Hi,
Could you please confirm whether the account in use is a management or member account?
Based on the provided screenshot, it seems that you've logged in as a Root user into the AWS account and actions like ecr:GetRegistryScanningConfiguration, ecr:DescribeRepositories are blocked by Service control policies (SCPs). Service Control Policies (SCPs) are a form of organizational policy employed to manage permissions within the management account of your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles for the member accounts in your organization.
Primarily, it's recommended that you don't use the root user for your everyday tasks. [1] Probably the SCP is blocking you from performing the actions using the root user. I would strongly suggest creating an IAM user specifically for executing actions within the AWS account. [2] Also check your management account for the SCPs. [3]
The errors indicate that there are explicit deny statements in the SCPs that are preventing the IAM role or user from performing the ecr:GetRegistryScanningConfiguration and ecr:DescribeRepositories actions on the specified resources.
Error: Not authorized to perform ecr:GetRegistryScanningConfiguration on resource "*" with explicit deny on in Service Control Policy
This error suggests that there is an SCP in your AWS Organization that explicitly denies the ecr:GetRegistryScanningConfiguration permission for all ECR resources ("*").
Error: Not authorized to perform ecr:DescribeRepositories on resource " " with explicit deny on in Service Control Policy
Navigate to the AWS Organizations service in the AWS Management Console. Go to the "Policies" section and review the SCPs applied to your organization or the OU containing your account. Look for SCPs that have explicit deny statements related to the ecr:GetRegistryScanningConfiguration and ecr:DescribeRepositories permissions. Modify or remove the explicit deny statements. After modification, your SCP policy will look somewhat like the one below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetRegistryScanningConfiguration",
        "ecr:DescribeRepositories"
      ],
      "Resource": "*"
    }
  ]
}
If you don't have the necessary permissions to modify the SCPs directly, you'll need to follow your organization's process for requesting SCP changes.
Provide the details of the required changes, including the specific deny statements that need to be removed or modified, and the justification for the changes.
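A small checker for the review step described in this answer, added here as an example and not part of the original post: given an SCP document (a constructed sample below, not the asker's real policy), it reports which statements explicitly deny the two ECR actions, handling the string-or-list and wildcard forms IAM permits, and produces an edited copy with the offending patterns removed. It ignores Condition keys, and because an explicit Deny in any SCP between the organization root and the account wins over every Allow, each SCP along that path needs to be checked, not just one.

```python
import fnmatch
import json

# Constructed sample SCP (not the asker's real policy); the second statement is the kind of explicit Deny that causes the quoted errors.
SAMPLE_SCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyEcrScanConfig", "Effect": "Deny", "Resource": "*",
     "Action": ["ecr:GetRegistryScanningConfiguration", "ecr:Describe*"]},
    {"Sid": "DenyS3Delete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]})

def _as_list(value):
    """Statement/Action/NotAction may be a string, dict or list; normalise to a list."""
    return [] if value is None else [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def statement_denies(stmt, action):
    """True if one statement is an explicit Deny covering `action` (Conditions ignored)."""
    if stmt.get("Effect") != "Deny":
        return False
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    # Deny + NotAction denies everything *except* the listed actions.
    return not any(_matches(p, action) for p in _as_list(stmt.get("NotAction")))

def find_explicit_denies(policy_json, actions):
    """Map each action to the Sids (or positions) of statements that explicitly deny it."""
    hits = {a: [] for a in actions}
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        for action in actions:
            if statement_denies(stmt, action):
                hits[action].append(stmt.get("Sid", f"Statement[{i}]"))
    return hits

def remove_denies_for(policy_json, actions):
    """Drop every Action pattern covering `actions` from Deny statements. Dropping a wildcard
    like ecr:Describe* also lifts the Deny for everything else it covered; empty statements go."""
    policy = json.loads(policy_json)
    kept = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Deny" and "Action" in stmt:
            remaining = [p for p in _as_list(stmt["Action"])
                         if not any(_matches(p, a) for a in actions)]
            if not remaining:
                continue
            stmt = dict(stmt, Action=remaining)
        kept.append(stmt)
    return json.dumps(dict(policy, Statement=kept), indent=2)
```

To run it against a real SCP, fetch the policy content with `aws organizations describe-policy` and pass the JSON string in place of SAMPLE_SCP.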
Thanks Siveraman. This was really helpful and I have figured it out already.