An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation in my CodeBuild

0

I still get the error below in my CodeBuild build even after granting the necessary permissions.

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::730335391382:assumed-role/pacctsmainToolChainRole/AWSCodeBuild-1d4aff0f-e158-44c2-9fee-5de4fb18bb9f is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action

Below is my Setup

I also used this ECR policy to set this up:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountPush",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:root"
            },
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart",
                "ecr:GetAuthorizationToken"
            ]
        }
    ]
}
  CodeBuildProject:
    Type: AWS::CodeBuild::Project
    DeletionPolicy: Delete
    DependsOn: [ToolingRole]
    Properties:
      Name: !Sub 'CodeBuildProject'
      Description: !Sub AWS CodeBuildProject
      ServiceRole: !Ref ToolingRole
..................
  ToolingRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Delete
    DependsOn: [CrossDeploymentRole]
    Properties:
      RoleName: !Sub '${AppID}ToolingRole' #[--${AWS::Region}]
      Description: Creating ToolingRole in IAM for the CodePipeline
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
            - codebuild.amazonaws.com
            - codedeploy.amazonaws.com
            - codepipeline.amazonaws.com
            - elasticbeanstalk.amazonaws.com
            - events.amazonaws.com
      Path: /
      Policies:
      - PolicyName: ToolChainWorkerPolicy
        PolicyDocument:
          Statement:
          # Statement:  [Allow ToolingRole to perform actions on specified resources]
          - Action:
            - "*"
            Effect: Allow
            Resource:
            - Fn::Sub: arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AppID}/*
            - Fn::Sub: arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${AppID}*
            - Fn::Sub: arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}
            - Fn::Sub: arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipelineName}
            - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}
            - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}/*
          # Statement: [Allow ToolChainRole to assume CrossDeploymentRole]
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !GetAtt CrossDeploymentRole.Arn
          # Statement:  []
          - Effect: Allow
            Resource:
            - !GetAtt CodeCommitRepo.Arn #CodeCommit Repo
            - !GetAtt CrossDeploymentRole.Arn 
            Action: ["iam:PassRole"]
          # Statement:  [Allow ToolChainRole to perform CloudTrail and CloudWatch Logs actions.]
          - Effect: Allow
            Resource: "*"
            Action:
            - cloudtrail:CreateTrail
            - cloudtrail:StartLogging
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:DescribeLogGroups
            - logs:PutLogEvents
  CrossDeploymentRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Delete
    Properties:
      RoleName: !Sub 'CrossDeploymentRole'
      Description: '...'
      AssumeRolePolicyDocument:
        Statement:
        # Statement:  [Allows the only following services to assume the IAM role.] 
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com, codepipeline.amazonaws.com, codebuild.amazonaws.com]
      Path: /
      #Note: (Policies Property Must be of type List)
      Policies:
      - PolicyName: !Sub 'CrossDeploymentRolePolicy'
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          # Statement:  []
          - Effect: Allow
            Action: sts:AssumeRole
            Resource:
            - !Sub arn:aws:iam::${AccountA}:role/DeploymentRole
            - !Sub arn:aws:iam::${AccountB}:role/DeploymentRole
            - !Sub arn:aws:iam::${AccountC}:role/DeploymentRole

Note: the same DeploymentRole is used in AccountA, AccountB and AccountC.

  DeploymentRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Delete
    Properties:
      RoleName: !Sub 'DeploymentRole'
      AssumeRolePolicyDocument:
        Statement:
        - Action: sts:AssumeRole
          Effect: Allow
          Principal:
            Service: [cloudformation.amazonaws.com, codepipeline.amazonaws.com, codebuild.amazonaws.com]
            AWS: !Sub "arn:aws:iam::${AccountA}:role/CrossDeploymentRole" # role name as defined above; !Sub only substitutes ${...}
      Path: /
      Policies:
      - PolicyName: !Sub 'DeploymentRolePolicy'
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
          - Effect: Allow
            Sid: ECRActions
            Resource: '*'
            Action: ['ecr:*']
1 Answer
2
Accepted Answer

Hello.

Judging from the content of the error, I thought that adding "ecr:GetAuthorizationToken" to the IAM policy "ToolChainWorkerPolicy" would solve the problem.

  ToolingRole:
    Type: AWS::IAM::Role
    DeletionPolicy: Delete
    DependsOn: [CrossDeploymentRole]
    Properties:
      RoleName: !Sub '${AppID}ToolingRole' #[--${AWS::Region}]
      Description: Creating ToolingRole in IAM for the CodePipeline
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
            - codebuild.amazonaws.com
            - codedeploy.amazonaws.com
            - codepipeline.amazonaws.com
            - elasticbeanstalk.amazonaws.com
            - events.amazonaws.com
      Path: /
      Policies:
      - PolicyName: ToolChainWorkerPolicy
        PolicyDocument:
          Statement:
          # Statement:  [Allow ToolingRole to perform actions on specified resources]
          - Action:
            - "*"
            Effect: Allow
            Resource:
            - Fn::Sub: arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AppID}/*
            - Fn::Sub: arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${AppID}*
            - Fn::Sub: arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}
            - Fn::Sub: arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipelineName}
            - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}
            - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}/*
          # Statement: [Allow ToolChainRole to assume CrossDeploymentRole]
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !GetAtt CrossDeploymentRole.Arn
          # Statement:  []
          - Effect: Allow
            Resource:
            - !GetAtt CodeCommitRepo.Arn #CodeCommit Repo
            - !GetAtt CrossDeploymentRole.Arn 
            Action: ["iam:PassRole"]
          # Statement:  [Allow ToolChainRole to perform CloudTrail and CloudWatch Logs actions.]
          - Effect: Allow
            Resource: "*"
            Action:
            - cloudtrail:CreateTrail
            - cloudtrail:StartLogging
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:DescribeLogGroups
            - logs:PutLogEvents
            - ecr:GetAuthorizationToken # Add
EXPERT
answered 7 days ago
EXPERT
reviewed 7 days ago
EXPERT
reviewed 7 days ago
  • Hello Riku,

    I have already added ecr:GetAuthorizationToken and ecr:* in my DeploymentRole (which is in every account in my multi-account deployment), which the CrossDeploymentRole assumes and the ToolingRole assumes:

      - Effect: Allow
        Action: sts:AssumeRole
        Resource: !GetAtt CrossDeploymentRole.Arn

    I would really appreciate your help with solving this. Thanks.

  • Understood. That means you are trying to access the ECR of another account from CodeBuild. I think the error is probably because the IAM role was not switched when executing "get-login-password". Please select the profile when executing "get-login-password" in buildspec.yml. Please also upload a file called "aws-config" to your Git repository along with buildspec.yml. I think you can change the IAM role by using the "aws-config" file and switching the profile when executing the "get-login-password" command.

    buildspec.yml

    aws --profile B ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${REPOSITORY_HOST}
    

    aws-config

    [default]
    region=ap-northeast-1
    output=json
    
    [profile B]
    role_arn=arn:aws:iam::<Account B>:role/DeploymentRole
    credential_source = EcsContainer
    
  • The ECR is in my tooling account, which contains the CodeBuild and CodePipeline, while my staging and production accounts will contain the ECS, Fargate and Lambda.

    But the DeploymentRole is the same in all three accounts, which is why the CrossDeploymentRole assumes all three roles in the 3 different accounts.

    While the ToolingRole only assumes the CrossDeploymentRole (which in turn assumes the DeploymentRole, which all have ecr:* permission, in the 3 accounts).

    Please help, thanks.

  • What ECR is CodeBuild trying to access? I think the error is probably occurring when executing the "get-login-password" command in buildspec.yml, but at that point, which AWS account's ECR are you assuming access to?

  • You are assuming access to the ECR in the tooling account (which contains the CodeBuild and CodePipeline).

    This is the code used to get the ECR_LOGIN_PASSWORD in the CodeBuild, which gives the error (An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation):

    ECR_LOGIN_PASSWORD=$(aws ecr get-login-password --region $AWS_DEFAULT_REGION)
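The mechanics behind the accepted answer and the last comment, as an added illustration that is not part of the original question, answer or comments: the `aws ecr get-login-password` call in the buildspec runs as the CodeBuild service role (the ToolingRole session named in the error), so it is that role's identity policy that is evaluated. The DeploymentRole's `ecr:*` grant only applies to a session that has actually assumed DeploymentRole. The ToolChainWorkerPolicy's first statement has `Action: "*"` but a `Resource` list of specific ARNs, and `ecr:GetAuthorizationToken` supports no resource-level permissions (the request resource is always `*`), so that statement never matches; the answer's fix works because it adds the action to the statement whose `Resource` is `"*"`. The Python below is a deliberately minimal IAM evaluator (wildcard action and resource matching, explicit Deny over Allow; no conditions, permission boundaries, SCPs or resource policies) run over JSON renderings of the thread's policies. The account id, AppID, bucket name and session name are constructed placeholders, not the poster's values.

```python
"""Minimal IAM identity-policy evaluator (added example; not code from the thread).

A request is allowed when some Allow statement matches both the action and the
resource (with '*' and '?' wildcards); an explicit Deny beats any Allow.
Conditions, permission boundaries, SCPs and resource-based policies are not
modelled, so this explains the error rather than replacing the policy simulator.
"""
import copy
import re


def _wildcard_match(pattern, value, ignore_case):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + ".*".join(
        re.escape(part).replace(r"\?", ".") for part in pattern.split("*")
    ) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    Actions match case-insensitively, ARNs case-sensitively, as in IAM. A
    statement applies only when BOTH its Action and its Resource match.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wildcard_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# The AccessDenied message names principal, action and resource; extracting
# them is the first triage step.
_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+) because (?P<reason>.+)$"
)


def parse_access_denied(message):
    """Return dict(principal, action, resource, reason) or None if not an IAM denial."""
    match = _DENIED_RE.search(message)
    return match.groupdict() if match else None


# Constructed sample error with the same shape as the one in the question
# (placeholder account id and session name).
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the GetAuthorizationToken "
    "operation: User: arn:aws:sts::111111111111:assumed-role/ToolingRole/AWSCodeBuild-session "
    "is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no "
    "identity-based policy allows the ecr:GetAuthorizationToken action"
)

# ToolChainWorkerPolicy from the question, rendered to JSON with constructed
# values for the CloudFormation substitutions.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Action "*" but specific Resource ARNs: never matches a resource of "*"
            "Effect": "Allow",
            "Action": ["*"],
            "Resource": [
                "arn:aws:cloudformation:us-east-1:111111111111:stack/myapp/*",
                "arn:aws:codebuild:us-east-1:111111111111:project/myapp*",
                "arn:aws:s3:::my-pipeline-bucket",
                "arn:aws:s3:::my-pipeline-bucket/*",
            ],
        },
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::111111111111:role/CrossDeploymentRole"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudtrail:CreateTrail", "cloudtrail:StartLogging",
                    "logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:DescribeLogGroups", "logs:PutLogEvents"]},
    ],
}

# The accepted answer: the action added to the statement whose Resource is "*".
ANSWER_POLICY = copy.deepcopy(QUESTION_POLICY)
ANSWER_POLICY["Statement"][2]["Action"].append("ecr:GetAuthorizationToken")

# DeploymentRolePolicy from the question. It allows the call, but only for a
# session that has assumed DeploymentRole; the error names a ToolingRole session.
DEPLOYMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ecr:*"], "Resource": "*"}],
}


def triage(message, policies):
    """Evaluate the denied request against each candidate policy, by name."""
    denied = parse_access_denied(message)
    return {name: evaluate(p, denied["action"], denied["resource"])
            for name, p in policies.items()}


if __name__ == "__main__":
    for name, decision in triage(SAMPLE_ERROR, {
        "ToolChainWorkerPolicy (question)": QUESTION_POLICY,
        "ToolChainWorkerPolicy (answer)": ANSWER_POLICY,
        "DeploymentRolePolicy (different principal)": DEPLOYMENT_POLICY,
    }).items():
        print(f"{name}: {decision}")
```

Running it reports ImplicitDeny for the question's policy, Allow for the answer's, and Allow for DeploymentRolePolicy, which is exactly why adding `ecr:*` there did not help: the policy is attached to a role the build never assumes. For the real account, the authoritative check is `aws iam simulate-principal-policy --policy-source-arn <ToolingRole ARN> --action-names ecr:GetAuthorizationToken`, which also takes boundaries and SCPs into account.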
