Is there a way to give users permission only to push/pull specific Docker images they own in AWS ECS Repo?
By this time you might have the solution, but sharing some info here:
Consider 2 users with the following permissions:
ecr-user with policy ARN: arn:aws:iam::aws:policy/AdministratorAccess who have admin permissions for all resources in AWS:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
vault-user with policy ARN :arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy who has limited permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
You can get this info from IAM->Users and click on the Policy name attached to the user.
Consider below 2 repositories which are associated with users ecr-user and vault-user
the repo ecr-permissions is linked with ecr-user with the following permissions:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "denyAdmin",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::****:user/ecr-user"
},
"Action": [
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:ListImages",
"ecr:PutImage",
"ecr:PutLifecyclePolicy",
"ecr:UploadLayerPart"
]
}
]
}
So with the above policy, you can even restrict admin user(ecr-user) to push to this repo.
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/ecr-permissions:1.0
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/ecr-permissions]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
denied: User: arn:aws:iam::****:user/ecr-user is not authorized to perform: ecr:UploadLayerPart on resource: arn:aws:ecr:us-east-1:****:repository/ecr-permissions with an explicit deny
Similarly, you can allow non-admin/user[in this case vault-user] with read-only permission on ECR repo can push docker images by tuning the ECR repo policies as shown below.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "pushDocker",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::****:user/vault-user"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
Before adding the above policy:
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr:0.3
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
denied: User: arn:aws:iam::****:user/vault-user is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-1:****:repository/rlokinen/first-ecr
after adding the policy:
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr:0.3
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/rlokinen/first-ecr]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
0.3: digest: sha256:dc85890ba9763fe38b178b337d4ccc802874afe3c02e6c98c304f65b08af958f size: 948
These policies are defined per REPO in ECR. ECR->Repositories-><REPO-NAME>permissions.
You can configure IAM users within your account to push and pull images.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::aws_account_id:user/push-pull-user-1",
"arn:aws:iam::aws_account_id:user/push-pull-user-2"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
}
]
}
Reference: documentation
Related
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:user/root"
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": [
"xxx.dkr.ecr.us-west-2.amazonaws.com/yyy"
]
}
]
}
Command I try to use is:
aws ecr set-repository-policy --repository-name yyy --policy-text file://ecr-policy.json
If I do ls in my linux machine I can see this ecr-policy.json in same folder where I run this command.
I want to grant access to myself.
I am always getting error:
An error occurred (InvalidParameterException) when calling the SetRepositoryPolicy operation: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
I checked my AWS ARN and it ends with root.
i want to grant access to myself.
You don't need a resource section because this statement will be attached to a specific repository. Try add the following statement at Console > ECR > Repositories > [Select a repo on the Images table] > Permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account #>:user/<your IAM user name>",
"arn:aws:iam::<account #>:root"
]
},
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
NOTE: Replace <account #> with your AWS account ID.
Remove Resource in Policy json file
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:user/root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchDeleteImage",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
Or you can set on AWS Console
Go to Amazon ECR > Repositories
Create Repository
Click what your create Repository
and go to permissions tab
Edit permissions -> Input the above json file
try resource in a format:
arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html
I am creating and running a task on my ECS fargate cluster.
Task definition (with role) and fargate cluster is already created.
When I use run task step in step function, I am getting following error,
{
"Error": "ECS.AccessDeniedException",
"Cause": "User: arn:aws:sts::xxxxxxxxxx:assumed-role/StepFunctions-my-state-machine-role-xxxxxxxxxx/xxxxxxxxxx is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxxxx:role/my-app-dev-exec because no identity-based policy allows the iam:PassRole action (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx; Proxy: null)"
}
The role attached to the step function has the following policies (as per the documentation provided by AWS https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:eu-west-1:xxxxxxxxxx:task-definition/*:*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": [
"arn:aws:ecs:eu-west-1:xxxxxxxxxx:task/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:eu-west-1:xxxxxxxxxx:rule/StepFunctionsGetEventsForECSTaskRule"
]
},
{
"Effect": "Allow",
"Action": [
"states:DescribeStateMachine",
"states:StartExecution",
"states:ListExecutions",
"states:UpdateStateMachine"
],
"Resource": [
"arn:aws:states:eu-west-1:xxxxxxxxxx:stateMachine:my-state-machine"
]
}
]
}
with following trusted entities
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Can someone help with what additional permission I need to give to resolve the above permission issue? From the error, I am not able to figure out what additional permission is required.
