
first time, long time!

Getting this error:

```
An error occurred (InternalFailure) when calling the GetAuthorizationToken operation (reached max retries: 2):
```

When running:

```bash
aws ecr-public get-login-password --region us-west-2 --profile <IAM user profile>
```

IAM user has this policy attached (this was made extremely permissive out of frustration ;) ):

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:*",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ecr-public:*",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "ecr:*",
            "Resource": "*"
        }
    ]
}
```

And a role with the trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowIamUserAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<ARN of IAM user>"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "AllowPassSessionTags",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<ARN of IAM user>"
      },
      "Action": "sts:TagSession"
    }
  ]
}
```

The role has "AmazonEC2ContainerRegistryFullAccess" and "AmazonElasticContainerRegistryPublicFullAccess" policies attached.

What am I doing wrong here?

  • The user would not need ECR permissions, since the AWS CLI would be assuming the IAM Role. The IAM Role would need those permissions. However, that doesn't seem to be the cause of this problem. I wonder if you could test things by logging into the AWS management console as that user, then using **Switch Role** to confirm that they have permissions to Assume the IAM Role? – John Rotenstein Jul 25 '21 at 23:58
  • I was able to switch roles in the console GUI. – Jibbery Jul 26 '21 at 00:07
  • Bah, is this one of those things that can only work in one region? Things seem quite happy if I am in `us-east-1`. – Jibbery Jul 26 '21 at 00:31
  • Great! That means the permissions are set up correctly to allow that IAM User to assume that IAM Role. I'm not sure what would be causing your error. Can you show us the AWS CLI `config` file (_not_ the `credentials` file) that is configured to assume the role? Do you particularly _need_ the user to assume the IAM Role, or would you be willing to let them call ECR directly? – John Rotenstein Jul 26 '21 at 00:33
  • Oh, it's working in one region, but not another? That seems very strange. – John Rotenstein Jul 26 '21 at 00:47
  • I would guess this is a "global" resource. You would think this would work in any region... but I'll take the W and move on. Thank you so much for the help! – Jibbery Jul 26 '21 at 15:34

1 Answer


Running `aws ecr-public get-login-password --region us-east-1 --profile <IAM user profile>` worked. Hopefully this will save someone some pain in the future.

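The two things the thread converges on are the region (the call only succeeded against `us-east-1`) and the CLI `config` file that makes the profile assume the role, which was asked for but never posted. The script below is an added example, not code from the question or the answer: it refuses any region other than `us-east-1` before the call is made, builds the usual `get-login-password | docker login` pipeline for `public.ecr.aws`, writes a sample `config` in which a user profile is the `source_profile` of a role profile, and writes a least-privilege inline policy for the role that replaces the `sts:*` / `ecr:*` / `ecr-public:*` wildcards with the two actions that `get-login-password` against ECR Public actually needs. The profile names, the account id `123456789012` and the role name `EcrPublicPublisher` are placeholders; the file paths are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes AWS CLI v2 and docker
# are installed when the final pipeline is run; all names below are placeholders.

# ECR Public's API is served from us-east-1 (the region the answer found to
# work). Fail fast on any other region instead of getting an opaque
# InternalFailure from GetAuthorizationToken.
ecr_public_region_ok() {
    [ "$1" = "us-east-1" ]
}

# Build the login pipeline for public.ecr.aws with the region pinned.
# Returned as a string so it can be inspected before it is executed.
ecr_public_login_cmd() {
    printf '%s' "aws ecr-public get-login-password --region us-east-1 --profile $1 | docker login --username AWS --password-stdin public.ecr.aws"
}

# Constructed sample ~/.aws/config: --profile should name the *role* profile,
# so the CLI assumes the role with credentials from the source profile.
write_cli_config() {
    cat > "$1" <<'EOF'
[profile ecr-user]
region = us-east-1

[profile ecr-publisher]
role_arn = arn:aws:iam::123456789012:role/EcrPublicPublisher
source_profile = ecr-user
region = us-east-1
EOF
}

# Least-privilege inline policy for the role: the only two actions that
# `aws ecr-public get-login-password` needs. Attach it to the role, not the user;
# the user only needs sts:AssumeRole on the role.
write_role_policy() {
    cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr-public:GetAuthorizationToken",
        "sts:GetServiceBearerToken"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Usage: ecr-public-login.sh <region> <config-path> <policy-path>
main() {
    region="$1"
    if ! ecr_public_region_ok "$region"; then
        echo "ecr-public is only served from us-east-1, got '$region'" >&2
        return 1
    fi
    write_cli_config "$2"
    write_role_policy "$3"
    echo "attach with: aws iam put-role-policy --role-name EcrPublicPublisher --policy-name EcrPublicLogin --policy-document file://$3"
    echo "then run:    $(ecr_public_login_cmd ecr-publisher)"
}

# Only act when arguments are given, so sourcing the file has no side effects.
[ $# -eq 3 ] && main "$@"
```

Run it as `sh ecr-public-login.sh us-east-1 ./config.sample ./ecr-public-login-policy.json`; passing `us-west-2` as the first argument reproduces the failure mode from the question as an explicit error rather than a retried InternalFailure. The policy file is intentionally narrower than the managed `AmazonElasticContainerRegistryPublicFullAccess` policy the question attaches: a login-only role should not also be able to create or delete public repositories.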