# general


02/22/2024, 11:59 AM
Hey friends! Can anyone give me some pointers on this weird ECR/IAM permissions issue? I'm seeing this error message only when updating an existing stack (i.e. not when I create it from scratch).
Copy code
cacheFrom image <snip> not available: Error pulling cached image <snip> Error response from daemon: pull access denied for <snip>, repository does not exist or may require 'docker login': denied: User: arn:aws:iam::<snip>:user/BedeKelly is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:eu-west-2:<snip>:repository/dev-scheduled-task-runner-5dbfe00 with an explicit deny in an identity-based policy
Curiously, a workaround seems to be just changing my repository name -- so it's deleted and recreated. It seems like an IAM permissions problem, but when I run this command I see the output (and no permissions errors!):
aws ecr batch-get-image --repository-name dev-scheduled-task-runner-5dbfe00 --image-ids imageTag=latest
Here's my Pulumi typescript for the repository and docker image:
Copy code
// Create an ECR repository for storing versions of our task-runner container.
const scheduledTaskRunnerRepository = new aws.ecr.Repository(`${stackName}-scheduled-task-runner`, {
    forceDelete: true

const authToken = aws.ecr.getAuthorizationTokenOutput({
    registryId: scheduledTaskRunnerRepository.registryId

// Build and push the docker image which can run tasks.
const image = new docker.Image(`${stackName}-scheduled-task-runner-image`, {
    build: {
        context: '../..',
        dockerfile: '../task-runner/Dockerfile',
        platform: 'linux/amd64',
        cacheFrom: {
            images: [pulumi.interpolate`${scheduledTaskRunnerRepository.repositoryUrl}:latest`]
    imageName: pulumi.interpolate`${scheduledTaskRunnerRepository.repositoryUrl}:latest`,
    registry: {
        username: 'AWS',
        password: pulumi.secret(authToken.apply(token => token.password)),
        server: scheduledTaskRunnerRepository.repositoryUrl


02/22/2024, 9:35 PM
How do you source creds in both examples? Does aws cli configs have default profile?
Is it the same what pulumi using?


02/23/2024, 1:56 AM
Yeah, both using the same credentials. There's a single
profile in
created using
aws configure
Solved this, for any future searchers! My company had a policy which required MFA, but had an exclusion for when an API call was made via an Amazon service. That meant my
aws ecr
command worked without MFA, but my
docker push
failed. I had to log in using
and use a code from my MFA device, swapping out my old access key in my config for the new temporary one AWS had generated. After that,
docker push
worked fine!