I am trying to have CodeBuild in account A push an image to an ECR repository in account B, but I am getting a permissions issue.
I have the following policy in account B:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ecr:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
And a role ecrManager in account B with that policy attached and the following trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountA:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
I then have, in account A, the role used by CodeBuild with the following policy statement:
{
  "Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::accountB:role/ecrManager"
},
But when I run CodeBuild, I get the following error in CloudTrail:
"errorMessage": "User: arn:aws:sts::accountA:assumed-role/CodeBuild-CodeBuildServiceRole-1RHFVAD5WW6J4/AWSCodeBuild-b7487523-7e3a-4219-bee7-08e6e40a3f21 is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:ca-central-1:accountB:repository/demo because no resource-based policy allows the ecr:InitiateLayerUpload action"
What did I do wrong here?
Thank you!
2 Answers
So the problem was that I was not assuming the role in the CodeBuild script. This AWS tutorial explains nicely how it should have been done:
https://aws.amazon.com/premiumsupport/knowledge-center/codebuild-temporary-credentials-docker/
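The build step the accepted answer describes, as an added example that is not code from the original post or from the linked AWS article. It assumes the account B role from inside CodeBuild, exports the temporary credentials, and only then logs in to and pushes to account B's registry. The account id 111111111111, the image name demo:latest and the RUN_PUSH switch are hypothetical placeholders; the region and role name come from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the linked AWS article).
# Assumed placeholders: ACCOUNT_B_ID=111111111111, image "demo:latest", RUN_PUSH.
set -eu

ACCOUNT_B_ID="${ACCOUNT_B_ID:-111111111111}"   # hypothetical account id for account B
AWS_REGION="${AWS_REGION:-ca-central-1}"        # region seen in the CloudTrail error
ROLE_ARN="arn:aws:iam::${ACCOUNT_B_ID}:role/ecrManager"
REPO_NAME="${REPO_NAME:-demo}"
IMAGE_TAG="${IMAGE_TAG:-latest}"

# Registry host for an account/region pair (ECR's fixed naming scheme).
ecr_registry() {
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Export temporary credentials from the single text line that
#   aws sts assume-role ... --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# prints: three whitespace-separated fields. Malformed output is rejected so the
# build fails here instead of silently continuing as the CodeBuild service role.
export_assumed_creds() {
  set -- $1                                    # split the line into fields
  [ "$#" -eq 3 ] || return 1
  case "$1" in ASIA*) ;; *) return 1 ;; esac   # STS temporary keys start with ASIA
  AWS_ACCESS_KEY_ID=$1
  AWS_SECRET_ACCESS_KEY=$2
  AWS_SESSION_TOKEN=$3
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Until the role is assumed, every AWS call runs as the CodeBuild service role in
# account A, which is exactly the principal CloudTrail reported as not authorized
# on account B's repository.
push_cross_account() {
  creds=$(aws sts assume-role \
      --role-arn "$ROLE_ARN" \
      --role-session-name "codebuild-ecr-push" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text)
  export_assumed_creds "$creds"

  registry=$(ecr_registry "$ACCOUNT_B_ID" "$AWS_REGION")
  # get-login-password now runs with account B credentials, so the token it
  # returns is for account B's registry.
  aws ecr get-login-password --region "$AWS_REGION" \
    | docker login --username AWS --password-stdin "$registry"

  docker build -t "$REPO_NAME:$IMAGE_TAG" .
  docker tag "$REPO_NAME:$IMAGE_TAG" "$registry/$REPO_NAME:$IMAGE_TAG"
  docker push "$registry/$REPO_NAME:$IMAGE_TAG"
}

# Only push when invoked from the buildspec with RUN_PUSH=1; sourcing the file
# elsewhere just defines the functions.
if [ "${RUN_PUSH:-0}" = 1 ]; then
  push_cross_account
fi
```

In the buildspec this runs as a single build command, for example `RUN_PUSH=1 sh push.sh`. Two things worth tightening relative to the policies in the question: the ecrManager role only needs the push-side ECR actions on the one repository rather than `ecr:*` on `*`, and its trust policy can name the CodeBuild service role's ARN instead of the whole account A root so that no other principal in account A can assume it.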
The resource-based policy needs to be updated
from
to
Here is a blog on how to create a cross-account access role:
https://dev.to/kasukur/how-to-delegate-access-across-aws-accounts-using-iam-roles-43ej
Could you please try this and let me know if it doesn’t work.