I am trying to push a docker image to ECR from my Mac. I added the identity to aws-vault, but using aws-vault failed to obtain the password. My peer has the same privileges and he can log in to ECR without problem.
.aws % aws-vault list
Profile Credentials Sessions
======= =========== ========
identity identity -
.aws % ENCRYPTED_PASSWORD=$(aws-vault exec identity -- aws ecr get-login-password --region us-west-2)
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::97xxxxxxxxxx:user/xxxxx.xxxxxx#xxxxxxxxx.com is not authorized to perform: ecr:GetAuthorizationToken on resource: * with an explicit deny in an identity-based policy
We are using the same role. I intend to execute the following line once ENCRYPTED_PASSWORD is obtained--
aws-vault exec identity -- aws ecr get-login-password --region us-west-2 | docker login -u AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/my-ecr
My .aws/config has this line; refer to the above.
[profile identity]
Since my teammate has the same policy/permission, I don't see "GetAuthorizationToken" as an issue. What else? I'm trying to find a way to push my docker images from Mac to the ECR.
Completely redid the config and linked all roles to identity.
[profile xx-xxxx-services-monitoring]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/XXMonitoring
source_profile=identity
parent_profile=mfa
[profile identity]
Now it is the token issue: I entered the code from the MFA Authenticator but it failed.
.aws % aws-vault exec xx-xxxx-main-admin -- aws ecr get-login --region us-west-2
Warning: parent_profile is deprecated, please use include_profile instead in your AWS config
Enter token for arn:aws:iam::xxxxxxxxxxxx:mfa/xxxxxx.xxxx#xxxxxx.com: **125492**
aws-vault: error: exec: Failed to get credentials for xx-xxxx-main-admin: AccessDenied: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user.
status code: 403, request id: 25808115-d9fa-480d-87d4-xxxxxxxxxxxxx
Doesn't look like the token from the Authenticator MFA is valid.
The first aws-vault "GetAuthorizationToken" error was caused by an unhealthy, ill-formatted ~/.aws/config file. Roles must be specified with the following format:
[profile xx-xxxx-services-monitoring]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/XXMonitoring
source_profile=identity
parent_profile=mfa
[profile identity]
The second part is the MFA issue. The MFA serial number must match what you configured in your authenticator (Duo, Authy, Google Authenticator, ...). Your ~/.aws/config should have this section:
[profile mfa]
mfa_serial=arn:aws:iam::xxxxxxxxxxxx:mfa/xxxxx.xxxx#xxxxx.com
The UI path works for me. So let me walk you through this first.
log in with SSO URL
Choose the account from SSO and AWS Console opens
Assume another role
Open s3 and it works
Now I tried to do the same thing with CLI
log in with SSO
Copy access_key, secret_key, session_token from SSO page
Run export for access_key, secret_key, session_token in CLI
Run aws s3 ls to test but didn't work (no problem)
Run aws sts assume-role but didn't work
$ aws sts assume-role --role-arn "arn:aws:iam::123456789:role/SomeRole" --role-session-name AWSCLI-Session --region ap-southeast-2
=> An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789:assumed-role/AWSReservedSSO_some_role_assume_all_123abc/myid#some.domain is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/SomeRole
I have found the answer. For the second part of my question, steps 1 and 2 are wrong.
First you need to run
aws configure sso
This will run some magic and set up a profile under ~/.aws/config
Then you need to run aws sts assume-role with the --profile flag, whose value is the newly created profile.
Then it will work.
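The two config-file answers above (the aws-vault one about a role profile needing source_profile and a correctly spelled parent/include key, and the SSO one about letting "aws configure sso" write the profile and then assuming a role through it) both come down to the shape of ~/.aws/config. The script below is an added example, not code from either answer: it writes a constructed sample config that reproduces the broken "monitoring" stanza from the question next to an SSO login profile and a role profile chained from it with source_profile, and lints the file for the two mistakes discussed. Profile names, ARNs, the SSO start URL and the allowlist of known keys are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from either answer above: lint an ~/.aws/config for a
# role profile with no source_profile and for misspelled keys such as
# "sparent_profile", and show how an SSO profile and a role profile chained
# from it are laid out. Names, ARNs and the SSO URL are made up.
set -eu

# Write a constructed sample config to the path in $1. The "monitoring"
# stanza reproduces the broken shape from the question on purpose.
write_sample_config() {
  cat > "$1" <<'EOF'
[profile identity]

[profile mfa]
mfa_serial=arn:aws:iam::123456789012:mfa/jane.doe

[profile monitoring]
role_arn=arn:aws:iam::123456789012:role/XXMonitoring
sparent_profile=mfa

# SSO login profile, as written by "aws configure sso"
[profile sso-dev]
sso_start_url=https://example.awsapps.com/start
sso_region=ap-southeast-2
sso_account_id=123456789012
sso_role_name=AdministratorAccess
region=ap-southeast-2

# Role reached from the SSO session: "aws s3 ls --profile some-role" assumes it
[profile some-role]
role_arn=arn:aws:iam::123456789012:role/SomeRole
source_profile=sso-dev
EOF
}

# Print one finding per line; prints nothing for a clean file. The key
# allowlist is a subset of what the AWS CLI and aws-vault accept, chosen
# for this example; extend it for keys your own config uses.
lint_aws_config() {
  awk '
    function flush() {
      if (name != "" && has_role && !has_source)
        print name ": role_arn set but no source_profile/include_profile/credential_source"
    }
    /^[[:space:]]*\[/ {
      flush()
      name = $0
      sub(/^[[:space:]]*\[[[:space:]]*/, "", name)
      sub(/^profile[[:space:]]+/, "", name)
      sub(/[[:space:]]*].*$/, "", name)
      has_role = 0; has_source = 0
      next
    }
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
    /=/ {
      key = $0
      sub(/[[:space:]]*=.*$/, "", key)
      sub(/^[[:space:]]*/, "", key)
      if (key == "role_arn") has_role = 1
      if (key == "source_profile" || key == "include_profile" || key == "credential_source") has_source = 1
      if (key == "parent_profile")
        print name ": parent_profile is deprecated in aws-vault, use include_profile"
      else if (key !~ /^(region|output|mfa_serial|role_arn|source_profile|include_profile|credential_source|role_session_name|duration_seconds|external_id|credential_process|sso_start_url|sso_region|sso_account_id|sso_role_name)$/)
        print name ": unknown key \"" key "\""
    }
    END { flush() }
  ' "$1"
}

# Demo: lint the constructed sample; two findings are expected for "monitoring".
demo() {
  cfg=$(mktemp)
  write_sample_config "$cfg"
  lint_aws_config "$cfg"
  rm -f "$cfg"
}
demo
```

Run `lint_aws_config ~/.aws/config` against your real file; an unknown key is the fastest way to spot a typo that aws-vault silently ignores, which is what turns a role profile into a plain one and produces the identity-based AccessDenied seen in the first question.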
I have a docker image in AWS ECR which is in my secondary account. I want to pull that image to the Minikube Kubernetes cluster using AWS IAM Role ARN where MFA is enabled on it. Due to this, my deployment failed while pulling the Image.
I enabled the registry-creds addon to access ECR Image but didn't work out.
May I know any other way to access AWS ECR of AWS Account B via AWS IAM Role ARN with MFA enabled using the credential of the AWS Account A?
For example, I provided details like this
Enter AWS Access Key ID: Access key of Account A
Enter AWS Secret Access Key: Secret key of Account A
(Optional) Enter AWS Session Token:
Enter AWS Region: us-west-2
Enter 12 digit AWS Account ID (Comma separated list): [AccountA, AccountB]
(Optional) Enter ARN of AWS role to assume: <role_arn of AccountB>
ERROR MESSAGE:
Warning Failed 2s (x3 over 42s) kubelet Failed to pull image "XXXXXXX.dkr.ecr.ca-central-1.amazonaws.com/sample-dev:latest": rpc error: code = Unknown desc = Error response from daemon: Head "https://XXXXXXX.dkr.ecr.ca-central-1.amazonaws.com/v2/sample-dev/manifests/latest": no basic auth credentials
Warning Failed 2s (x3 over 42s) kubelet Error: ErrImagePull
While the minikube addons based solution shown by @DavidMaze is probably cleaner and generally preferable, I wasn't able to get it to work.
Instead, I found out it is possible to give the service account of the pod a copy of the docker login tokens in the local home. If you haven't set a serviceaccount, it's default:
# Log in with aws ecr get-login or however
kubectl create secret generic regcred \
--from-file=.dockerconfigjson=$HOME/.docker/config.json \
--type=kubernetes.io/dockerconfigjson
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred"}]}'
This will work fine in a bind.
Minikube doesn't have a way to provide the MFA token. You need to create temporary credentials somehow and provide those credentials to minikube addons configure registry-creds.
My day job uses aws-vault and so my typical sequence for setting this up involves running
aws-vault exec some-profile -- env | grep AWS
minikube addons configure registry-creds
and then copying the temporary access key (starts with ASIA...), secret, and session token into the Minikube configuration. I do not enter a role ARN in the final prompt; the temporary credentials are already associated with the right AWS role.
The same restrictions and workaround would apply if you were using the Kubernetes-level imagePullSecrets.
I'm trying to push a Docker image from Dockerfile built to AWS ECR but when run this command:
$ aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 477629773586.dkr.ecr.eu-west-1.amazonaws.com
appears the error:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::477629773586:user/albertosanmartin is not authorized to perform: ecr:GetAuthorizationToken on resource: *
Error: Cannot perform an interactive login from a non TTY device
I have installed and configured those files:
~/.aws/config:
[default]
...
[mrthink]
region = eu-west-1
output = json
~/.aws/credentials
[default]
...
[mrthink]
aws_access_key_id = ****
aws_secret_access_key = ****
It seems the command/API picks up another user, "albertosanmartin".
Anybody could help me please ?
Thanks in advance.
If you have your credentials configured under the mrthink profile name in ~/.aws/credentials, you need to pass the --profile param to the aws cli:
$ aws --profile mrthink ecr get-login-password \
--region eu-west-1 |\
docker login --username AWS \
--password-stdin 477629773586.dkr.ecr.eu-west-1.amazonaws.com
The user arn:aws:iam::477629773586:user/albertosanmartin doesn't have access to ECR.
You can double-check your credentials via an sts get-caller-identity call to confirm they are the ones you want to use.
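The get-caller-identity check from the answer above, wrapped into a login helper. This is an added example, not the answer's own code: it pulls the account id and region out of the registry hostname, pulls the account and ARN out of the caller-identity JSON, and refuses to run docker login when the profile resolves to a different account than the registry, which is the symptom in the question (the wrong user being picked up). The sample identity document and the registry names are constructed for the example; a cross-account pull is legitimate, so drop the same_account guard if that is what you intend.

```shell
#!/usr/bin/env bash
# Added example, not from the answer above: confirm which identity a profile
# resolves to, and that it belongs to the registry's account, before logging
# in to ECR. Registry names, ids and the sample JSON are constructed.
set -eu

# 12-digit account id embedded in an ECR registry hostname (also .com.cn).
registry_account() {
  printf '%s\n' "$1" | sed -nE 's/^([0-9]{12})\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$/\1/p'
}

# Region embedded in the same hostname.
registry_region() {
  printf '%s\n' "$1" | sed -nE 's/^[0-9]{12}\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com(\.cn)?$/\1/p'
}

# "Account" field of an "aws sts get-caller-identity" JSON document (no jq needed).
identity_account() {
  printf '%s' "$1" | tr -d '\n' | sed -nE 's/.*"Account"[[:space:]]*:[[:space:]]*"([0-9]{12})".*/\1/p'
}

# "Arn" field of the same document.
identity_arn() {
  printf '%s' "$1" | tr -d '\n' | sed -nE 's/.*"Arn"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/p'
}

# 0 when the caller's account matches the registry's account, 1 otherwise
# (including when $1 is not an ECR hostname at all).
same_account() {
  [ -n "$(registry_account "$1")" ] && [ "$(registry_account "$1")" = "$(identity_account "$2")" ]
}

# Log in to an ECR registry with an explicit profile, stopping if the
# credentials resolve to an account other than the registry's.
ecr_login() {
  profile=$1; registry=$2
  identity=$(aws --profile "$profile" sts get-caller-identity --output json)
  echo "using $(identity_arn "$identity")" >&2
  if ! same_account "$registry" "$identity"; then
    echo "profile $profile is in account $(identity_account "$identity"), registry is in $(registry_account "$registry")" >&2
    return 1
  fi
  aws --profile "$profile" ecr get-login-password --region "$(registry_region "$registry")" \
    | docker login --username AWS --password-stdin "$registry"
}

# Constructed caller-identity document, shaped like the one for the user in
# the question (UserId is a placeholder).
SAMPLE_IDENTITY='{
    "UserId": "AIDAEXAMPLE",
    "Account": "477629773586",
    "Arn": "arn:aws:iam::477629773586:user/albertosanmartin"
}'
```

Usage: `ecr_login mrthink 477629773586.dkr.ecr.eu-west-1.amazonaws.com`. The ARN it echoes first is the same one that appears in the AccessDeniedException, so if it is not the user you expect, the profile or the credentials file is wrong before any ECR permission comes into play.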
I am authenticating via the following
First I authenticate into AWS via the following
aws ecr get-login-password --region cn-north-1 | docker login --username AWS --password-stdin xxxxxxxxxx.dkr.ecr.cn-north-1.amazonaws.com.cn
Then I created the regcred file that I reference in my deployment config
kubectl create secret generic regcred --from-file=.dockerconfigjson=/home/noobskie/.docker/config.json --type=kubernetes.io/dockerconfigjson
So this was working fine the first 12 hours but now that the AWS token has expired I am having trouble figuring out how to properly refresh it. I have rerun the first command but it doesn't work.
the error I get is
Error response from daemon: pull access denied for xxxxxxxxxxx.dkr.ecr.cn-north-1.amazonaws.com.cn/baopals, repository does not exist or may require 'docker login': denied: Your authorization token has expired. Reauthenticate and try again.
EDIT
I have just discovered that I can just reconfigure with the following command but I am curious if this is the correct way to handle it and if there are any other AWS ways offered.
kubectl create secret generic regcred --from-file=.dockerconfigjson=/home/noobskie/.docker/config.json --type=kubernetes.io/dockerconfigjson --dry-run=client -o yaml | kubectl apply -f -
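Both the minikube thread above (copying ~/.docker/config.json into a regcred secret and patching the service account, with temporary credentials obtained through aws-vault) and this question's refresh problem come down to the same thing: the ECR password is valid for 12 hours, so the pull secret has to be rebuilt and re-applied on a schedule. The script below is an added example and not code from either post. It builds the .dockerconfigjson document directly from the password (so nothing depends on the contents of a personal ~/.docker/config.json), applies it through a client-side dry run plus kubectl apply so repeated runs update rather than fail, and attaches it to the service account. The profile, registry, secret and namespace names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the posts above: build the .dockerconfigjson
# document Kubernetes expects from the short-lived ECR password and re-apply
# the pull secret idempotently, so the same script can run from cron or a
# pre-deploy step whenever the 12-hour token expires. Names are placeholders.
set -eu

# Docker stores each registry entry as "auth": base64("username:password").
build_dockerconfig() {
  registry=$1; user=$2; password=$3
  auth=$(printf '%s:%s' "$user" "$password" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth"
}

# Inverse of the above for a single-registry document: prints "username:password".
decode_dockerconfig() {
  printf '%s' "$1" | sed -nE 's/.*"auth":"([^"]+)".*/\1/p' | base64 -d
}

# Read the JSON document from stdin and create or update the secret. The
# temp file is created 0600 by mktemp and removed afterwards.
apply_pull_secret() {
  name=$1; namespace=$2
  tmp=$(mktemp)
  cat > "$tmp"
  kubectl create secret generic "$name" --namespace "$namespace" \
    --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson="$tmp" \
    --dry-run=client -o yaml | kubectl apply -f -
  rm -f "$tmp"
}

# Full refresh: fresh ECR password for one registry (through aws-vault so MFA
# and role assumption happen there), new secret, service account pointed at it.
refresh_ecr_pull_secret() {
  profile=$1; registry=$2; region=$3
  name=${4:-regcred}; namespace=${5:-default}; sa=${6:-default}
  password=$(aws-vault exec "$profile" -- aws ecr get-login-password --region "$region")
  build_dockerconfig "$registry" AWS "$password" | apply_pull_secret "$name" "$namespace"
  kubectl patch serviceaccount "$sa" --namespace "$namespace" \
    -p "{\"imagePullSecrets\": [{\"name\": \"$name\"}]}"
}
```

Usage: `refresh_ecr_pull_secret some-profile 123456789012.dkr.ecr.cn-north-1.amazonaws.com.cn cn-north-1`, repeated before the token's 12 hours are up. The secret update is enough on its own; the service-account patch is idempotent and only matters the first time.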
Use the following command to generate a token if aws-cli and aws-iam-authenticator are installed and configured:
aws-iam-authenticator token -i <cluster-name>
I have Jenkins setup for deploying my docker images to a Amazon ECR repository.
I have enabled 2FA in my AWS account for the IAM user. I have attached all admin polices to my IAM User. I am following the below command to push my docker image source to Amazon ECR repository.
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
Ref Link : https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
Jenkins Code:
# long-term IAM user keys for the job
export AWS_ACCESS_KEY_ID=AKIAJ6CAU****
export AWS_SECRET_ACCESS_KEY=TRXaGmEHN5******
export AWS_DEFAULT_REGION=eu-west-2
# AWS CLI v1: get-login prints a "docker login ..." command, which is then executed
$(aws ecr get-login --no-include-email --region eu-west-2)
docker tag add-product:latest 06423123213.dkr.ecr.eu-west-2.amazonaws.com/add-product:$BUILD_NUMBER
docker push 06423123213.dkr.ecr.eu-west-2.amazonaws.com/add-product:$BUILD_NUMBER
I am facing this issue when I deploy to Amazon ECR:
"An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials"
"An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code"
Ref Link :
AWS ECR GetAuthorizationToken
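The get-session-token step from the question, with guards for the two quoted failures. This is an added example, not the poster's Jenkins code: GetSessionToken has to be called with the user's long-term keys (access key ids starting with AKIA) and with no AWS_SESSION_TOKEN in the environment, otherwise STS answers "Cannot call GetSessionToken with session credentials"; and --serial-number has to be the ARN of the virtual MFA device rather than its display name, otherwise the MFA code cannot be validated. The key ids and device ARN below are placeholders, and the exported session is what the later docker login, tag and push steps should run under.

```shell
#!/usr/bin/env bash
# Added example, not from the question above: obtain an MFA-backed session
# for a CI job and guard against the two failures quoted. Key ids and the
# MFA device ARN are placeholders.
set -eu

# Classify an access key id by prefix: AKIA = long-term IAM user key,
# ASIA = temporary (STS) key.
key_kind() {
  case $1 in
    AKIA*) echo long-term ;;
    ASIA*) echo temporary ;;
    *)     echo unknown ;;
  esac
}

# Virtual MFA device ARN: arn:aws:iam::<12 digits>:mfa/<name> (aws-cn partition too).
is_mfa_serial() {
  printf '%s\n' "$1" | grep -Eq '^arn:aws(-cn)?:iam::[0-9]{12}:mfa/[^ ]+$'
}

# 0 if the current environment is allowed to call GetSessionToken at all.
can_get_session_token() {
  [ -z "${AWS_SESSION_TOKEN:-}" ] || { echo "AWS_SESSION_TOKEN is set: already using session credentials" >&2; return 1; }
  [ "$(key_kind "${AWS_ACCESS_KEY_ID:-}")" = long-term ] || { echo "AWS_ACCESS_KEY_ID is not a long-term key" >&2; return 1; }
}

# Exchange long-term keys plus a TOTP code for session credentials and export
# them for the rest of the job (docker login, tag, push).
mfa_session() {
  serial=$1; code=$2; duration=${3:-3600}
  is_mfa_serial "$serial" || { echo "not an MFA device ARN: $serial" >&2; return 1; }
  can_get_session_token || return 1
  # --output text prints the three values tab-separated on one line
  set -- $(aws sts get-session-token --serial-number "$serial" --token-code "$code" \
             --duration-seconds "$duration" \
             --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  export AWS_ACCESS_KEY_ID=$1 AWS_SECRET_ACCESS_KEY=$2 AWS_SESSION_TOKEN=$3
}
```

Usage in the job: `mfa_session arn:aws:iam::123456789012:mfa/jenkins 123456` before the docker commands. Note that a TOTP code has to be entered at run time, so this only suits a job that is triggered interactively; an unattended pipeline needs an IAM policy that does not require MFA for that principal, or a role the job can assume without it.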
Anyway, the ECR token has a short expiry cycle; you can try the ECR credential helper instead,
and point Docker at the helper in ~/.docker/config.json:
{
"credHelpers": {
"aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
}
}
refer: https://lwpro2.wordpress.com/2019/10/30/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/
See if the AWS-generated AWS_SECRET_ACCESS_KEY has a "/". If it has the "/", generate a new AWS_SECRET_ACCESS_KEY without one and add that; it will work \o/