Version checker is deployed on EKS with IAM role attached to service account with read only access to ECR.
Getting AccessDeniedException for image 602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/aws-ebs-csi-driver
As per document https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html Read only access to ecr is already given.
time="2024-03-20T09:55:03Z" level=error msg="error syncing 'ebs-csi-node-dvwxj/kube-system': failed to sync pod ebs-csi-node-dvwxj/kube-system:
failed to check container image \"ebs-plugin\": failed to get tags from remote registry for \"602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/aws-ebs-csi-driver\":
failed to describe images: AccessDeniedException: User: arn:aws:sts::xxxxxxx:assumed-role/version-checker-role/1710928471956841718 is not authorized
to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/aws-ebs-csi-driver because no resource-based policy allows
the ecr:DescribeImages action\n\tstatus code: 400, request id: 4698a080-c6ec-4869-b17e-d67b0aaedfc4,failed to check container image \"node-driver-registrar\":
failed to get tags from remote registry for \"602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/csi-node-driver-registrar\": failed to describe images:
AccessDeniedException: User: arn:aws:sts::xxxxxxxx:assumed-role/version-checker-role/1710928471956841718 is not authorized to perform: ecr:DescribeImages
on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/csi-node-driver-registrar because no resource-based policy allows the ecr:DescribeImages
action\n\tstatus code: 400, request id: d619d42a-360e-4e44-b027-d64ddc84db43,failed to check container image \"liveness-probe\": failed to get tags from remote
registry for \"602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/livenessprobe\": failed to describe images: AccessDeniedException: User: arn:aws:sts::xxxxxxx:assumed-role/version-checker-role/1710928471956841718
is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/livenessprobe because no resource-based policy allows the ecr:DescribeImages action\n\tstatus code:
400, request id: 090fc9fb-4b95-40ec-9d2a-bd31323beb52, requeuing" module=controller
Version checker is deployed on EKS with IAM role attached to service account with read only access to ECR. Getting AccessDeniedException for image 602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/aws-ebs-csi-driver As per document https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html Read only access to ecr is already given.