
Can you run “aws ecr get-login-password” when using an assumed role?

Currently I want to interact with an ECR repository that I have access to via an assumed role.

How do I run:

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin accountId.dkr.ecr.us-east-1.amazonaws.com

docker pull respositylocation:tag

So that I am able to assume the role, and pull the docker image.

I am able to run other commands within AWS and successfully assume a role to execute the command. It is specifically the aws ecr get-login-password that I am unable to run successfully.

Yes, of course you can. That's how, for example, CodeBuild logs in to ECR - by using its role.

For this, your role would need to have the necessary permissions to use ECR. Following the example of CodeBuild, your role could have the following policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRPullPolicy",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ECRAuthPolicy",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

There could be other permissions needed for the role, such as for S3. But the ECR access should be sufficiently handled by the above.
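
One way to run the login from the question under an assumed role, as an added example that is not part of the original question or answer. The role ARN and registry host are passed in by the caller; the function names and the session name `ecr-pull` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: Docker login to ECR using temporary credentials from an
# assumed role. Function names and the session name are hypothetical.

# Print the region embedded in an ECR registry host, e.g.
# <account>.dkr.ecr.us-east-1.amazonaws.com -> us-east-1.
# Hosts outside the standard amazonaws.com form are rejected.
ecr_region_from_registry() {
  case "$1" in
    *.dkr.ecr.*.amazonaws.com) ;;
    *) return 1 ;;
  esac
  set -- "${1#*.dkr.ecr.}"
  printf '%s\n' "${1%.amazonaws.com}"
}

# Usage: ecr_login_with_role <role-arn> <registry-host>
# The body is a subshell, so the temporary keys exported below never
# reach the calling shell's environment.
ecr_login_with_role() (
  role_arn="$1"
  registry="$2"
  region="$(ecr_region_from_registry "$registry")" || {
    echo "not an ECR registry host: $registry" >&2
    exit 2
  }
  # Ask STS for temporary credentials (three whitespace-separated fields).
  creds="$(aws sts assume-role --role-arn "$role_arn" \
      --role-session-name ecr-pull \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text)" || exit 3
  set -f                      # no globbing while splitting the fields
  set -- $creds
  [ "$#" -eq 3 ] || { echo "unexpected assume-role output" >&2; exit 3; }
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  # Fetch the token first so a failure stops here instead of piping an
  # empty password into docker.
  token="$(aws ecr get-login-password --region "$region")" || exit 4
  # printf is a shell builtin, so the token is not exposed in process arguments.
  printf '%s' "$token" |
    docker login --username AWS --password-stdin "$registry"
)
```

After a successful call, `docker pull` against that registry uses the stored login; the assumed role still needs the pull actions from the policy above.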
