRegistryPowerUser or AmazonEC2ContainerRegistryFullAccess policies to codebuild role did nothing
Solved by creating my own policy and attaching it to codebuild role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
],
"Resource": "%YOUR_REPOSITORY_ARN"
}
]
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.