I have an ECR in a prod account that I want to grant push access to from the dev role.
This is my current policy:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account:role/rolename",
          "arn:aws:sts::account:assumed-role/rolename/instance",
          "arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:PutLifecyclePolicy",
        "ecr:SetRepositoryPolicy",
        "ecr:StartLifecyclePolicyPreview",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
```
Running `aws sts get-caller-identity`, I can see I have the role checked out (`arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session`), but I do not have access to push.
I receive the following until timeout:

```
The push refers to repository [account.dkr.ecr.us-west-2.amazonaws.com/repo]
87e2ce75493a: Retrying in 4 seconds
```
My non-prod account does exist in us-east-1, but my login command specifies west:

```
task: [docker:ecr-login] aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin accpunt.dkr.ecr.us-west-2.amazonaws.com
```
Any ideas what may be my problem on this repo?

(This works with my production account, so the registry is valid.)

Also, this works when I use my dev account and allow the user IAM.
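As an added example (not part of the original question, and not AWS code), the script below performs offline consistency checks on a setup like the one described. The account id `123456789012`, the role name `rolename` and the session names are constructed placeholders. It checks three things: whether the caller ARN reported by `aws sts get-caller-identity` is covered by a principal in the repository policy (an IAM role ARN principal covers every session of that role, while an STS assumed-role ARN principal covers only that exact session name), whether the matching statements grant the five repository-level actions a `docker push` exercises, and whether the host handed to `docker login` is the registry that owns the repository URI.

```python
"""Offline checks for a cross-account ECR push setup (constructed example)."""
import fnmatch
import json
import re

# The repository-level actions a `docker push` exercises.
PUSH_ACTIONS = frozenset({
    "ecr:BatchCheckLayerAvailability",
    "ecr:CompleteLayerUpload",
    "ecr:InitiateLayerUpload",
    "ecr:PutImage",
    "ecr:UploadLayerPart",
})

_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
_IAM_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/([^/]+)$")
_REGISTRY_HOST = re.compile(r"^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com$")


def principal_matches(principal: str, caller_arn: str) -> bool:
    """Does a resource-policy principal cover the caller from sts get-caller-identity?

    An IAM role ARN covers every session of that role; an STS assumed-role ARN
    covers only the one session name it spells out.
    """
    if principal == "*" or principal == caller_arn:
        return True
    role = _IAM_ROLE.match(principal)
    session = _ASSUMED_ROLE.match(caller_arn)
    if role and session:
        return role.group(1) == session.group(1) and role.group(2) == session.group(2)
    return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def check_policy(policy: dict, caller_arn: str) -> dict:
    """Report whether caller_arn matches a principal and which push actions it lacks."""
    allowed, denied, matched = set(), set(), False
    for stmt in policy.get("Statement", []):
        if not any(principal_matches(p, caller_arn) for p in _statement_principals(stmt)):
            continue
        matched = True
        # Expand wildcards such as "ecr:*" against the push action set.
        covered = {a for a in PUSH_ACTIONS
                   for pattern in _as_list(stmt.get("Action", []))
                   if fnmatch.fnmatchcase(a, pattern)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(covered)
    granted = allowed - denied  # an explicit Deny always wins
    return {"principal_matched": matched,
            "missing_push_actions": sorted(PUSH_ACTIONS - granted)}


def check_login_target(login_host: str, repo_uri: str) -> dict:
    """Verify the host given to `docker login` is the registry that owns the repository."""
    repo_host = repo_uri.split("/", 1)[0]
    m = _REGISTRY_HOST.match(login_host)
    return {"valid_registry_host": m is not None,
            "same_registry": login_host == repo_host,
            "region": m.group(2) if m else None}


# Constructed sample policy; 123456789012 is a placeholder account id.
SAMPLE_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "AllowPushPull",
    "Effect": "Allow",
    "Principal": {"AWS": [
      "arn:aws:iam::123456789012:role/rolename",
      "arn:aws:sts::123456789012:assumed-role/rolename/AWSCLI-Session"
    ]},
    "Action": [
      "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:CompleteLayerUpload",
      "ecr:GetDownloadUrlForLayer", "ecr:InitiateLayerUpload", "ecr:PutImage",
      "ecr:UploadLayerPart"
    ]
  }]
}""")

if __name__ == "__main__":
    caller = "arn:aws:sts::123456789012:assumed-role/rolename/AWSCLI-Session"
    print(check_policy(SAMPLE_POLICY, caller))
    print(check_login_target("123456789012.dkr.ecr.us-west-2.amazonaws.com",
                             "123456789012.dkr.ecr.us-west-2.amazonaws.com/repo"))
```

The checks cover only the repository side. For a principal in another account, the pushing identity also needs an identity-based policy in its own account that allows the same ECR actions plus `ecr:GetAuthorizationToken` (which `get-login-password` uses and which is not a repository-level permission); a repository policy on its own is not sufficient across accounts.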