AWS ECR Access Denied Error: Troubleshooting 'ecr:GetAuthorizationToken' Issue in EKS

0

I encountered an issue with AWS ECR where I'm getting an "ecr:GetAuthorizationToken" access denied error.

I've created a service account on my EKS and attached a role with full access to ECR. The policy attached to the role includes the "ecr:GetAuthorizationToken" action.

Here's the format of my IAM role's trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::{ACC-ID}:oidc-provider/{OIDC URL}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "{OIDC URL}:sub": "system:serviceaccount:{NAMESPACE}:{SA-NAME}"
                }
            }
        }
    ]
}

However, when attempting to sign in to ECR from a pod, I'm encountering the following error:

Error: An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::{ACC-ID}:assumed-role/ecr-sa/botocore-session-1706359714 is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action Access denied

What could be causing this issue, and how can I resolve it?

1 Answer
2
Accepted Answer

Hi,

Your issue is probably not in the trust policy for the role but in the authorizations given to this role.

Have a look at https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html

You can use your Amazon ECR images with Amazon EKS, but you need to satisfy 
the following prerequisites.

For Amazon EKS workloads hosted on managed or self-managed nodes, the Amazon 
EKS worker node IAM role (NodeInstanceRole) is required. The Amazon EKS worker 
node IAM role must contain the following IAM policy permissions for Amazon ECR.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}

Best,

Didier

profile pictureAWS
EXPERT
answered 4 months ago
profile picture
EXPERT
reviewed 2 months ago
profile picture
EXPERT
reviewed 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions