AWS ECR Access Denied Error: Troubleshooting 'ecr:GetAuthorizationToken' Issue in EKS

Question

I encountered an issue with AWS ECR where I'm getting an "ecr:GetAuthorizationToken" access denied error.

I've created a service account on my EKS and attached a role with full access to ECR. The policy attached to the role includes the "ecr:GetAuthorizationToken" action.

Here's the format of my IAM role's trust policy:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::{ACC-ID}:oidc-provider/{OIDC URL}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "{OIDC URL}:sub": "system:serviceaccount:{NAMESPACE}:{SA-NAME}"
                }
            }
        }
    ]
}

```

However, when attempting to sign in to ECR from a pod, I'm encountering the following error:

```
Error: An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::{ACC-ID}:assumed-role/ecr-sa/botocore-session-1706359714 is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action Access denied
```

What could be causing this issue, and how can I resolve it?

Accepted Answer

Hi,

Your issue is probably not in the trust policy for the role but in the authorizations given to this role.

Have a look at https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html

```
You can use your Amazon ECR images with Amazon EKS, but you need to satisfy 
the following prerequisites.

For Amazon EKS workloads hosted on managed or self-managed nodes, the Amazon 
EKS worker node IAM role (NodeInstanceRole) is required. The Amazon EKS worker 
node IAM role must contain the following IAM policy permissions for Amazon ECR.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}
```

Best,

Didier

AWS ECR Access Denied Error: Troubleshooting 'ecr:GetAuthorizationToken' Issue in EKS

관련 콘텐츠