Following this tutorial on AWS:
https://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html#sample-docker-running
It keeps failing for me at this line:
- aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com
Gives me this error every time:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::######:assumed-role/NetworkingStack-FargateBuildProjectRole/AWSCodeBuild is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
Error: Cannot perform an interactive login from a non TTY device
Any help would be appreciated.
For more context I'm using the CDK to set up this pipeline and here are the roles I've added to the pipeline:
role: new Role(scope, `${name}PipelineRole`, {
  managedPolicies: [
    ManagedPolicy.fromAwsManagedPolicyName(
      "AmazonEC2ContainerRegistryFullAccess",
    ),
  ],
  assumedBy: new CompositePrincipal(
    new ServicePrincipal("codebuild.amazonaws.com"),
    new ServicePrincipal("codepipeline.amazonaws.com"),
  ),
  inlinePolicies: {
    EcrPushPolicy: new PolicyDocument({
      statements: [
        new PolicyStatement({
          actions: [
            "ecr:BatchCheckLayerAvailability",
            "ecr:BatchGetImage",
            "ecr:CompleteLayerUpload",
            "ecr:GetDownloadUrlForLayer",
            "ecr:InitiateLayerUpload",
            "ecr:PutImage",
            "ecr:UploadLayerPart",
          ],
          resources: [repository.repositoryArn],
        }),
        new PolicyStatement({
          actions: ["ecr:GetAuthorizationToken"],
          resources: ["*"],
        }),
      ],
    }),
  },
}),
There is probably some overlap here between the policies, but I'm just throwing everything at it and it's still not working.
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::######:assumed-role/NetworkingStack-FargateBuildProjectRole/AWSCodeBuild is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
This error is pretty self-explanatory - you need to add the following permissions to your role to allow it to authenticate with ECR:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Error: Cannot perform an interactive login from a non TTY device
Because the first command in your pipeline is erroring and not writing anything to stdout, the docker command is trying to perform an interactive login but can't because it doesn't have an interactive terminal. Adding the correct permissions above will make the first command work and this error will go away.
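To check this kind of denial offline, the following added example (not code from the question or the answer) pulls the role, action and resource out of the AccessDeniedException text and tests them against identity-policy documents. It is a simplified evaluator: the account id, repository ARN and function names are constructed, `Condition`/`NotAction`/`NotResource` statements are rejected, and permission boundaries and organization-level policies are not modelled.

```python
import re

# Error text from the build log above; the masked account id is a constructed placeholder.
ERROR = ("User: arn:aws:sts::111122223333:assumed-role/NetworkingStack-FargateBuildProjectRole"
         "/AWSCodeBuild is not authorized to perform: ecr:GetAuthorizationToken on resource: * "
         "because no identity-based policy allows the ecr:GetAuthorizationToken action")
DENIED = re.compile(r"assumed-role/(?P<role>[^/\s]+)/\S+ is not authorized to perform: "
                    r"(?P<action>\S+) on resource: (?P<resource>\S+)")
REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/example"  # constructed

# Constructed policy documents: push actions scoped to one repository, and the
# statement from the answer.
PUSH_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": REPO_ARN,
     "Action": ["ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:PutImage"]}]}
AUTH_TOKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"}]}

def parse_denial(message):
    """Return the role, action and resource named in an AccessDenied message."""
    match = DENIED.search(message)
    return match.groupdict() if match else None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, flags=0):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def is_allowed(policies, action, resource):
    """Explicit Deny wins; otherwise at least one matching Allow is required."""
    allowed = False
    for document in policies:
        for stmt in _as_list(document["Statement"]):
            if {"NotAction", "NotResource", "Condition"} & stmt.keys():
                raise ValueError("statement form outside the scope of this example")
            hit = (any(_glob(a, action, re.I) for a in _as_list(stmt["Action"]))
                   and any(_glob(r, resource) for r in _as_list(stmt["Resource"])))
            if hit and stmt["Effect"] == "Deny":
                return False
            allowed = allowed or hit
    return allowed

def explains_denial(message, policies):
    """True when the supplied policies do not allow the call the error reports."""
    denial = parse_denial(message)
    return not is_allowed(policies, denial["action"], denial["resource"])
```

Pass in the policy documents attached to the role named in the error message. A statement that lists `ecr:GetAuthorizationToken` against a repository ARN does not match, because the request's resource is `*`.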