Hey friends Can anyone give me some pointers on this weird E Pulumi Community #general

Hey friends! Can anyone give me some pointers on t...

handsome-beach-10517

02/22/2024, 11:59 AM

Hey friends! Can anyone give me some pointers on this weird ECR/IAM permissions issue? I'm seeing this error message only when updating an existing stack (i.e. not when I create it from scratch).

Copy code

cacheFrom image <snip>.dkr.ecr.eu-west-2.amazonaws.com/dev-scheduled-task-runner-5dbfe00:latest not available: Error pulling cached image <snip>.dkr.ecr.eu-west-2.amazonaws.com/dev-scheduled-task-runner-5dbfe00:latest: Error response from daemon: pull access denied for <snip>.dkr.ecr.eu-west-2.amazonaws.com/dev-scheduled-task-runner-5dbfe00, repository does not exist or may require 'docker login': denied: User: arn:aws:iam::<snip>:user/BedeKelly is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:eu-west-2:<snip>:repository/dev-scheduled-task-runner-5dbfe00 with an explicit deny in an identity-based policy

Curiously, a workaround seems to be just changing my repository name -- so it's deleted and recreated. It seems like an IAM permissions problem, but when I run this command I see the output (and no permissions errors!):

aws ecr batch-get-image --repository-name dev-scheduled-task-runner-5dbfe00 --image-ids imageTag=latest

Here's my Pulumi typescript for the repository and docker image:

Copy code

// Create an ECR repository for storing versions of our task-runner container.
const scheduledTaskRunnerRepository = new aws.ecr.Repository(`${stackName}-scheduled-task-runner`, {
    forceDelete: true
});

const authToken = aws.ecr.getAuthorizationTokenOutput({
    registryId: scheduledTaskRunnerRepository.registryId
});

// Build and push the docker image which can run tasks.
const image = new docker.Image(`${stackName}-scheduled-task-runner-image`, {
    build: {
        context: '../..',
        dockerfile: '../task-runner/Dockerfile',
        platform: 'linux/amd64',
        cacheFrom: {
            images: [pulumi.interpolate`${scheduledTaskRunnerRepository.repositoryUrl}:latest`]
        }
    },
    imageName: pulumi.interpolate`${scheduledTaskRunnerRepository.repositoryUrl}:latest`,
    registry: {
        username: 'AWS',
        password: pulumi.secret(authToken.apply(token => token.password)),
        server: scheduledTaskRunnerRepository.repositoryUrl
    }
})

dry-potato-52542

02/22/2024, 9:35 PM

How do you source creds in both examples? Does aws cli configs have default profile?

dry-potato-52542

02/22/2024, 9:35 PM

Is it the same what pulumi using?

handsome-beach-10517

02/23/2024, 1:56 AM

Yeah, both using the same credentials. There's a single

default

profile in

~/.aws/config

and

~/.aws/credentials

created using

aws configure

handsome-beach-10517

03/01/2024, 3:52 PM

Solved this, for any future searchers! My company had a policy which required MFA, but had an exclusion for when an API call was made via an Amazon service. That meant my

aws ecr

command worked without MFA, but my

docker push

failed. I had to log in using

sts

and use a code from my MFA device, swapping out my old access key in my config for the new temporary one AWS had generated. After that,

docker push

worked fine!

Open in Slack

Previous Next