Closed es1o closed 1 year ago
we will need some code to be able to troubleshoot and reproduce what you are claiming
Ok, my inputs to module (I'm using terragrunt)
```hcl
inputs = {
  repository_name         = "repo"
  create_lifecycle_policy = false
  repository_read_write_access_arns = [
    dependency.ecr-write-role.outputs.ecr_write_role_arn, # write role for github actions
  ]
  repository_read_access_arns = [
    "arn:aws:iam::dsadssdasda:role/eks-node-group-1",
    "arn:aws:iam::dsadsadsadsas:role/eks-cluster2",
  ]
}
```
`dependency.ecr-write-role.outputs.ecr_write_role_arn` is an ARN for a role. I don't have any permission attached to the role. In this case I don't have access to ECR. For access I need to configure permissions in the `dependency.ecr-write-role.outputs.ecr_write_role_arn` role.
you can use the example(s) provided by the project to create a reproduction that is deployable https://github.com/terraform-aws-modules/terraform-aws-ecr/blob/master/examples/complete/main.tf
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
This issue was automatically closed because of stale in 10 days
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
When I create a repository and add a role to `repository_read_write_access_arns`, that role doesn't have access to the repository. I need to create a role policy to add access to the repository. Looks like the ECR policy is omitted. Also, when I create an IAM role for access to the repo, it looks like the ECR policy doesn't restrict access. I think a default DENY policy is missing, or I'm doing something wrong.
Versions
Module version [Required]:
Terraform version: 1.5.1
Provider version(s):
Reproduction Code [Required]
Steps to reproduce the behavior:
Create a repository and add the role ARN to `repository_read_write_access_arns`. The role doesn't have any configured policy other than stsAssumeRole. Permission denied when accessing the registry.
Expected behavior
Access to the registry for roles provided to `repository_read_write_access_arns`.
Actual behavior
Permission denied for role.
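Added example, not part of the original issue or the module's code: a simplified model of same-account IAM evaluation for ECR, showing that a repository policy can allow repository actions but cannot grant `ecr:GetAuthorizationToken` (a registry-level action evaluated against `*`), and that an allow-only repository policy does not restrict roles whose identity policy already allows ECR. The ARNs, the policy shapes and the `decide`/`report` helpers are constructed for illustration, and whether this explains the report above is an assumption.

```python
# Simplified same-account IAM evaluation for ECR. All ARNs and policies are constructed.
from fnmatch import fnmatchcase

REPO = "arn:aws:ecr:eu-west-1:111122223333:repository/repo"
WRITER = "arn:aws:iam::111122223333:role/ecr-write"  # listed in the repository policy
OTHER = "arn:aws:iam::111122223333:role/other"       # not listed in the repository policy

PUSH = ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"]
# Assumed shape of a repository policy that allows one role to push.
REPO_POLICY = [{"Effect": "Allow", "Principal": WRITER, "Action": PUSH}]
# Same policy plus the explicit Deny needed to keep OTHER out.
REPO_POLICY_DENY = REPO_POLICY + [{"Effect": "Deny", "Principal": OTHER, "Action": ["ecr:*"]}]

# Identity policies (attached to the role itself).
TOKEN_ONLY = [{"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": ["*"]}]
ECR_ADMIN = [{"Effect": "Allow", "Action": ["ecr:*"], "Resource": ["*"]}]


def _match(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)


def decide(principal, action, resource, identity_policy, repo_policy):
    """Explicit Deny wins; otherwise an Allow from either policy is enough."""
    effects = [s["Effect"] for s in identity_policy
               if _match(s["Action"], action) and _match(s["Resource"], resource)]
    # The repository policy only applies to requests that target the repository.
    if resource == REPO:
        effects += [s["Effect"] for s in repo_policy
                    if s["Principal"] == principal and _match(s["Action"], action)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def report():
    return {
        # Role with no identity policy: repository actions pass, the login token does not.
        "writer_push": decide(WRITER, "ecr:PutImage", REPO, [], REPO_POLICY),
        "writer_login": decide(WRITER, "ecr:GetAuthorizationToken", "*", [], REPO_POLICY),
        "writer_login_fixed": decide(WRITER, "ecr:GetAuthorizationToken", "*", TOKEN_ONLY, REPO_POLICY),
        # Unlisted role with broad identity permissions: an allow-only repository policy does not stop it.
        "other_pull": decide(OTHER, "ecr:BatchGetImage", REPO, ECR_ADMIN, REPO_POLICY),
        "other_pull_denied": decide(OTHER, "ecr:BatchGetImage", REPO, ECR_ADMIN, REPO_POLICY_DENY),
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}: {result}")
```

The model ignores permission boundaries, session policies, SCPs and cross-account access, all of which can further narrow the result.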