aws-cdk

AWS CDK Codebuild: GetAuthorizationToken operation denied


Following this tutorial on AWS:

https://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html#sample-docker-running

It keeps failing for me at this line:

- aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com

Gives me this error every time:

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::######:assumed-role/NetworkingStack-FargateBuildProjectRole/AWSCodeBuild is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
Error: Cannot perform an interactive login from a non TTY device

Any help would be appreciated.

For more context, I'm using the CDK to set up this pipeline and here are the roles I've added to the pipeline:

    // CDK v2 import path; CDK v1 uses "@aws-cdk/aws-iam" instead
    import {
        CompositePrincipal,
        ManagedPolicy,
        PolicyDocument,
        PolicyStatement,
        Role,
        ServicePrincipal,
    } from "aws-cdk-lib/aws-iam";

    // ... inside the props object of the CodeBuild / CodePipeline construct:
            role: new Role(scope, `${name}PipelineRole`, {
                // AWS managed policy: full ECR access on every repository
                managedPolicies: [
                    ManagedPolicy.fromAwsManagedPolicyName(
                        "AmazonEC2ContainerRegistryFullAccess",
                    ),
                ],
                // Both CodeBuild and CodePipeline are allowed to assume this role
                assumedBy: new CompositePrincipal(
                    new ServicePrincipal("codebuild.amazonaws.com"),
                    new ServicePrincipal("codepipeline.amazonaws.com"),
                ),
                inlinePolicies: {
                    EcrPushPolicy: new PolicyDocument({
                        statements: [
                            // Push/pull actions, scoped to the one repository
                            new PolicyStatement({
                                actions: [
                                    "ecr:BatchCheckLayerAvailability",
                                    "ecr:BatchGetImage",
                                    "ecr:CompleteLayerUpload",
                                    "ecr:GetDownloadUrlForLayer",
                                    "ecr:InitiateLayerUpload",
                                    "ecr:PutImage",
                                    "ecr:UploadLayerPart",
                                ],
                                resources: [repository.repositoryArn],
                            }),
                            // GetAuthorizationToken is not resource-scoped, so it needs "*"
                            new PolicyStatement({
                                actions: ["ecr:GetAuthorizationToken"],
                                resources: ["*"],
                            }),
                        ],
                    }),
                },
            }),

There is probably some overlap here between the policies, but I'm just throwing everything at it and it's still not working.


Solution

  • An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::######:assumed-role/NetworkingStack-FargateBuildProjectRole/AWSCodeBuild is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action

    This error is pretty self-explanatory: you need to add the following permissions to your role to allow it to authenticate with ECR:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    

    Error: Cannot perform an interactive login from a non TTY device

    Because the first command in your pipeline is erroring and not writing anything to stdout, the docker command is trying to perform an interactive login but can't, because it doesn't have an interactive terminal. Adding the correct permissions above will make the first command work and this error will go away.
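An added example, not code from the question, the answer or the CDK project: a small TypeScript evaluator for the identity-based part of IAM policy evaluation, run over the inline policy document from the question and over a repository-scoped variant of the answer's statement. The repository ARN is a constructed placeholder; the example shows why the `ecr:GetAuthorizationToken` statement must use `Resource: "*"` and that the "no identity-based policy allows" message is an implicit deny, not an explicit one.

```typescript
// Added example (not from the question or answer): minimal evaluator for identity-based
// IAM policies covering only Effect, Action and Resource (no Conditions, NotAction, SCPs).
type Statement = { Effect: "Allow" | "Deny"; Action: string | string[]; Resource: string | string[] };
type PolicyDocument = { Version: string; Statement: Statement[] };
type Decision = "Allow" | "Deny" | "ImplicitDeny";

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// IAM wildcard match: "*" matches any run of characters, "?" exactly one.
// Action names are matched case-insensitively, resource ARNs case-sensitively.
function iamMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, ignoreCase ? "i" : "").test(value);
}

// "ImplicitDeny" is the outcome behind "no identity-based policy allows the
// ... action"; an explicit Deny wins over any number of Allows.
function evaluate(docs: PolicyDocument[], action: string, resource: string): Decision {
  let allowed = false;
  for (const doc of docs) {
    for (const st of doc.Statement) {
      const actionHit = asList(st.Action).some((a) => iamMatch(a, action, true));
      const resourceHit = asList(st.Resource).some((r) => iamMatch(r, resource, false));
      if (!actionHit || !resourceHit) continue;
      if (st.Effect === "Deny") return "Deny";
      allowed = true;
    }
  }
  return allowed ? "Allow" : "ImplicitDeny";
}

// Constructed placeholder, not an ARN from the thread.
const REPO_ARN = "arn:aws:ecr:us-east-1:123456789012:repository/example-app";

// The inline policy from the question, as CDK would render it.
const questionPolicy: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Resource: REPO_ARN, Action: [
    "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:CompleteLayerUpload",
    "ecr:GetDownloadUrlForLayer", "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart",
  ] },
  { Effect: "Allow", Action: "ecr:GetAuthorizationToken", Resource: "*" },
] };

// Common mistake: GetAuthorizationToken takes no resource, so the call is
// authorized against "*" and a repository-scoped statement never matches it.
const scopedMistake: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: "ecr:GetAuthorizationToken", Resource: REPO_ARN },
] };
```

The question's own document evaluates to Allow for this call, while the error names NetworkingStack-FargateBuildProjectRole rather than `${name}PipelineRole`; a policy is only effective on the role the CodeBuild project actually assumes, so that is the first thing to compare.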