400 Error when invoking DescribeImages via cross-account role assumption

0

I have an application in Account X that is trying to call ecr:DescribeImages using the golang SDK in AccountY. Here is the code I use:

	// Requires: github.com/aws/aws-sdk-go/aws, github.com/aws/aws-sdk-go/aws/session,
	// github.com/aws/aws-sdk-go/aws/credentials/stscreds, github.com/aws/aws-sdk-go/service/ecr,
	// github.com/pkg/errors
	sess, err := session.NewSession(&aws.Config{
		Region: aws.String(region),
	})
	if err != nil {
		return nil, errors.Wrap(err, "unable to create AWS session")
	}

	if roleToAssume != "" {
		// Credentials backed by STS AssumeRole; the AssumeRole call itself is deferred until first use.
		creds := stscreds.NewCredentials(sess, "arn:aws:iam::<Y>:my-role/my-application")
		sess, err = session.NewSession(&aws.Config{
			Region:      aws.String(region),
			Credentials: creds,
		})
		if err != nil {
			return nil, errors.Wrap(err, "unable to create AWS session with assumed role")
		}
	}

	client := ecr.New(sess)
	...
	// ECR input fields are *string in SDK v1, so literals must be wrapped with aws.String.
	out, err := client.DescribeImages(&ecr.DescribeImagesInput{
		RegistryId:     aws.String("Y"),
		RepositoryName: aws.String("my_repository"),
		ImageIds: []*ecr.ImageIdentifier{
			{
				ImageTag: aws.String("my_tag"),
			},
		},
	})

This code appears to work correctly when roleToAssume is empty (i.e. when DescribeImages is called using the credentials in the chain), but I get a 400 error from DescribeImages when roleToAssume is set to arn:aws:iam::<Y>:role/my-application:

4:05PM ERR Application failed error="Unhandled error when calling DescribeImages on <Y>.dkr.ecr.us-east-1.amazonaws.com/my_repository:my_tag: ValidationError: 'arn:aws:iam::<Y>:my-role/my-application' is invalid\n\tstatus code: 400, request id: 3593a012-c272-4e6f-9c3a-13cc1c4034b6"

From a permissions perspective, everything I would expect to be required is in place:

  • There is an IAM policy in X allowing the chain-provided user AssumeRole for arn:aws:iam::<Y>:my-role/my-application.
  • There is an IAM trust policy in Y allowing the chain-provided user to assume arn:aws:iam::<Y>:my-role/my-application.
  • There is an IAM policy in Y allowing arn:aws:iam::<Y>:my-role/my-application to call ecr:DescribeImages on *.

Could you help me investigate why I am getting a ValidationError from DescribeImages? If anything, I would expect a failure in the NewSession call because of missing AssumeRole policies.
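One way to catch this before any AWS call, as an added example that is not part of the question or of the AWS SDK: IAM role ARNs take the form arn:<partition>:iam::<account-id>:role/<name>, and stscreds credentials are only fetched on first use, so a malformed role ARN passes NewSession and surfaces as an STS ValidationError from the first API call (here DescribeImages). The validator below rejects the posted `my-role/` form locally and also checks that the role lives in the account that owns the ECR registry; the account id is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RoleARN holds the parts of a validated IAM role ARN.
type RoleARN struct {
	Partition string
	Account   string
	Path      string // "/" when the role has no path, otherwise "/some/path/"
	Name      string
}

// roleARNPattern matches arn:<partition>:iam::<12-digit account>:role/<path...>name.
// The resource type must be exactly "role"; "my-role/..." as in the question is rejected.
var roleARNPattern = regexp.MustCompile(`^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/((?:[\w+=,.@-]+/)*)([\w+=,.@-]+)$`)

// ParseRoleARN validates an IAM role ARN locally, before any session or STS call is made.
func ParseRoleARN(arn string) (*RoleARN, error) {
	m := roleARNPattern.FindStringSubmatch(strings.TrimSpace(arn))
	if m == nil {
		return nil, fmt.Errorf("%q is not a valid IAM role ARN (expected arn:<partition>:iam::<account-id>:role/<name>)", arn)
	}
	return &RoleARN{Partition: m[1], Account: m[2], Path: "/" + m[3], Name: m[4]}, nil
}

// CheckCrossAccountRole additionally requires the role to live in the account that
// owns the ECR registry being queried, so a role in the wrong account is caught too.
func CheckCrossAccountRole(arn, registryAccount string) (*RoleARN, error) {
	r, err := ParseRoleARN(arn)
	if err != nil {
		return nil, err
	}
	if r.Account != registryAccount {
		return nil, fmt.Errorf("role %s is in account %s, but the ECR registry is in account %s", r.Name, r.Account, registryAccount)
	}
	return r, nil
}

func main() {
	// Constructed account id; the question redacts the real one as <Y>.
	_, err := CheckCrossAccountRole("arn:aws:iam::123456789012:my-role/my-application", "123456789012")
	fmt.Println(err) // the question's ARN is rejected before any AWS call is made
}
```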

1 Answer
1

Hello,

Warm Greetings from AWS Premium Support. I hope you're doing well.

Thank you for reaching out to us with your concern. Firstly, thanks for explaining your use case. From the case notes, I can see that you have performed all the required steps for the cross-account scenario; however, to check whether those permissions are sufficient I need to check your role's permissions. Hence I would request you to reach out to support by logging a support ticket. Then, we can use our internal tool to check the role's permissions.

I hope this information was of value to you and I was able to address your queries effectively. In case you have any follow-up questions or any other concerns with regards to the information shared above, please feel free to write back to me; it would be my pleasure to assist you further and usher your issue towards resolution.

Thank you for your utmost patience and understanding. Have a nice day and stay safe! 😊

Reference:

https://repost.aws/knowledge-center/cross-account-access-iam

AWS
answered 2 months ago
EXPERT
reviewed 2 months ago