Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

AWS ECR Access Denied Error: Troubleshooting 'ecr:GetAuthorizationToken' Issue in EKS

0

I encountered an issue with AWS ECR where I'm getting an "ecr:GetAuthorizationToken" access denied error.

I've created a service account on my EKS and attached a role with full access to ECR. The policy attached to the role includes the "ecr:GetAuthorizationToken" action.

Here's the format of my IAM role's trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::{ACC-ID}:oidc-provider/{OIDC URL}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "{OIDC URL}:sub": "system:serviceaccount:{NAMESPACE}:{SA-NAME}"
                }
            }
        }
    ]
}

However, when attempting to sign in to ECR from a pod, I'm encountering the following error:

Error: An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::{ACC-ID}:assumed-role/ecr-sa/botocore-session-1706359714 is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action Access denied

What could be causing this issue, and how can I resolve it?

Themen
BehälterSicherheit, Identität & Konformität
Tags
Amazon Elastischer Container-Registry (ECR)Amazon Elastic Kubernetes DienstIAM-Richtlinien
Sprache
English
Aswin
gefragt vor 3 Monaten538 Aufrufe
1 Antwort
2
Akzeptierte Antwort

Hi,

Your issue is probably not in the trust policy for the role but in the authorizations given to this role.

Have a look at https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html

You can use your Amazon ECR images with Amazon EKS, but you need to satisfy 
the following prerequisites.

For Amazon EKS workloads hosted on managed or self-managed nodes, the Amazon 
EKS worker node IAM role (NodeInstanceRole) is required. The Amazon EKS worker 
node IAM role must contain the following IAM policy permissions for Amazon ECR.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}

Best,

Didier

profile pictureAWS
EXPERTE
Didier_Durand
beantwortet vor 3 Monaten
profile picture
EXPERTE
Oleksii Bebych
überprüft vor 2 Monaten
profile picture
EXPERTE
Riku_Kobayashi
überprüft vor 3 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt