
Unable to push to ElasticContainerRegistry

0

Despite having a full-permission policy, the user gets blocked when pushing to the registry with:
User is not authorized to perform: ecr:InitiateLayerUpload

Permissions:
The user has the (managed) AmazonEC2ContainerRegistryFullAccess policy directly attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:*",
                "cloudtrail:LookupEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "replication.ecr.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Registry has this policy in place:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account>:user/<user>"
                ]
            },
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ]
        }
    ]
}

When attempting to push:

$ docker push <account>.dkr.ecr.us-east-2.amazonaws.com/myapp:latest

I get this response:

The push refers to repository [<account>.dkr.ecr.us-east-2.amazonaws.com/myapp]
e2eb06d8af82: Preparing
denied: User: arn:aws:iam::<account>:user/<user> is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-2:<account>:repository/myapp with an explicit deny

Edited by: ecruser on Sep 9, 2021 9:47 AM

asked 4 years ago · 3.5K views
1 Answer
0

The issue was due to an MFA policy. The user had to get a session token via command-line MFA login.

answered 4 years ago
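The clue in the error message is "with an explicit deny": a Deny statement somewhere in the effective policy set is matching, and in IAM an explicit deny overrides any Allow, including the ecr:* grant from AmazonEC2ContainerRegistryFullAccess. MFA-enforcement policies are typically written as a Deny on everything except a few actions, conditioned on aws:MultiFactorAuthPresent being absent or false, so long-term access keys (which carry no MFA context key) are denied while an STS session obtained with an MFA code is not. The following is an added illustration, not code from the question or the answer: a small, simplified IAM-style evaluator in Python that replays the scenario with the ecr:* allow from the question beside a hypothetical MFA deny policy of the shape AWS documents. The account id, the deny policy and the evaluator itself are constructed for the example; it only implements Action/NotAction, Resource wildcards and the Bool/BoolIfExists condition operators, which is enough to show why the push is refused before MFA and permitted after.

```python
import fnmatch
from typing import Any, Dict, List

# Constructed policies for the example (not taken from the page).
# ECR_FULL_ACCESS mirrors the ecr:* statement of AmazonEC2ContainerRegistryFullAccess;
# DENY_WITHOUT_MFA is a hypothetical MFA-enforcement policy of the shape AWS documents.
ECR_FULL_ACCESS: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecr:*", "cloudtrail:LookupEvents"], "Resource": "*"}
    ],
}

DENY_WITHOUT_MFA: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": ["iam:ListMFADevices", "sts:GetSessionToken"],
            "Resource": "*",
            # BoolIfExists: the key is absent for long-term access keys, which still counts as a match.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }
    ],
}

# Constructed repository ARN; 111122223333 is a placeholder account id.
REPO = "arn:aws:ecr:us-east-2:111122223333:repository/myapp"


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str) -> bool:
    # IAM wildcards (* and ?) map directly onto fnmatch semantics.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: Dict[str, Any], context: Dict[str, str]) -> bool:
    """Evaluate Bool / BoolIfExists condition blocks; context keys are lower-cased."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base != "Bool":
            raise NotImplementedError(f"operator {operator} not supported in this example")
        for key, expected in pairs.items():
            actual = context.get(key.lower())
            if actual is None:
                if if_exists:
                    continue  # missing key satisfies an ...IfExists operator
                return False
            if actual.lower() not in [str(e).lower() for e in _as_list(expected)]:
                return False
    return True


def _statement_applies(stmt: Dict[str, Any], action: str, resource: str, context: Dict[str, str]) -> bool:
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    if "Resource" in stmt and not _matches(stmt["Resource"], resource):
        return False
    if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
        return False
    return True


def evaluate(policies: List[Dict[str, Any]], action: str, resource: str, context: Dict[str, str]) -> str:
    """Simplified IAM decision: explicit deny wins, otherwise any allow, otherwise implicit deny."""
    ctx = {k.lower(): v for k, v in context.items()}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"


def push_decision(mfa_present: bool) -> str:
    """Decision for ecr:InitiateLayerUpload on the repository, with or without an MFA session."""
    ctx = {"aws:MultiFactorAuthPresent": "true"} if mfa_present else {}
    return evaluate([ECR_FULL_ACCESS, DENY_WITHOUT_MFA], "ecr:InitiateLayerUpload", REPO, ctx)


if __name__ == "__main__":
    print("long-term keys, no MFA :", push_decision(False))  # explicit deny
    print("MFA session token      :", push_decision(True))   # allow
```

Without the deny policy the same call returns "allow", which is why the question's own policies look sufficient. The real-world fix the answer describes is to mint an MFA-backed session with `aws sts get-session-token --serial-number <mfa-device-arn> --token-code <code>`, export the returned AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, and only then run `aws ecr get-login-password` and `docker push`. When diagnosing this class of error, note also that the deny policy deliberately leaves sts:GetSessionToken out of its scope, so the user can still obtain the token; checking which statement produced the explicit deny (IAM Access Analyzer's policy simulator or CloudTrail) is faster than re-reading the Allow side.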
