https://pulumi.com
Join Slack
Hey friends! Can anyone give me some pointers on this weird ECR/IAM permissions issue? I'm seeing th...
# general
h
Hey friends! Can anyone give me some pointers on this weird ECR/IAM permissions issue? I'm seeing this error message only when updating an existing stack (i.e. not when I create it from scratch).
Copy code
cacheFrom image <snip>.dkr.ecr.eu-west-2.amazonaws.com/dev-scheduled-task-runner-5dbfe00:latest not available: Error pulling cached image <snip>.dkr.ecr.eu-west-2.amazonaws.com/dev-scheduled-task-runner-5dbfe00:latest: Error response from daemon: pull access denied for <snip>.dkr.ecr.eu-west-2.amazonaws.com/dev-scheduled-task-runner-5dbfe00, repository does not exist or may require 'docker login': denied: User: arn:aws:iam::<snip>:user/BedeKelly is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:eu-west-2:<snip>:repository/dev-scheduled-task-runner-5dbfe00 with an explicit deny in an identity-based policy
Curiously, a workaround seems to be just changing my repository name -- so it's deleted and recreated. It seems like an IAM permissions problem, but when I run this command I see the output (and no permissions errors!): 
aws ecr batch-get-image --repository-name dev-scheduled-task-runner-5dbfe00 --image-ids imageTag=latest
Here's my Pulumi typescript for the repository and docker image:
Copy code
// Create an ECR repository for storing versions of our task-runner container.
const scheduledTaskRunnerRepository = new aws.ecr.Repository(`${stackName}-scheduled-task-runner`, {
    forceDelete: true
});

const authToken = aws.ecr.getAuthorizationTokenOutput({
    registryId: scheduledTaskRunnerRepository.registryId
});

// Build and push the docker image which can run tasks.
const image = new docker.Image(`${stackName}-scheduled-task-runner-image`, {
    build: {
        context: '../..',
        dockerfile: '../task-runner/Dockerfile',
        platform: 'linux/amd64',
        cacheFrom: {
            images: [pulumi.interpolate`${scheduledTaskRunnerRepository.repositoryUrl}:latest`]
        }
    },
    imageName: pulumi.interpolate`${scheduledTaskRunnerRepository.repositoryUrl}:latest`,
    registry: {
        username: 'AWS',
        password: pulumi.secret(authToken.apply(token => token.password)),
        server: scheduledTaskRunnerRepository.repositoryUrl
    }
})
d
How do you source creds in both examples? Does aws cli configs have default profile?
Is it the same what pulumi using?
h
Yeah, both using the same credentials. There's a single 
default
profile in 
~/.aws/config
and 
~/.aws/credentials
created using 
aws configure
.
Solved this, for any future searchers! My company had a policy which required MFA, but had an exclusion for when an API call was made via an Amazon service. That meant my 
aws ecr
command worked without MFA, but my 
docker push
failed. I had to log in using 
sts
and use a code from my MFA device, swapping out my old access key in my config for the new temporary one AWS had generated. After that, 
docker push
worked fine!
Open in Slack
PreviousNext
Powered by

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Powered by