handsome-beach-10517
02/22/2024, 11:59 AM
cacheFrom image <snip>.dkr.ecr.eu-west-2.amazonaws.com/dev-scheduled-task-runner-5dbfe00:latest not available: Error pulling cached image <snip>.dkr.ecr.eu-west-2.amazonaws.com/dev-scheduled-task-runner-5dbfe00:latest: Error response from daemon: pull access denied for <snip>.dkr.ecr.eu-west-2.amazonaws.com/dev-scheduled-task-runner-5dbfe00, repository does not exist or may require 'docker login': denied: User: arn:aws:iam::<snip>:user/BedeKelly is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:eu-west-2:<snip>:repository/dev-scheduled-task-runner-5dbfe00 with an explicit deny in an identity-based policy
Curiously, a workaround seems to be just changing my repository name -- so it's deleted and recreated.
It seems like an IAM permissions problem, but when I run this command I see the output (and no permissions errors!):
aws ecr batch-get-image --repository-name dev-scheduled-task-runner-5dbfe00 --image-ids imageTag=latest
Here's my Pulumi TypeScript for the repository and docker image:
import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
import * as docker from '@pulumi/docker';

// stackName is defined elsewhere in the program (not shown in the post).

// Create an ECR repository for storing versions of our task-runner container.
const scheduledTaskRunnerRepository = new aws.ecr.Repository(`${stackName}-scheduled-task-runner`, {
    forceDelete: true
});

// Fetch a temporary ECR authorization token for the repository's registry.
const authToken = aws.ecr.getAuthorizationTokenOutput({
    registryId: scheduledTaskRunnerRepository.registryId
});

// Build and push the docker image which can run tasks.
const image = new docker.Image(`${stackName}-scheduled-task-runner-image`, {
    build: {
        context: '../..',
        dockerfile: '../task-runner/Dockerfile',
        platform: 'linux/amd64',
        // Pull the previously pushed image to use as a build cache.
        cacheFrom: {
            images: [pulumi.interpolate`${scheduledTaskRunnerRepository.repositoryUrl}:latest`]
        }
    },
    imageName: pulumi.interpolate`${scheduledTaskRunnerRepository.repositoryUrl}:latest`,
    // Registry credentials used for both the cache pull and the push.
    registry: {
        username: 'AWS',
        password: pulumi.secret(authToken.apply(token => token.password)),
        server: scheduledTaskRunnerRepository.repositoryUrl
    }
});
dry-potato-52542
02/22/2024, 9:35 PM
dry-potato-52542
02/22/2024, 9:35 PM
handsome-beach-10517
02/23/2024, 1:56 AM
default profile in ~/.aws/config and ~/.aws/credentials created using aws configure.
handsome-beach-10517
03/01/2024, 3:52 PM
aws ecr command worked without MFA, but my docker push failed. I had to log in using sts and use a code from my MFA device, swapping out my old access key in my config for the new temporary one AWS had generated. After that, docker push worked fine!