stackoom
  简体   繁体   中英

use aws-vault to push docker image to ECR failed

 原文  2021-10-19 22:36:19       amazon-web-services/ docker/ aws-cli/ amazon-ecr

Question

I am trying to push docker image to ECR from my mac. I added identity to aws-vault, but using aws-vault failed to obtain password. My peer has the same privilege and he can login to ECR without problem.

.aws % aws-vault list                                                                                
    Profile                  Credentials              Sessions                 
    =======                  ===========              ========                 
    identity                 identity                 -                        
.aws % ENCRYPTED_PASSWORD=$(aws-vault exec identity -- aws ecr get-login-password --region us-west-2)
    
    An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::97xxxxxxxxxx:user/xxxxx.xxxxxx@xxxxxxxxx.com is not authorized to perform: ecr:GetAuthorizationToken on resource: * with an explicit deny in an identity-based policy

We are using the same role. I intend to execute the following line once ENCRYPTED_PASSWORD is obtained--

aws-vault exec identity -- aws ecr --region us-west-2 | docker login -u AWS -p ${ENCRYPTED_PASSWORD} xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/my-ecr

My .aws/config has this line refer to the above.

[profile identity]

Since my teammate has the same policy/permission, I don't see "GetAuthorizationToken" as an issue. What else? I'm trying to find a way to push my docker images from Mac to the ECR.

Completely redo the config, linked all roles to identity.

[profile xx-xxxx-services-monitoring]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/XXMonitoring
source_profile=identity
sparent_profile=mfa

[profile identity]

Now is the token issue-- I entered the code from MFA Authenticator but failed

.aws % aws-vault exec xx-xxxx-main-admin  -- aws ecr get-login --region us-west-2
Warning: parent_profile is deprecated, please use include_profile instead in your AWS config
Enter token for arn:aws:iam::xxxxxxxxxxxx:mfa/xxxxxx.xxxx@xxxxxx.com: **125492**
aws-vault: error: exec: Failed to get credentials for xx-xxxx-main-admin: AccessDenied: MultiFactorAuthentication failed, unable to validate MFA code.  Please verify your MFA serial number is valid and associated with this user.
    status code: 403, request id: 25808115-d9fa-480d-87d4-xxxxxxxxxxxxx

Doesn't look like the token is valid from Authenticator MFA

1 answers

solution1
 0  2021-10-20 16:00:48

  1. first aws-vault "GetAuthorizationToken" was caused by an unhealthy, ilformatted ~/.aws/config file. Roles must be specified with the following format--

    [profile xx-xxxx-services-monitoring] role_arn=arn:aws:iam::xxxxxxxxxxxx:role/XXMonitoring source_profile=identity sparent_profile=mfa

    [profile identity]

  2. Second part is MFA issue. MFA serial number must match what you configured in your authenticator. (DUO, Authy, Authenticator...) Your ~/.aws/config should have this section--

    [profile mfa] mfa_serial=arn:aws:iam::xxxxxxxxxxxx:mfa/xxxxx.xxxx@xxxxx.com

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question I cant push Docker image to AWS ecr TeamCity: push docker image to AWS ECR Run Goglang with aws-vault aws-vault credentials missing How to use Docker Image in ECR with AWS EKS Docker push to AWS ECR issue Bitbucket Pipelines to build Java app, Docker image and push it to AWS ECR? How to push docker image into aws ecr using golang sdk aws cdk push image to ecr What is aws-vault actually used for?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM