Nucleus

Reputation: 397

AWS CodeBuild GetAuthorizationToken failed

I'm trying to build my testing project, but every time it fails in pre_build. I checked the error log and it says:

[Container] 2017/03/26 19:28:21 An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::074181202020:assumed-role/codebuild-Testing-project-service-role/AWSCodeBuild is not authorized to perform: ecr:GetAuthorizationToken on resource: *

I have tried to attach the following policies:

  • IAMSelfManageServiceSpecificCredentials
  • IAMFullAccess
  • AmazonS3ReadOnlyAccess
  • CodeBuildPolicy-Testing-project-1490555003058
  • IAMReadOnlyAccess
  • AWSCodeBuildAdminAccess
  • IAMUserSSHKeys
  • AWSCodeCommitFullAccess
  • IAMFullAccess
  • AmazonS3FullAccess
  • AdministratorAccess
  • AWSElasticBeanstalkFullAccess
  • AWSCodePipelineFullAccess
  • WSCodeBuildAdminAccess

But it is still giving me the same error.

Any help would be appreciated! Thanks!

Upvotes: 12

Views: 12843

Answers (5)

Minh Chau

Reputation: 111

I follow this guideline https://www.stacksimplify.com/aws-eks/aws-devops-eks/learn-to-master-devops-on-aws-eks-using-aws-codecommit-codebuild-codepipeline/#step-08-review-the-buildspecyml-for-codebuild-environment-variables

Also note that AWS will create two roles (a CodePipeline role and a CodeBuild role). You need to add the policy AmazonEC2ContainerRegistryFullAccess to the CodeBuild role. The name of the CodeBuild role will be codebuild-<codebuild_project>-service-role. Do not add the above policy to the AWSCodePipelineServiceRole.

Upvotes: 0

Ashot

Reputation: 1300

When you configure AWS CodeBuild it creates a service role and attaches the default policies there to write logs and put files to an S3 bucket. In order for the CodeBuild underlying instance to have access to ECR, you should attach a policy to that service role.

There are managed policies that you can use, e.g.:

AmazonEC2ContainerRegistryFullAccess

For more information:

https://aws.amazon.com/blogs/devops/build-a-continuous-delivery-pipeline-for-your-container-images-with-amazon-ecr-as-source/

Upvotes: 6

Cyril N.

Reputation: 39909

Here's my policy to manage ECR. Then, I attach it to the user I want to allow access to:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy",
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage"
            ]
        }
    ]
}

Upvotes: 2

Jimmy

Reputation: 1173

Actually the getAuthorizationToken error can't be solved inside ECR (As you won't even see ecr:getAuthorizationToken there).

You need to go to the IAM panel => Roles => CodeBuild Role => Grant Policy => AmazonEC2ContainerRegistryReadOnly

That enables it to get a token.

Upvotes: 24
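Added example, not from the question or any answer: it parses the AccessDenied line from the question to find which IAM role (not user) actually needs the permission, and then evaluates a least-privilege policy for that role locally before attaching it. The repository name, region and the tiny evaluator (no Condition support) are assumptions; ecr:GetAuthorizationToken is not repository-scoped, so it is the one action that must be allowed on "*".

```python
import fnmatch
import re

# Constructed from the error line shown in the question.
ERROR_LINE = ("An error occurred (AccessDeniedException) when calling the GetAuthorizationToken "
              "operation: User: arn:aws:sts::074181202020:assumed-role/"
              "codebuild-Testing-project-service-role/AWSCodeBuild is not authorized to perform: "
              "ecr:GetAuthorizationToken on resource: *")

def parse_denied(line):
    """Return (role_name, action, resource) from an AccessDenied message for an assumed role.
    The role name is the principal the policy must be attached to, whatever the user has."""
    m = re.search(r"assumed-role/([^/\s]+)/\S+ is not authorized to perform: (\S+) on resource: (\S+)", line)
    return m.groups() if m else None

def _matches(patterns, value, fold_case):
    """IAM-style wildcard match; actions are case-insensitive, ARNs are not."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    if fold_case:
        pats, value = [p.lower() for p in pats], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def policy_allows(policy, action, resource):
    """Minimal IAM evaluation (assumption: no Condition keys): explicit Deny wins, else any matching Allow."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st.get("Action", []), action, True) and _matches(st.get("Resource", []), resource, False):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Least-privilege policy for the CodeBuild service role (constructed; region and repository name are placeholders).
REPO_ARN = "arn:aws:ecr:us-east-1:074181202020:repository/testing-project"
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # GetAuthorizationToken takes no repository ARN, so it must be allowed on "*".
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        # Pull and push are restricted to the single repository the build works with.
        {"Effect": "Allow",
         "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                    "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"],
         "Resource": REPO_ARN},
    ],
}

if __name__ == "__main__":
    role, action, resource = parse_denied(ERROR_LINE)
    print(f"attach the policy to role {role!r}; it must allow {action} on {resource}")
    print("candidate policy grants it:", policy_allows(LEAST_PRIVILEGE_POLICY, action, resource))
```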

Clare Liguori

Reputation: 1650

You need to add permissions to the ECR repository policy, not to the CodeBuild service role. This page has a sample for the repo policy: https://docs.aws.amazon.com/codebuild/latest/userguide/sample-ecr.html

Upvotes: 8
