
I am trying to push a docker image to AWS ECR. I am using my root user (I know that it’s not recommended).

I created an access key/secret on my local machine. Then I used this command to push it (copied from ECR):

sudo aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin xxxxxx.xxxxxx.ecr.us-east-1.amazonaws.com

But I keep getting this error!

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::5555555555555:assumed-role/AmazonEC2RunCommandRoleForManagedInstances/mi-08d61ab572732fec4 is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action

I’ve seen similar posts saying that it’s because of the 2FA. I deactivated it, but nothing changed.

2 Answers


  1. Chosen as BEST ANSWER

    My problem was due to the SUDO command. I just changed the permissions of the docker file like:

    sudo chmod 666 /var/run/docker.sock
    

    And everything started working.
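    Added example, not part of the answer above: the pipeline from the question with `sudo` moved to the half that actually needs it. `sudo aws ...` runs the CLI as root, so root's credential chain is consulted rather than the key configured for your own user, and on an SSM-managed host that chain resolves to the instance's role (the `assumed-role/...` principal in the error). Running `aws ecr get-login-password` as yourself and `sudo docker login` as root avoids that without making the Docker socket world-writable. Account ID, region and repository name are placeholders; the script only calls `aws`/`docker` when `ECR_ACCOUNT` is set, so it can be sourced or tested offline.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes AWS CLI v2 and Docker are
# installed and that an access key is configured for the *invoking* user.
# ECR_ACCOUNT / ECR_REGION / myrepo / myimage are placeholders.

# Build the ECR registry hostname: <account>.dkr.ecr.<region>.amazonaws.com
ecr_registry() {
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Classify a caller-identity ARN so the two credential chains can be compared:
# an "assumed-role" answer under sudo is the situation from the question.
classify_identity() {
  case "$1" in
    arn:aws:sts::*:assumed-role/*) echo assumed-role ;;
    arn:aws:iam::*:user/*)         echo iam-user ;;
    arn:aws:iam::*:root)           echo account-root ;;
    *)                             echo unknown ;;
  esac
}

# Print which principal the CLI resolves to with and without sudo.
show_identities() {
  echo "as $(id -un):  $(aws sts get-caller-identity --query Arn --output text)"
  echo "as root:       $(sudo aws sts get-caller-identity --query Arn --output text)"
}

# Correct placement of sudo: the AWS CLI runs as the invoking user and reads
# that user's credentials; only the docker client needs root for the socket.
ecr_login() {
  region=$1; registry=$2
  aws ecr get-login-password --region "$region" \
    | sudo docker login --username AWS --password-stdin "$registry"
}

# Usage: runs only when ECR_ACCOUNT is set, so sourcing this file is side-effect free.
if [ -n "${ECR_ACCOUNT:-}" ]; then
  REGION=${ECR_REGION:-us-east-1}
  REGISTRY=$(ecr_registry "$ECR_ACCOUNT" "$REGION")
  show_identities
  ecr_login "$REGION" "$REGISTRY"
  sudo docker tag myimage:latest "$REGISTRY/myrepo:latest"
  sudo docker push "$REGISTRY/myrepo:latest"
fi
```

    If you would rather drop `sudo` entirely, `sudo usermod -aG docker "$USER"` (then log out and back in) is the usual route. Keep in mind that membership of the docker group is root-equivalent on the host, and a `chmod 666` on `/var/run/docker.sock` hands that same root-equivalent access to every local account, not just yours.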


  2. The clue is in the error message: an AWS role with the name AmazonEC2RunCommandRoleForManagedInstances does not have ecr:GetAuthorizationToken permissions. Your user permissions do not come into play – you mentioned disabling 2FA, you can enable that again – it is the machine you are on that's automatically supplying AWS credentials to the AWS CLI, via an IAM role. You have a number of options:

    1. Attach an inline or customer managed IAM policy granting the AmazonEC2RunCommandRoleForManagedInstances role explicit ecr:GetAuthorizationToken rights; you would have to create this policy yourself
    2. Attach one of the AWS managed policies, i.e. AmazonEC2ContainerRegistryPowerUser would work. Caveat: all other machines using the AmazonEC2ContainerRegistryPowerUser IAM role will get the same rights. You can mitigate that by creating a custom role for mi-08d61ab572732fec4 and granting that new role the new rights
    3. If you want to use your own credentials, then set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables in the shell of your machine; see these instructions

    One of these 3 options should do as they involve little administrative effort, though there are others.

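    Added example, not part of the answer above, covering options 1 and 2: an inline policy for the role named in the error message that grants only what a push to one repository needs. ecr:GetAuthorizationToken has to be granted on "*" (ECR does not scope that action to a repository), but the layer upload and PutImage actions are scoped to a single repository ARN, so every other host that shares the role gets a login token and nothing else. The managed AmazonEC2ContainerRegistryPowerUser policy, by contrast, grants push and pull on every repository in the account. Account ID, region and repository name are placeholders; `aws iam put-role-policy` is only called when `ECR_ACCOUNT` is set.

```shell
#!/bin/sh
# Added example (not from the original answer). The role name is the one from
# the error message; ECR_ACCOUNT / ECR_REGION / ECR_REPO are placeholders.

# Emit a least-privilege inline policy for pushing to ONE repository.
ecr_push_policy() {
  account=$1; region=$2; repo=$3
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "EcrPushOneRepo",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "arn:aws:ecr:${region}:${account}:repository/${repo}"
    }
  ]
}
EOF
}

# Review helper: number of statements whose Resource is "*" (read from stdin).
# For this policy the answer should be exactly 1, the unavoidable login statement.
count_wildcard_resources() {
  grep -c '"Resource": "\*"'
}

# Attach the policy inline to the managed-instance role (option 1 in the answer).
attach_push_policy() {
  role=$1; account=$2; region=$3; repo=$4
  tmp=$(mktemp) || return 1
  ecr_push_policy "$account" "$region" "$repo" > "$tmp"
  aws iam put-role-policy \
    --role-name "$role" \
    --policy-name "EcrPushOneRepo" \
    --policy-document "file://$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: runs only when ECR_ACCOUNT is set.
if [ -n "${ECR_ACCOUNT:-}" ]; then
  attach_push_policy AmazonEC2RunCommandRoleForManagedInstances \
    "$ECR_ACCOUNT" "${ECR_REGION:-us-east-1}" "${ECR_REPO:-myrepo}"
fi
```

    If the host should not share push rights with every other managed instance at all, create a separate role for this instance (the mitigation in option 2) and attach the same policy there instead; the policy body does not change.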