By using AWS re:Post, you agree to the AWS re:Post Terms of Use

aws ecr get-login-password not working when executed from userdata script on EC2 start up

1

I am having problems logging into ECR from Auto Scaling Group EC2 instance during startup from the EC2 userdata script. When aws ecr get-login-password command is executed the following error occurs.

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::123456789012:user/foo is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity- based policy allows the ecr:GetAuthorizationToken action

However, when I ssh into the instance the command works without error.

I have tried logging the results of the following commands in userdata script and after ssh

The above two command outputs are the same as the following.

  • information about the instance profile
  • name of the role of the instance profile

On the other hand the last command differ.

  • from userdata script: information on User: arn:aws:iam::123456789012:user/foo
  • from ssh connection: information about the role of the instance profile

Why does the caller identity differ?

I have checked the following post, but it seems unrelated to my problem. https://repost.aws/questions/QUch74vQWETwui4dFEPqnZBQ/not-able-to-use-iam-role-assigned-to-ec2-instance-at-startup

I have also tried repeatedly executing aws ecr get-login-password until it would work but would only do so indefinitely.

3 Answers
5

Hello,

Did you assign the necessary permissions directly to the EC2 IAM role or are you using a user profile to run AWS CLI commands?

If you haven’t already, you should attach the required permissions directly to the IAM role associated with the EC2 instance. So if you are using Auto Scaling Groups you can attach it to the role in the Launch Template.

Alternatively, I suggest considering ECS, if your goal with ECR is to run a container. ECS can handle containerization and scaling for you much more seamlessly.

Hope this helps! 😊

profile pictureAWS
answered 17 days ago
profile picture
EXPERT
reviewed 17 days ago
  • Thank you for the comment. I assume the necessary permissions are attached to the IAM role because it works when I connect to the instance using ssh. In my experience ECS is not desirable for applications which requires persistent connection. With Auto Scaling Group when a scale in event occurs the termination of the instance can be delayed using lifecycle hooks make sure all connections are drained. But I haven't found a good way to achieve that with ECS.

  • There are multiple ways to assign permissions in AWS, but since you noticed differences with the instance profile, it’s better to use the IAM role attached to the EC2 instance to grant the necessary permissions. Can you confirm that the permissions are attached to your EC2 role? As for ECS, it can integrate with an Auto Scaling Group. If you already have the desired behavior with ASG, you can link it to your ECS cluster. This way, you'll get the benefits of ECS for managing containers while keeping the scaling behavior you're comfortable with.

1

The issue you're experiencing is likely related to how the EC2 instance is obtaining its credentials during the user data script execution versus when you SSH into the instance later.

When your user data script runs during instance startup, it seems that the EC2 instance hasn't fully acquired its IAM role credentials yet. This is why you're seeing the "User: arn:aws:iam::123456789012:user/foo" in the aws sts get-caller-identity output, which appears to be using your personal IAM user credentials instead of the instance profile.

On the other hand, when you SSH into the instance later, the instance has had time to fully acquire its IAM role credentials, which is why the aws ecr get-login-password command works correctly at that point.

To resolve this issue, you can try the following approaches:

  1. Add a delay in your user data script before executing AWS CLI commands. This gives the instance more time to acquire its IAM role credentials. For example, you could add a sleep command for 10-15 seconds before running your AWS CLI commands.

  2. Use the EC2 instance metadata service to explicitly retrieve the temporary credentials for the IAM role. You can do this by querying the instance metadata endpoint for the security credentials. Then use these credentials to set the appropriate environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN) before running your AWS CLI commands.

  3. If possible, consider moving the ECR login process to a separate script that runs after the instance has fully started, rather than in the user data script. You could use a systemd service or a cron job to run this script a short time after the instance has booted.

By implementing one of these approaches, you should be able to ensure that your EC2 instance is using its assigned IAM role credentials when executing AWS CLI commands during startup.
Sources
Run commands when you launch an EC2 instance with user data input - Amazon Elastic Compute Cloud
Before You Begin - AMS Advanced Application Developer's Guide
Before You Begin - AMS Advanced Onboarding Guide
Access instance metadata for an EC2 instance - Amazon Elastic Compute Cloud

profile picture
answered 17 days ago
profile picture
EXPERT
reviewed 17 days ago
0
Accepted Answer

I was doing something stupid. I had to export env vars from a file and didn't care much what kind of variables were exported. It turns out there were aws credentials in env vars. it took me a while to find out but it wasn't by luck. As I was looking for the cause I found a helpful advice in finding my error.

The trick was to call a aws cli command with --debug flag. For example,

aws s3 --debug

Then if you carefully parse through the logs there will appear a section related to finding and obtaining aws credentials for executing the aws cli command. There I found that credentials were being picked up from environment variables.

I hope this helps.

answered 13 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions