1 Answer
Hello.
Judging from the content of the error, I thought that adding "ecr:GetAuthorizationToken" to the IAM policy "ToolChainWorkerPolicy" would solve the problem.
```yaml
ToolingRole:
  Type: AWS::IAM::Role
  DeletionPolicy: Delete
  DependsOn: [CrossDeploymentRole]
  Properties:
    RoleName: !Sub '${AppID}ToolingRole' #[--${AWS::Region}]
    Description: Creating ToolingRole in IAM for the CodePipeline
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service:
              - codebuild.amazonaws.com
              - codedeploy.amazonaws.com
              - codepipeline.amazonaws.com
              - elasticbeanstalk.amazonaws.com
              - events.amazonaws.com
    Path: /
    Policies:
      - PolicyName: ToolChainWorkerPolicy
        PolicyDocument:
          Statement:
            # Statement: [Allow ToolingRole to perform actions on specified resources]
            - Action:
                - "*"
              Effect: Allow
              Resource:
                - Fn::Sub: arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AppID}/*
                - Fn::Sub: arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${AppID}*
                - Fn::Sub: arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${RepositoryName}
                - Fn::Sub: arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipelineName}
                - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}
                - Fn::Sub: arn:${AWS::Partition}:s3:::${CodePipelineS3Bucket}/*
            # Statement: [Allow ToolChainRole to assume CrossDeploymentRole]
            - Effect: Allow
              Action: sts:AssumeRole
              Resource: !GetAtt CrossDeploymentRole.Arn
            # Statement: []
            - Effect: Allow
              Resource:
                - !GetAtt CodeCommitRepo.Arn #CodeCommit Repo
                - !GetAtt CrossDeploymentRole.Arn
              Action: ["iam:PassRole"]
            # Statement: [Allow ToolChainRole to perform CloudTrail and CloudWatch Logs actions.]
            - Effect: Allow
              Resource: "*"
              Action:
                - cloudtrail:CreateTrail
                - cloudtrail:StartLogging
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:DescribeLogGroups
                - logs:PutLogEvents
                - ecr:GetAuthorizationToken # Add
```
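The placement of the added action matters: `ecr:GetAuthorizationToken` has no resource-level permissions, so IAM evaluates it against resource `*`, and an `Allow` that lists specific ARNs (such as the first statement's `Action: "*"` block) does not grant it. The following added example is not code from this thread; it is a deliberately simplified IAM evaluator (explicit Deny wins, then any matching Allow, otherwise implicit deny; conditions, `NotAction`/`NotResource`, and resource-based or cross-account policies are ignored) run against a hand-transcribed copy of the answer's `ToolChainWorkerPolicy`, with constructed placeholder values in place of the `!Sub`/`!GetAtt` intrinsics.

```python
"""Simplified IAM policy evaluator for sanity-checking ToolChainWorkerPolicy.

Added example, not code from the re:Post thread. Account id, region, app id
and role names below are constructed placeholders, not values from the thread.
"""
import copy
import fnmatch

ACCOUNT = "111111111111"   # placeholder tooling account id
REGION = "us-east-1"       # placeholder region
APP_ID = "myapp"           # placeholder for the ${AppID} parameter

# Hand-transcribed, simplified copy of the answer's policy statements.
TOOLCHAIN_WORKER_POLICY = {
    "Statement": [
        {   # Broad actions, but only on the pipeline's own resources.
            "Effect": "Allow",
            "Action": ["*"],
            "Resource": [
                f"arn:aws:cloudformation:{REGION}:{ACCOUNT}:stack/{APP_ID}/*",
                f"arn:aws:codebuild:{REGION}:{ACCOUNT}:project/{APP_ID}*",
                f"arn:aws:s3:::{APP_ID}-pipeline-artifacts",
                f"arn:aws:s3:::{APP_ID}-pipeline-artifacts/*",
            ],
        },
        {
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": [f"arn:aws:iam::{ACCOUNT}:role/CrossDeploymentRole"],
        },
        {
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": [f"arn:aws:iam::{ACCOUNT}:role/CrossDeploymentRole"],
        },
        {   # Actions without resource-level permissions must be granted on "*".
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "cloudtrail:CreateTrail",
                "cloudtrail:StartLogging",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:PutLogEvents",
                "ecr:GetAuthorizationToken",  # the line the answer adds
            ],
        },
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(patterns, value, case_insensitive=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    for pattern in _as_list(patterns):
        p, v = (pattern.lower(), value.lower()) if case_insensitive else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def is_allowed(policy, action, resource):
    """Explicit Deny beats Allow; no matching Allow means implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are matched as written.
        if not _match(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _match(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_ecr_login(policy):
    """GetAuthorizationToken carries no resource, so it is evaluated against '*'."""
    return is_allowed(policy, "ecr:GetAuthorizationToken", "*")


def without_ecr_token(policy):
    """Copy of the policy with the added line removed, to show the 'before' state."""
    stripped = copy.deepcopy(policy)
    for stmt in stripped["Statement"]:
        stmt["Action"] = [a for a in _as_list(stmt["Action"]) if a != "ecr:GetAuthorizationToken"]
    return stripped


def with_explicit_deny(policy, action):
    """Copy of the policy plus a Deny on the action, to show Deny precedence."""
    denied = copy.deepcopy(policy)
    denied["Statement"].append({"Effect": "Deny", "Action": [action], "Resource": "*"})
    return denied


if __name__ == "__main__":
    print("with the added line:   ", check_ecr_login(TOOLCHAIN_WORKER_POLICY))
    print("without the added line:", check_ecr_login(without_ecr_token(TOOLCHAIN_WORKER_POLICY)))
    print("with an explicit Deny: ", check_ecr_login(with_explicit_deny(TOOLCHAIN_WORKER_POLICY, "ecr:GetAuthorizationToken")))
```

Running it shows that without the added line the request is denied even though the first statement allows `Action: "*"`, because that statement's resources never match `*`; it also shows that an explicit `Deny` anywhere in the effective policy set (for example from an SCP or a permissions boundary) overrides the new `Allow`, which is worth ruling out when the error persists after the edit.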
Hello Riku,
I have already added ecr:GetAuthorizationToken and ecr:* to my DeploymentRole (which exists in every account in my multi-account deployment), which CrossDeploymentRole assumes and which ToolingRole assumes.
I would really appreciate your help in solving this. Thanks.
Understood. It means that you are trying to access the ECR of another account from CodeBuild. I think the error is probably because the IAM role was not switched when executing "get-login-password". Please select the profile when executing "get-login-password" in buildspec.yml. Please also upload a file called "aws-config" to your Git repository along with buildspec.yml. I think you can change the IAM role by using the "aws-config" file and switching the profile when executing the "get-login-password" command.
buildspec.yml
aws-config
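One way to lay out the two files the comment above describes, as an added example that is not from this thread or from AWS documentation: a committed `aws-config` file defines a named profile that assumes the target role, and `buildspec.yml` points the CLI at that file and passes `--profile` to `get-login-password`. The profile name `deploy`, the `DeploymentRole` name, and the `<...>` account ids are placeholders; it also assumes that `credential_source = EcsContainer` is what lets the CLI pick up the CodeBuild project's own credentials to perform the `sts:AssumeRole` call, and that the target role's trust policy lists the CodeBuild service role as a principal (otherwise the assume-role step, not the ECR call, is what fails).

```yaml
# aws-config (committed next to buildspec.yml; placeholder values):
#
#   [profile deploy]
#   role_arn = arn:aws:iam::<ACCOUNT_THAT_OWNS_THE_ECR_REGISTRY>:role/DeploymentRole
#   credential_source = EcsContainer
#
# buildspec.yml
version: 0.2
phases:
  pre_build:
    commands:
      # Make every subsequent CLI call in this phase read profiles from the committed file.
      - export AWS_CONFIG_FILE="$CODEBUILD_SRC_DIR/aws-config"
      # Prove the role switch worked before touching ECR; the Arn shown must be DeploymentRole.
      - aws sts get-caller-identity --profile deploy
      # The same command as before, now executed as the switched role.
      - aws ecr get-login-password --profile deploy --region "$AWS_DEFAULT_REGION"
        | docker login --username AWS --password-stdin
        "<ACCOUNT_THAT_OWNS_THE_ECR_REGISTRY>.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com"
```

The `get-caller-identity` step is the useful check: if it still reports the CodeBuild service role, the profile was not applied and the AccessDeniedException on GetAuthorizationToken is being raised for that role, not for DeploymentRole.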
The ECR is in my Tooling account, which contains the CodeBuild and CodePipeline, while my Staging and Production accounts will contain the ECS, Fargate and Lambda.
But the DeploymentRole is the same in all three accounts, which is why the CrossDeploymentRole assumes all three roles in the three different accounts,
while the ToolingRole only assumes the CrossDeploymentRole (which in turn assumes the DeploymentRole, which has ecr:* permission in all three accounts).
Please help, thanks.
What ECR is CodeBuild trying to access? I think the error is probably occurring when executing the "get-login-password" command in buildspec.yml, but at this time, I am assuming access to the ECR in which AWS account?
You are assuming access to ECR in the Tooling account (which contains the CodeBuild and CodePipeline).
This is the code used to get the ECR_LOGIN_PASSWORD in CodeBuild which gives the error (An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation):