57

I've tried to follow AWS instructions on setting ECR authorization to my user by giving the AmazonEC2ContainerRegistryFullAccess policy to my user.

However, when I try to run `aws ecr get-login` on my PC I get an error that I don't have permission.

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::ACCOUNT_NUMBER:user/MY_USER is not authorized to perform: ecr:GetAuthorizationToken on resource: *

What have I done wrong?

jtoberon
  • 7,505
  • 1
  • 31
  • 44
Y. Eliash
  • 1,090
  • 1
  • 11
  • 20

9 Answers

67

You must attach a policy to your IAM role.

I attached AmazonEC2ContainerRegistryFullAccess and it worked.

fegoulart
  • 844
  • 7
  • 9
  • 2
    I've found out that when 2FA is enabled there is no option to use `aws ecr get-login`; once I removed 2FA from my account I got the authorization token. – Y. Eliash Sep 28 '16 at 08:25
  • @Y.Eliash how is 2FA disabled? Where do I find that window. AWS is huge. – Calicoder Nov 30 '18 at 17:22
  • 6
    For future readers - If your role only needs to read (not write or edit) then `AmazonEC2ContainerRegistryReadOnly` is sufficient. – Fizk Feb 19 '19 at 12:45
  • 1
    Yep, that also did it for me. Saved the day bro :-D – Lawrence Apr 02 '19 at 14:36
9

Here is a full answer; after I followed all these steps I was able to use ECR.

The error can have 2 meanings:

1) You are not authorized because you do not have an ECR policy attached to your user

2) You are not authorized because you are using 2FA and using the CLI is not secure unless you set a temporary session token

Here is a list of all steps to get access (including handling 2FA)

  1. First of all, you have to create a policy that gives you access to the GetAuthorizationToken action in ECR.
  2. Attach this policy either to a user or a group (groups/roles are IMHO always the better approach; my vote goes to roles, e.g. DevOps).
  3. Make sure you have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY set in your environment. I recommend using the .aws folder with credentials and profiles kept separate.

If you have 2FA enabled

  1. You need to generate a session token using this command: `aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token`. arn-of-the-mfa-device can be found in your profile, 2FA section. The token code is the code generated by the device.
  2. Update your AWS credentials with the received AccessKeyId, SecretAccessKey, and SessionToken. AWS recommends having a cron job to refresh the token, which means that if you are doing this you are testing things; your prod resources most likely do not have 2FA enabled. You can increase the session by providing --duration-seconds, but only up to 36 hours. A good explanation can be found at authenticate-mfa-cli.

This should do the job

Taras Matsyk
  • 2,685
  • 2
  • 22
  • 22
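
The "If you have 2FA enabled" steps above, as an added example that is not part of this answer: a small Python helper that calls `aws sts get-session-token` and writes the returned temporary credentials into a separate profile (here named `mfa`) in the credentials file, so that later commands can be run with `--profile mfa`. It assumes the `aws` CLI is on PATH and that the long-term keys live in the default profile; the STS response embedded below is a constructed sample with fake values, and the function and file names are this example's own.

```python
"""Helper for the 2FA steps: fetch a session token with `aws sts
get-session-token` and store it under a named profile so every later
command can use `--profile mfa`.

Added example, not code from the answer. Assumes the aws CLI is on PATH
and the default profile holds the long-term keys when
fetch_session_token() is used; the credentials file is the standard INI
file the CLI reads (~/.aws/credentials by default).
"""
import configparser
import json
import os
import subprocess
import tempfile
from datetime import datetime, timezone

# get-session-token bounds for an IAM user: 15 minutes to 36 hours.
MIN_DURATION, MAX_DURATION = 900, 129600


def fetch_session_token(mfa_serial, token_code, duration_seconds=3600):
    """Run the CLI and return the parsed JSON (needs network; not run offline)."""
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        raise ValueError(f"duration must be {MIN_DURATION}..{MAX_DURATION} seconds")
    cmd = ["aws", "sts", "get-session-token",
           "--serial-number", mfa_serial,
           "--token-code", token_code,
           "--duration-seconds", str(duration_seconds),
           "--output", "json"]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def write_mfa_profile(sts_response, credentials_path, profile="mfa"):
    """Store AccessKeyId/SecretAccessKey/SessionToken under [profile].

    Other profiles in the file are preserved. The file is chmod 0600
    because it now holds live secrets. Returns the expiry (aware UTC
    datetime) so a caller can tell when to run this again.
    """
    creds = sts_response["Credentials"]
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)           # a missing file just starts empty
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    with open(credentials_path, "w") as fh:
        cfg.write(fh)
    os.chmod(credentials_path, 0o600)
    # The CLI prints Expiration as ISO 8601 with a trailing Z.
    return datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))


def read_profile(credentials_path, profile):
    """Return the key/value pairs of one profile as a dict."""
    cfg = configparser.ConfigParser()
    cfg.read(credentials_path)
    return dict(cfg[profile]) if cfg.has_section(profile) else {}


def seconds_until_expiry(expiration, now=None):
    """Negative once the session token has lapsed and must be refreshed."""
    now = now or datetime.now(timezone.utc)
    return int((expiration - now).total_seconds())


# Constructed sample of what get-session-token prints; every value is fake.
SAMPLE_STS_RESPONSE = {"Credentials": {
    "AccessKeyId": "ASIAEXAMPLE000000001",
    "SecretAccessKey": "exampleSecretKey/NotReal",
    "SessionToken": "FwoGZXIvYXdzEExampleSessionToken==",
    "Expiration": "2019-05-03T14:33:00Z",
}}


def demo_write_mfa_profile():
    """Write the sample into a scratch credentials file that already has a
    [default] profile; return both profiles read back plus the expiry."""
    path = os.path.join(tempfile.mkdtemp(), "credentials")
    with open(path, "w") as fh:
        fh.write("[default]\naws_access_key_id = AKIAEXAMPLELONGTERM\n"
                 "aws_secret_access_key = long-term-secret\n")
    expiry = write_mfa_profile(SAMPLE_STS_RESPONSE, path)
    return {"default": read_profile(path, "default"),
            "mfa": read_profile(path, "mfa"),
            "expires": expiry.isoformat()}


if __name__ == "__main__":
    # Real use (hypothetical device ARN and code):
    #   creds = fetch_session_token("arn:aws:iam::123456789012:mfa/MY_USER", "123456")
    #   write_mfa_profile(creds, os.path.expanduser("~/.aws/credentials"))
    print(json.dumps(demo_write_mfa_profile(), indent=2))
```

Run with no arguments it only exercises the constructed sample in a scratch file. For real use call fetch_session_token with your MFA device ARN and the current code, then write_mfa_profile against ~/.aws/credentials, and run `aws ecr get-login --profile mfa`; repeat when seconds_until_expiry goes negative. The long-term keys stay in [default] untouched, and the file is set to 0600 because the session token is a live secret.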
8

I've found out that when 2FA is enabled there is no option to use `aws ecr get-login`; once I removed 2FA from my account I got the authorization token.

Y. Eliash
  • 1,090
  • 1
  • 11
  • 20
  • 1
    aws get-session-token can get a token from MFA - http://docs.aws.amazon.com/cli/latest/reference/sts/get-session-token.html – Sibelius Seraphini Mar 21 '17 at 12:00
  • 3
    If you have set up 2FA and used a custom aws profile in your local .aws/credentials file, you have to provide the name of the profile you want to use. In my case I have a profile named "mfa", so I have to add "--profile mfa" to almost every command. Or you can "export AWS_PROFILE=mfa" in your current shell. So, to run this command with a custom aws profile in my case: "aws ecr get-login --region eu-central-1 --no-include-email --profile mfa" - change "mfa" to your profile name – Thomas Fritz May 03 '19 at 13:33
8

Just as it appears in the error description, I have to allow the action "GetAuthorizationToken" in my policy.

    {
        "Sid": "VisualEditor2",
        "Effect": "Allow",
        "Action": "ecr:GetAuthorizationToken",
        "Resource": "*"
    }

Note: This is not my full policy but a subsection of Statement.

Adeel Ahmad
  • 1,511
  • 1
  • 15
  • 20
8

I ended up using AmazonEC2ContainerRegistryPowerUser as it seemed a better option than Full Access. Here are the policies I found as of June 2019: Container Registry Permissions

iheggie
  • 1,703
  • 19
  • 21
2

I had the same problem with ECS when I tried to push my container to the repository.

To solve it, I attached this to my IAM role: AmazonECS_FullAccess

Maxime
  • 303
  • 4
  • 15
1

This was my guy EC2InstanceProfileForImageBuilderECRContainerBuilds

Akongnwi Devert
  • 869
  • 10
  • 10
0

I had the same problem, but I had previously set a permission boundary limited to S3, and that caused the issue.

I removed the permission boundary, and it worked like a charm.

jeyanthinath
  • 841
  • 1
  • 10
  • 20
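
Both the policy-statement answer above (the Allow for ecr:GetAuthorizationToken on `*`) and this permission-boundary answer come down to how IAM combines the documents attached to the user. The following is an added example, not AWS code and not any answer in this thread: a simplified Python model of that evaluation (an explicit Deny wins, some identity policy must Allow, and a permissions boundary, if present, must also Allow) run over constructed policy documents. The documents are illustrative and are not the real text of the AWS managed policies; the account number and region in the ARNs are made up.

```python
"""Simplified model of the IAM decision behind the error in the question:
ecr:GetAuthorizationToken requested on resource "*".

Rules modelled (a subset of the real IAM logic, enough for this thread):
  1. an explicit Deny in any policy wins;
  2. otherwise some identity policy must Allow the action on the resource;
  3. if the user has a permissions boundary, the boundary must Allow it too.
NotAction/NotResource, Condition, SCPs and resource policies are left out.

Added example, not AWS code. The policy documents below are constructed
for illustration; they are not the managed policies' real documents.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM wildcard match: '*' any run of characters, '?' one character.
    Action names are case-insensitive; ARNs are compared as written."""
    for pattern in _as_list(patterns):
        if case_sensitive:
            if fnmatch.fnmatchcase(value, pattern):
                return True
        elif fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


def policy_decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(stmt.get("Action", []), action, case_sensitive=False):
            continue
        if not _matches(stmt.get("Resource", []), resource, case_sensitive=True):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny is final
        decision = "Allow"
    return decision


def is_authorized(action, resource, identity_policies, permissions_boundary=None):
    """Combine the user's attached/inline policies and an optional boundary."""
    decisions = [policy_decision(p, action, resource) for p in identity_policies]
    if "Deny" in decisions or "Allow" not in decisions:
        return False
    if permissions_boundary is not None:
        # A boundary grants nothing by itself; it caps what the identity
        # policies grant, so it must also say Allow.
        return policy_decision(permissions_boundary, action, resource) == "Allow"
    return True


# Constructed policy documents (illustrative, not the AWS managed policies).
ECR_LOGIN_AND_PULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
     "Resource": "arn:aws:ecr:eu-central-1:123456789012:repository/*"},
]}
# A common mistake: everything scoped to repository ARNs. GetAuthorizationToken
# is evaluated against resource "*" (it has no resource-level permissions),
# so this policy never matches it even though it grants ecr:*.
REPO_SCOPED_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:*",
     "Resource": "arn:aws:ecr:eu-central-1:123456789012:repository/*"},
]}
DENY_LOGIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
]}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}
S3_AND_ECR_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ecr:*"], "Resource": "*"},
]}

LOGIN = ("ecr:GetAuthorizationToken", "*")   # what `aws ecr get-login` calls


def evaluate_scenarios():
    """Run the thread's situations through the model; returns name -> allowed."""
    return {
        "no ecr policy attached": is_authorized(*LOGIN, []),
        "login+pull policy": is_authorized(*LOGIN, [ECR_LOGIN_AND_PULL]),
        "ecr:* but repository-scoped": is_authorized(*LOGIN, [REPO_SCOPED_ONLY]),
        "login+pull plus explicit deny": is_authorized(*LOGIN, [ECR_LOGIN_AND_PULL, DENY_LOGIN]),
        "login+pull, s3-only boundary": is_authorized(*LOGIN, [ECR_LOGIN_AND_PULL], S3_ONLY_BOUNDARY),
        "login+pull, boundary widened": is_authorized(*LOGIN, [ECR_LOGIN_AND_PULL], S3_AND_ECR_BOUNDARY),
    }


if __name__ == "__main__":
    for name, ok in evaluate_scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
```

The "ecr:* but repository-scoped" scenario is the one to note: get-login calls GetAuthorizationToken, which IAM evaluates against resource `*` because the action has no resource-level permissions, so a statement scoped to repository ARNs never matches it; that is what the `on resource: *` in the error message is telling you. The boundary scenarios reproduce this answer: a boundary that only mentions S3 silently caps an otherwise correct ECR policy, and widening the boundary (or removing it) restores the access.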
0

For me:

              - Effect: Allow
                Sid: VisualEditor2
                Action:
                  - ecr:GetAuthorizationToken
                  - ecr:BatchGetImage
                  - ecr:GetDownloadUrlForLayer
                Resource: "*"