Open aoyama-val opened 2 weeks ago
@aoyama-val can you check that the role stored in AWS_IAM_ROLE_ARN has permissions to push to that ECR repo?
If you have permissions, but it is still not working, can you list the permissions associated with that role?
The role has these permissions at least:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ecr:BatchCheckLayerAvailability",
      "Resource": [
        "arn:aws:ecr:*****"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ecr:CompleteLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:BatchGetImage"
      ],
      "Resource": [
        "arn:aws:ecr:*****"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
```
The config was working fine with aws-ecr@8.2.1 + aws-cli@3.1.4, however I faced the issue when I tried to upgrade the orbs.
Thanks.
I added an Allow All permission to the role, but the push still failed with the same error.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
Also I changed the auth method from OIDC to access key/secret, and it worked fine. So I guess something about OIDC is wrong.
@aoyama-val what is the definition for the role that you are using for OIDC? Pay special attention to the Condition section.
Carefully checked it but everything seemed correct. Also tried deleting the whole Condition, but nothing changed.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::XXXXXXXXXXXX:oidc-provider/oidc.circleci.com/org/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
```
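The two policy documents in this thread (the ECR permissions policy and the OIDC trust policy) are the kind of thing worth linting before a push job is debugged further. The script below is an added example, not code from the orb or from anyone in the thread: it checks that a permissions policy grants the push action set posted above (wildcards such as `*` or `ecr:*` count), and it flags a trust policy whose Federated principal can call `sts:AssumeRoleWithWebIdentity` with no Condition keyed on the provider's `aud`/`sub` claims, which means any token that provider issues for the org can assume the role. The account ID, org ID, project ID and repository ARN in the sample documents are placeholders I constructed, and the `sub` claim layout used in the Condition is an assumption about CircleCI's token format. It is a defender's lint for the trust policy, not a diagnosis of this issue, where the push also failed after the Condition was removed.

```python
"""Lint an ECR push role: permissions policy coverage and OIDC trust policy scope.

Added example; all policy documents here are constructed with placeholder IDs.
"""
import json

# Action set the thread's first permissions policy grants for an ECR push.
ECR_PUSH_ACTIONS = frozenset({
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload",
    "ecr:PutImage", "ecr:BatchGetImage",
})

# Constructed sample documents (placeholder account, org and project IDs).
OIDC_PROVIDER = ("arn:aws:iam::111122223333:oidc-provider/"
                 "oidc.circleci.com/org/ORG-ID-PLACEHOLDER")
REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/app"
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:BatchCheckLayerAvailability",
     "Resource": [REPO_ARN]},
    {"Effect": "Allow", "Action": ["ecr:CompleteLayerUpload", "ecr:UploadLayerPart",
     "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:BatchGetImage"],
     "Resource": [REPO_ARN]},
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
]}
ALLOW_ALL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
TRUST_POLICY_NO_CONDITION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Federated": OIDC_PROVIDER},
     "Action": "sts:AssumeRoleWithWebIdentity"}]}
# Same trust policy, scoped to one org (aud) and one project (sub); the sub
# claim layout "org/<org>/project/<project>/..." is an assumption, not from the thread.
TRUST_POLICY_WITH_CONDITION = json.loads(json.dumps(TRUST_POLICY_NO_CONDITION))
TRUST_POLICY_WITH_CONDITION["Statement"][0]["Condition"] = {
    "StringEquals": {"oidc.circleci.com/org/ORG-ID-PLACEHOLDER:aud": "ORG-ID-PLACEHOLDER"},
    "StringLike": {"oidc.circleci.com/org/ORG-ID-PLACEHOLDER:sub":
                   "org/ORG-ID-PLACEHOLDER/project/PROJECT-ID-PLACEHOLDER/*"},
}


def _as_list(value):
    """IAM allows a single string where a list is also accepted."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Case-insensitive IAM action match with a trailing-'*' wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def missing_push_actions(policy, required=ECR_PUSH_ACTIONS):
    """Return the required ECR actions that no Allow statement grants."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            allowed.update(a for a in required if _action_matches(pattern, a))
    return sorted(required - allowed)


def trust_policy_findings(trust_policy):
    """Flag web-identity statements with no Condition on the provider's claims."""
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Federated" not in principal:
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        # Condition keys for an OIDC provider are "<provider host path>:<claim>".
        cond_keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        for provider in _as_list(principal["Federated"]):
            host = provider.split("oidc-provider/", 1)[-1]
            if not any(k.startswith(host + ":") for k in cond_keys):
                findings.append(f"{provider}: no Condition on {host}:aud or {host}:sub")
    return findings


if __name__ == "__main__":
    print("missing push actions:", missing_push_actions(PERMISSIONS_POLICY))
    print("trust findings (no Condition):", trust_policy_findings(TRUST_POLICY_NO_CONDITION))
    print("trust findings (scoped):", trust_policy_findings(TRUST_POLICY_WITH_CONDITION))
```

Run it against the role's actual documents by replacing the constructed dictionaries with the output of `aws iam get-role` and `aws iam get-role-policy` / `get-policy-version`. Note that the Allow All policy passes the permissions check, which matches what the thread found: widening permissions did not change the outcome, so the permissions side is not where to keep looking.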
Orb version: 9.1.0
What happened:
Expected behavior: Push succeeds.