AWS ECR Access Denied Error: Troubleshooting 'ecr:GetAuthorizationToken' Issue in EKS

0

I encountered an issue with AWS ECR where I'm getting an "ecr:GetAuthorizationToken" access denied error.

I've created a service account on my EKS and attached a role with full access to ECR. The policy attached to the role includes the "ecr:GetAuthorizationToken" action.

Here's the format of my IAM role's trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::{ACC-ID}:oidc-provider/{OIDC URL}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "{OIDC URL}:sub": "system:serviceaccount:{NAMESPACE}:{SA-NAME}"
                }
            }
        }
    ]
}

However, when attempting to sign in to ECR from a pod, I'm encountering the following error:

Error: An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::{ACC-ID}:assumed-role/ecr-sa/botocore-session-1706359714 is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action Access denied

What could be causing this issue, and how can I resolve it?

1개 답변
2
수락된 답변

Hi,

Your issue is probably not in the trust policy for the role but in the authorizations given to this role.

Have a look at https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html

You can use your Amazon ECR images with Amazon EKS, but you need to satisfy 
the following prerequisites.

For Amazon EKS workloads hosted on managed or self-managed nodes, the Amazon 
EKS worker node IAM role (NodeInstanceRole) is required. The Amazon EKS worker 
node IAM role must contain the following IAM policy permissions for Amazon ECR.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}

Best,

Didier

profile pictureAWS
전문가
답변함 4달 전
profile picture
전문가
검토됨 2달 전
profile picture
전문가
검토됨 4달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