ECR Access Issues
Issue - 1
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::211125309326:assumed-role/codebuild-bh-audit-api-ci-pipeline-service-role/AWSCodeBuild-90af0e84-ac09-4a20-9c79-b3d6a7067d4c is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
- Identify the IAM Role:
  - Go to the IAM console in your AWS account.
  - Locate the IAM role: codebuild-bh-audit-api-ci-pipeline-service-role.
- Edit the Role's Policy:
  - Edit the attached policy to include permissions for ecr:GetAuthorizationToken. This action is not scoped to a repository, so its Resource must be `*`; pinning it to a repository ARN does not work.
- Add the Following Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
```

- Review and Save:
  - After adding the necessary permissions, review the policy to ensure it meets your security requirements, and then save the changes.

By adding the ecr:GetAuthorizationToken permission to the IAM role, your AWS CodeBuild project will be able to authenticate with Amazon ECR (the docker login step) during the build without encountering the AccessDeniedException error. The token only authenticates the role; pulling and pushing images need additional, repository-scoped ECR actions, and each one missing from the policy surfaces as its own denial (Issues 2 and 3 below are the next two).
Remember to follow the principle of least privilege when assigning permissions, granting only the permissions necessary for the specific actions required by your CodeBuild project.
Issue - 2
denied: User: arn:aws:sts::211125309326:assumed-role/codebuild-bh-audit-api-ci-pipeline-service-role/AWSCodeBuild-367d758e-3bd6-459c-9714-09e884f5702f is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-1:211125309326:repository/bighammer/bhauditapi because no identity-based policy allows the ecr:InitiateLayerUpload action.
- Identify the IAM Role:
  - Go to the IAM console in your AWS account.
  - Locate the IAM role: codebuild-bh-audit-api-ci-pipeline-service-role.
- Edit the Role's Policy:
  - Edit the attached policy to include permissions for ecr:InitiateLayerUpload on the specified ECR repository. Unlike GetAuthorizationToken, this action is resource-scoped, so use the repository ARN reported in the error rather than `*`.
- Add the Following Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecr:InitiateLayerUpload",
      "Resource": "arn:aws:ecr:us-east-1:211125309326:repository/bighammer/bhauditapi"
    }
  ]
}
```

InitiateLayerUpload is only the first repository-scoped call that docker push makes. UploadLayerPart, CompleteLayerUpload, BatchCheckLayerAvailability and PutImage follow on the same repository, and each one missing from the policy fails with the same kind of denial, so it is quicker to grant the whole set on the repository ARN at once than to fix one action per failed build.
Issue - 3
denied: User: arn:aws:sts::211125309326:assumed-role/codebuild-bh-audit-api-ci-pipeline-service-role/AWSCodeBuild-33d92746-1376-43b6-9386-24e7ffca5828 is not authorized to perform: ecr:UploadLayerPart on resource: arn:aws:ecr:us-east-1:211125309326:repository/bhauditapi because no identity-based policy allows the ecr:UploadLayerPart action.
- Identify the IAM Role:
  - Go to the IAM console in your AWS account.
  - Locate the IAM role: codebuild-bh-audit-api-ci-pipeline-service-role.
- Edit the Role's Policy:
  - Edit the attached policy to include permissions for ecr:UploadLayerPart on the specific ECR repository. Note that this denial names repository/bhauditapi, not repository/bighammer/bhauditapi as in Issue 2; the policy must list each repository ARN exactly as the build pushes to it, so check which repository names the buildspec actually tags before adding the statement.
- Add the Following Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecr:UploadLayerPart",
      "Resource": "arn:aws:ecr:us-east-1:211125309326:repository/bhauditapi"
    }
  ]
}
```
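The three issues above are one procedure applied one denied action at a time. As an added example (not part of the original notes and not an AWS tool), the Python below parses the three denial messages quoted above, builds a single least-privilege policy that grants ecr:GetAuthorizationToken on `*` plus the repository-scoped push actions on the repositories the errors name, and then checks with a simplified evaluator that every denied call would now be allowed. The denial strings are embedded as sample input copied from this page; `PUSH_ACTIONS` is the standard set of actions docker push needs; the evaluator models Allow statements and IAM wildcards only (no Deny statements, conditions or repository policies), which is enough for the identity-policy case these errors report.

```python
"""Derive one least-privilege ECR push policy from AccessDenied messages.

Added example for this page; not AWS tooling and not the original author's code.
"""
import fnmatch
import json
import re

# Sample input: the denial messages from Issues 1-3 above, embedded so the
# example runs offline (nothing here talks to AWS).
DENIALS = [
    "An error occurred (AccessDeniedException) when calling the GetAuthorizationToken "
    "operation: User: arn:aws:sts::211125309326:assumed-role/"
    "codebuild-bh-audit-api-ci-pipeline-service-role/AWSCodeBuild-90af0e84-ac09-4a20-9c79-b3d6a7067d4c "
    "is not authorized to perform: ecr:GetAuthorizationToken on resource: * "
    "because no identity-based policy allows the ecr:GetAuthorizationToken action",
    "denied: User: arn:aws:sts::211125309326:assumed-role/"
    "codebuild-bh-audit-api-ci-pipeline-service-role/AWSCodeBuild-367d758e-3bd6-459c-9714-09e884f5702f "
    "is not authorized to perform: ecr:InitiateLayerUpload on resource: "
    "arn:aws:ecr:us-east-1:211125309326:repository/bighammer/bhauditapi "
    "because no identity-based policy allows the ecr:InitiateLayerUpload action.",
    "denied: User: arn:aws:sts::211125309326:assumed-role/"
    "codebuild-bh-audit-api-ci-pipeline-service-role/AWSCodeBuild-33d92746-1376-43b6-9386-24e7ffca5828 "
    "is not authorized to perform: ecr:UploadLayerPart on resource: "
    "arn:aws:ecr:us-east-1:211125309326:repository/bhauditapi "
    "because no identity-based policy allows the ecr:UploadLayerPart action.",
]

# IAM access-denied messages share this "User: ... perform: ... on resource: ..." shape.
DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)

# Repository-scoped actions docker push issues after the registry login.
PUSH_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]


def parse_denial(message):
    """Return (principal, action, resource) from an IAM access-denied message."""
    m = DENIAL_RE.search(message)
    if not m:
        raise ValueError("not an IAM access-denied message: %r" % message)
    return m.group("principal"), m.group("action"), m.group("resource")


def build_push_policy(repository_arns):
    """Least-privilege push policy: GetAuthorizationToken is not resource-scoped
    and must use "*"; every layer/manifest action is pinned to the repository ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Effect": "Allow", "Action": PUSH_ACTIONS, "Resource": sorted(set(repository_arns))},
        ],
    }


def policy_allows(policy, action, resource):
    """Simplified identity-policy check: True if any Allow statement's Action and
    Resource patterns match (IAM "*" wildcard semantics via fnmatch).
    Deny statements and Condition blocks are deliberately not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and any(
            fnmatch.fnmatchcase(resource, r) for r in resources
        ):
            return True
    return False


def policy_from_denials(messages):
    """Build one policy covering every repository named in the denials and report
    any denied call the policy still would not allow."""
    parsed = [parse_denial(m) for m in messages]
    repos = [res for _, _, res in parsed if res != "*"]
    policy = build_push_policy(repos)
    still_denied = [(a, r) for _, a, r in parsed if not policy_allows(policy, a, r)]
    return policy, still_denied


if __name__ == "__main__":
    policy, still_denied = policy_from_denials(DENIALS)
    print(json.dumps(policy, indent=2))
    print("still denied:", still_denied)
```

Attach the printed document to the role as an inline policy (IAM console, or `aws iam put-role-policy`). If the build also pulls base images from ECR, add ecr:BatchGetImage and ecr:GetDownloadUrlForLayer on those repositories; the evaluator above will flag a pull denial as still denied because the push set does not include them.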