I can't access all my private repositories in my ECR

0

I just had to log in today and I found out that I couldn't find all the private repositories I have in ECR. I can't even create new repos either. Please, what can I do? Thanks

ECR

2 Answers
1
Accepted Answer

Hi,

Could you please confirm whether the account in use is a management or member account?

Based on the provided screenshot, it seems that you've logged in as a root user into the AWS account, and actions like ecr:GetRegistryScanningConfiguration and ecr:DescribeRepositories are blocked by service control policies (SCPs). Service control policies (SCPs) are a form of organizational policy employed to manage permissions within the management account of your organization. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles for the member accounts in your organization.

Primarily, it's recommended that you don't use the root user for your everyday tasks. [1] Probably the SCP is blocking you from performing the actions using the root user. I would strongly suggest creating an IAM user specifically for executing actions within the AWS account. [2] Also check your management account for the SCPs. [3]

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console
  3. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html#create-an-scp
answered 15 days ago
  • Thanks Siveraman. This was really helpful and I have figured it out already.

0

The errors indicate that there are explicit deny statements in the SCPs that are preventing the IAM role or user from performing the ecr:GetRegistryScanningConfiguration and ecr:DescribeRepositories actions on the specified resources.

Error: Not authorized to perform ecr:GetRegistryScanningConfiguration on resource "*" with explicit deny on in Service Control Policy

This error suggests that there is an SCP in your AWS Organization that explicitly denies the ecr:GetRegistryScanningConfiguration permission for all ECR resources ("*").

Error: Not authorized to perform ecr:DescribeRepositories on resource " " with explicit deny on in Service Control Policy

Navigate to the AWS Organizations service in the AWS Management Console. Go to the "Policies" section and review the SCPs applied to your organization or the OU containing your account. Look for SCPs that have explicit deny statements related to the ecr:GetRegistryScanningConfiguration and ecr:DescribeRepositories permissions.

Modify or remove the explicit deny statements. After modification, your SCP policy will look somewhat like the one below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetRegistryScanningConfiguration",
        "ecr:DescribeRepositories"
      ],
      "Resource": "*"
    }
  ]
}

If you don't have the necessary permissions to modify the SCPs directly, you'll need to follow your organization's process for requesting SCP changes.

Provide the details of the required changes, including the specific deny statements that need to be removed or modified, and the justification for the changes.

AWS
answered 13 days ago
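
As an added example (not part of either answer, and not AWS code): a small Python check for the "look for explicit deny statements" step, run over SCP documents you have already exported as JSON. It also catches wildcard and NotAction denies, which a text search for the two action names would miss. The policy names and JSON in `SAMPLE_SCPS` are constructed, and `Resource` and `Condition` contents are not evaluated.

```python
import json
import re

# Actions named in the error messages on this page.
BLOCKED = ["ecr:GetRegistryScanningConfiguration", "ecr:DescribeRepositories"]

# Constructed sample SCPs (hypothetical names and contents), keyed by policy name.
SAMPLE_SCPS = {
    "FullAWSAccess": '{"Version":"2012-10-17","Statement":'
                     '[{"Effect":"Allow","Action":"*","Resource":"*"}]}',
    "deny-ecr-reads": '{"Version":"2012-10-17","Statement":[{"Sid":"DenyEcrReads",'
                      '"Effect":"Deny","Action":["ecr:Describe*","ecr:Get*"],"Resource":"*"}]}',
    "service-allowlist": '{"Version":"2012-10-17","Statement":{"Sid":"DenyOutsideAllowlist",'
                         '"Effect":"Deny","NotAction":["s3:*","ec2:*"],"Resource":"*",'
                         '"Condition":{"StringNotEquals":{"aws:RequestedRegion":["eu-west-1"]}}}}',
}

def _as_list(value):
    # Policy elements may be a single value or a list of values.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Action patterns are case-insensitive; '*' matches any run, '?' one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def find_denies(policy_name, policy_json, actions=BLOCKED):
    """Return (policy, sid, action, has_condition) for every Deny covering an action."""
    hits = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in actions:
            if "NotAction" in stmt:  # denies everything except the listed patterns
                covered = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
            else:
                covered = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
            if covered:
                hits.append((policy_name, sid, action, "Condition" in stmt))
    return hits

def scan(scps):
    return [hit for name, doc in scps.items() for hit in find_denies(name, doc)]

if __name__ == "__main__":
    for policy, sid, action, conditional in scan(SAMPLE_SCPS):
        note = " (conditional, review the Condition block)" if conditional else ""
        print(f"{policy}/{sid} denies {action}{note}")
```
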
