I am trying to push a Docker image to AWS ECR. I am using my root user (I know that it's not recommended).
I created an access key/secret on my local machine. Then I used this command to push it (copied from ECR):
sudo aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin xxxxxx.xxxxxx.ecr.us-east-1.amazonaws.com
But I keep getting this error!
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::5555555555555:assumed-role/AmazonEC2RunCommandRoleForManagedInstances/mi-08d61ab572732fec4 is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
I’ve seen similar posts saying that it’s because of the 2FA. I deactivated it, but nothing changed.
2 Answers
My problem was due to the sudo command. I just changed the permissions of the docker file like:
And everything started working.
The clue is in the error message: an AWS role with the name `AmazonEC2RunCommandRoleForManagedInstances` does not have `ecr:GetAuthorizationToken` permissions. Your user permissions do not come into play (you mentioned disabling 2FA; you can enable that again): it is the machine you are on that is automatically supplying AWS credentials to the AWS CLI, via the medium of an IAM role. You have a number of options:

1. Give the `AmazonEC2RunCommandRoleForManagedInstances` role explicit `ecr:GetAuthorizationToken` rights; you would have to create this policy yourself.
2. Attaching `AmazonEC2ContainerRegistryPowerUser` would work. Caveat: all other machines using the `AmazonEC2ContainerRegistryPowerUser` IAM role will get the same rights. You can mitigate that by creating a custom role for `mi-08d61ab572732fec4` and granting that new role the new rights.
3. Set the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables in the shell of your machine; see these instructions.

One of these 3 options should do, as they involve little administrative effort, though there are others.
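The two answers together explain the failure: under `sudo` the CLI typically runs with root's HOME, so the access key in the user's `~/.aws/credentials` is never read and the credential chain falls through to the instance-metadata role named in the error. The script below is an added example, written for this page and not taken from the question or either answer. It parses an `AccessDeniedException` message to show which principal actually made the call (an `assumed-role/` ARN means role credentials, not the user's key), and emits a least-privilege policy for pushing to a single repository, which is the narrower alternative to attaching `AmazonEC2ContainerRegistryPowerUser`. The helper names are hypothetical, the sample message is the one from the question, and `ecr_login` is only defined, since it needs the real AWS CLI and Docker.

```shell
#!/usr/bin/env bash
# Added example; not code from the question or the answers.
# Helper names (ecr_*) are hypothetical. POSIX sh compatible.

# Extract the IAM principal ARN from an AccessDeniedException message.
ecr_denied_principal() {
  printf '%s\n' "$1" | sed -n 's/.*User: \(arn:aws:[^ ]*\) is not authorized.*/\1/p'
}

# Extract the denied action, e.g. ecr:GetAuthorizationToken.
ecr_denied_action() {
  printf '%s\n' "$1" | sed -n 's/.*not authorized to perform: \([^ ]*\) on.*/\1/p'
}

# Classify the credential source. "assumed-role/" in an sts ARN means the CLI
# used role credentials (instance profile / SSM managed-instance role), not the
# access key configured for your login user. Prints: role | user | unknown
ecr_credential_source() {
  case "$(ecr_denied_principal "$1")" in
    arn:aws:sts::*:assumed-role/*) echo role ;;
    arn:aws:iam::*:user/*)         echo user ;;
    *)                             echo unknown ;;
  esac
}

# Role name from arn:aws:sts::ACCOUNT:assumed-role/NAME/SESSION
ecr_role_name() {
  arn=$(ecr_denied_principal "$1")
  arn=${arn#*:assumed-role/}
  printf '%s\n' "${arn%%/*}"
}

# Least-privilege policy for pushing to ONE repository. GetAuthorizationToken
# only supports Resource "*"; the upload/put actions are scoped to the repo ARN.
ecr_push_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "EcrLogin", "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken", "Resource": "*" },
    { "Sid": "EcrPushOneRepo", "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "$1" }
  ]
}
EOF
}

# Log in WITHOUT sudo so the caller's own credentials are used.
# Usage: ecr_login us-east-1 123456789012.dkr.ecr.us-east-1.amazonaws.com
# (Defined only; requires the real AWS CLI and Docker.)
ecr_login() {
  aws ecr get-login-password --region "$1" | docker login --username AWS --password-stdin "$2"
}

# Constructed sample: the message from the question above.
SAMPLE_ERROR='An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::5555555555555:assumed-role/AmazonEC2RunCommandRoleForManagedInstances/mi-08d61ab572732fec4 is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action'

if [ "$(ecr_credential_source "$SAMPLE_ERROR")" = role ]; then
  echo "Call was made with role $(ecr_role_name "$SAMPLE_ERROR"), not your access key."
  echo "Drop sudo (or run 'aws sts get-caller-identity' to confirm), or attach this policy to the role:"
  ecr_push_policy "arn:aws:ecr:us-east-1:5555555555555:repository/my-app"
fi
```

Before changing any IAM policy, run `aws sts get-caller-identity` both with and without `sudo`: if the two print different ARNs, the fix is the one from the first answer (stop invoking the CLI under `sudo`), and the role needs no extra rights at all.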