AWS ECR allow roles from secondary account

I have an ECR in a prod account that I want to grant push access to from the dev role. This is my current policy:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account:role/rolename",
          "arn:aws:sts::account:assumed-role/rolename/instance",
          "arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:PutLifecyclePolicy",
        "ecr:SetRepositoryPolicy",
        "ecr:StartLifecyclePolicyPreview",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
```

Running `aws sts get-caller-identity` I can see I have the role checked out, "arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session", but I do not have access to push. I receive the following until timeout:

> The push refers to repository []
> 87e2ce75493a: Retrying in 4 seconds

My non-prod account does exist in us-east-1, but my login command specifies west:

```
task: [docker:ecr-login] aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin
```

Any ideas what may be my problem on this repo? (This works with my production account, so the registry is valid.) Also, this works when I use my dev account and allow the user IAM.
asked 2 months ago
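The cross-account rule behind this question, as an added example that is not code from the post or from AWS: a simplified model of how an ECR repository policy and the calling role's own identity policy combine, using constructed account IDs, role name and repository name.

```python
import fnmatch
import re

# Constructed sample values (not from the question): the dev account 111111111111
# holds the pushing role, the prod account 222222222222 owns the repository.
PROD_REPO = "arn:aws:ecr:us-west-2:222222222222:repository/app"
DEV_SESSION = "arn:aws:sts::111111111111:assumed-role/deployer/AWSCLI-Session"

# Repository (resource-based) policy in the prod account, shaped like the question's.
REPO_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Sid": "AllowPushPull", "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:role/deployer"]},
    "Action": ["ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload",
               "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart"]}]}

# Identity-based policy on the dev role. GetAuthorizationToken is registry-level and
# can only come from an identity policy; the second statement is what a
# cross-account push additionally needs on top of the repository policy.
DEV_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Action": "ecr:*", "Resource": PROD_REPO}]}

def as_list(x):
    return [x] if isinstance(x, str) else list(x)

def account_of(arn):
    return arn.split(":")[4]

def role_arn_of(caller_arn):
    """An STS assumed-role session is also matched by its underlying IAM role ARN."""
    m = re.match(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/", caller_arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else caller_arn

def glob_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in as_list(patterns))

def principal_matches(principal, caller_arn):
    arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else as_list(principal)
    return any(p in ("*", caller_arn, role_arn_of(caller_arn)) for p in arns)

def repo_policy_allows(policy, caller_arn, action):
    return any(s["Effect"] == "Allow" and principal_matches(s["Principal"], caller_arn)
               and glob_any(s["Action"], action) for s in policy["Statement"])

def identity_policy_allows(policy, action, resource):
    return any(s["Effect"] == "Allow" and glob_any(s["Action"], action)
               and glob_any(s["Resource"], resource) for s in policy["Statement"])

def push_allowed(repo_policy, identity_policy, caller_arn, repo_arn, action="ecr:PutImage"):
    # Simplified IAM evaluation (no Deny or Condition): within one account either
    # policy suffices; across accounts BOTH the repository and identity policy must allow.
    by_repo = repo_policy_allows(repo_policy, caller_arn, action)
    by_identity = identity_policy_allows(identity_policy, action, repo_arn)
    same_account = account_of(caller_arn) == account_of(repo_arn)
    return (by_repo or by_identity) if same_account else (by_repo and by_identity)
```

With only the `GetAuthorizationToken` statement on the dev role, `push_allowed` returns False for the cross-account session even though the repository policy names the role, which is the situation to check first when a repository policy alone does not unlock pushes from another account.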