
Unable to use ECRPullImage task to pull an image from public AWS ECR repository

Open avolcoff opened this issue 2 years ago • 1 comments

Describe the bug

Unable to use ECRPullImage task to pull an image from public AWS ECR repository

To reproduce

Steps to reproduce the behavior:

  1. Use this task definition:

```yaml
- task: ECRPullImage@1
  displayName: Pull amazon linux 2 image
  inputs:
    awsCredentials: 'AWS-ECR-Pull-Image-From-Public-ECR'
    regionName: ${{ parameters.awsRegion }}
    repository: 'amazonlinux/amazonlinux'
    imageSource: 'imagetag'
```

  2. Run an Azure pipeline build.
  3. Get this log error:

```text
Starting: Pull base image
==============================================================================
Task         : Amazon ECR Pull
Description  : Pull a Docker image from an Amazon Elastic Container Registry on AWS
Version      : 1.13.0
Author       : Amazon Web Services
Help         : Please refer to Amazon Elastic Container Registry documentation for working with this service.

####Task Permissions
This task requires permissions to call the following AWS service APIs (depending on selected task options, not all APIs may be used):
  * ecr:DescribeRepositories
  * ecr:GetDownloadUrlForLayer
  * ecr:GetAuthorizationToken
  * ecr:BatchGetImage
  * ecr:BatchCheckLayerAvailability
==============================================================================
Configuring credentials for task
...configuring AWS credentials from service endpoint '53b42f7f-dc7b-4063-82ff-d870ef6813c1'
...endpoint defines standard access/secret key credentials
Configuring region for task
...configured to use region eu-west-1, defined in task.
Obtaining authentication token for ECR login
##[error]Error: Failed to obtain authorization token to log in to ECR, error: AccessDeniedException: User: arn:aws:iam::035978952288:user/AzurePipelinePullFromPublicECR is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
Finishing: Pull base image
```

Expected behavior

should pull the image without errors

Your Environment

  • cloud based: Azure pipeline
  • Azure DevOps version: Version Dev18.M202.1 (AzureDevOps_M202_20220407.8)
  • AWS Toolkit for Azure DevOps version: could not find it

avolcoff avatar Apr 19 '22 09:04 avolcoff

Hey @avolcoff,

You may need to allow your IAM role to access ecr:GetAuthorizationToken. Here's an example statement that gives the role access for all resources:

```json
{
  "Effect": "Allow",
  "Action": "ecr:GetAuthorizationToken",
  "Resource": "*"
}
```

I believe there is also an AWS-managed policy called AmazonEC2ContainerRegistryReadOnly that could be used.

JadenSimon avatar Apr 19 '22 15:04 JadenSimon
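The task's own help text in the log lists the five `ecr:` actions it may call, and the `AccessDeniedException` names exactly the one the pipeline identity lacks. The following is an added example, not code from the issue or from the AWS Toolkit for Azure DevOps: a small offline check that takes an IAM identity policy document and reports which of those five actions no `Allow` statement covers, so the gap can be found before a pipeline run fails. The two policy documents it checks are constructed for this example (placeholder account `123456789012`; the region `eu-west-1` is the one from the issue's log). The check only considers identity-based `Allow` statements and ignores `Deny`, conditions and resource scoping, so an empty result means "not obviously missing", not "proven allowed".

```python
import fnmatch
import json

# The APIs the Amazon ECR Pull task lists in its help text (taken from the
# issue's log). ecr:GetAuthorizationToken does not support resource-level
# permissions, so it has to be granted on Resource "*".
REQUIRED_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr:DescribeRepositories",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
}


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names match case-insensitively and accept * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_action_patterns(policy):
    """Collect every Action pattern from the policy's Allow statements."""
    return [
        pattern
        for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow"
        for pattern in _as_list(stmt.get("Action"))
    ]


def missing_actions(policy):
    """Return the required actions that no Allow statement in `policy` covers."""
    patterns = allowed_action_patterns(policy)
    return {
        action
        for action in REQUIRED_ACTIONS
        if not any(_action_matches(p, action) for p in patterns)
    }


# Constructed policy: repository-scoped reads only. This is the shape of
# policy that produces the issue's AccessDeniedException, because the
# token call is never granted.
LAYER_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer",
               "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"],
    "Resource": "arn:aws:ecr:eu-west-1:123456789012:repository/*"
  }]
}""")

# Constructed least-privilege pull policy: the token call on "*" (the only
# resource the API accepts) and the image reads scoped to one placeholder
# repository ARN rather than the whole registry.
PULL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer",
                 "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"],
      "Resource": "arn:aws:ecr:eu-west-1:123456789012:repository/example-repo"
    }
  ]
}""")


if __name__ == "__main__":
    for name, policy in (("layer-only", LAYER_ONLY_POLICY), ("pull", PULL_POLICY)):
        gap = missing_actions(policy)
        print(f"{name}: {'ok' if not gap else 'missing ' + ', '.join(sorted(gap))}")
```

Run against the layer-only document the check reports `ecr:GetAuthorizationToken` as missing, which is the action named in the issue's error; the second document passes. Note that the task's help text lists only `ecr:` (private registry) actions, and Amazon ECR Public is a separate service with its own `ecr-public:` action namespace, so this check covers the private-registry authorization path the task is shown exercising in the log, not whether a public repository can be reached through it.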