If I attach AmazonECS_FullAccess (aws managed) policy to the role, job works perfectly.
Because your task will use an IAM Role, you need to specify the additional permission 'PassRole'.
The best practice is to restrict which roles can be passed. So is recommended to add a condition limiting to only allow to pass roles to ECS tasks.
Try adding this statement to your policy:
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"iam:PassedToService": "ecs-tasks.amazonaws.com"
}
}
}
What's the Problem?
My IAM User has two policies: AdministratorAccess and ForceMultiFactorAuthentication. When ForceMultiFactorAuthentication policy is attached, from the Windows command-line, I get 403 errors when trying to do anything to the repository (ex: git clone ..). When I remove the policy, I can work with the repo (ex: git clone works).
My Question
Is there something about my ForceMultiFactorAuthentication policy that is preventing codecommit from working? How do I properly setup CodeCommit with Multi-factor authentication?
General Recreation Steps
Create an IAM user group named "Admins" with AdministratorAccess and ForceMultiFactorAuthentication permissions
Create a non-root IAM user
Add non-root IAM user to "Admins" group
Logged in as non-root IAM user, on Security Credentials tab, setup MFA auth (scan QR code, etc.), AND create HTTPS Git credentials for AWS CodeCommit
Create a repo in CodeCommit
From command-line, attempt git clone https://git-codecommit... locally
Command-line returns fatal: unable to access 'https://git-codecommit...': The requested URL returned error: 403
My non-root IAM user removes ForceMultiFactorAuthentication policy from "Admins" group
git clone .. and it clones the repo. It works.
Doesn't make sense because...
My IAM user has AdministratorAccess. Plus, policy summary shows CodeCommit has full access to all resources.
My ForceMultiFactorAuthentication policy is below (and is very similar to AWS-provided one):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken",
"iam:ListUsers"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
The following section in your ForceMultiFactorAuthentication policy deny all requests (except the actions mentioned in the NotAction section) that are not authenticated using MFA
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken",
"iam:ListUsers"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
With HTTPS GIT credentials, you are authenticating to the CodeCommit repository using the username & password. There is no usage of session token (basically MFA code). So it is not possible to validate MFA for authentication. As a result your request is denied. Similar is the case with SSH key pair authentication for CodeCommit.
To fix this you can add required codecommit actions in the NotAction list of the policy. You need to include kms actions as well. Because data in CodeCommit repositories is encrypted in transit and at rest. So permission required for encrypt and decrypt actions while you are performing clone, pull or push activities from/to repos.
The following policy fix your CodeCommit 403 error.
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken",
"iam:ListUsers",
"codecommit:GitPull",
"codecommit:GitPush",
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
Since you have already attached Administrator access policy to your user, you don't require the entire content of ForceMultiFactorAuthentication policy. The above policy is sufficient. If you want to enable the MFA restriction for all IAM users(non-admin users), use entire content of your policy attach it to users.
I have created ecr repository to store docker images. I want to see if i can only provide read-only access to ec2 instance . My ec2 instance has been given a role which comprise of the perimssion : AmazonEC2ContainerRegistryReadOnly which can be seens as --
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
]
}
My ecr policy reads like:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "ecr repo policy",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::531523267983:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
But when i am trying to push a docker image from my ec2 instance to this repository , i am successfully able to push that , even though i have provided readonly access to my ec2 instance. Where am i going wrong
I'm following the tutorial found here to use an on-premise server with CodeDeploy. I'm a little confused with the first couple of steps. When I'm creating a role for the on-premise server to assume, what should I choose as the service that will use this role (in the console)? I do understand what policy the role should have, allowing actions s3:Get and s3:List for all resources. To provide additional info, I want to use the aws-codedeploy-session-helper tool to periodically refresh the session credentials for me, and the policy for the IAM user this tool uses is as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:CreateUser",
"iam:DeleteAccessKey",
"iam:DeleteUser",
"iam:DeleteUserPolicy",
"iam:ListAccessKeys",
"iam:ListUserPolicies",
"iam:PutUserPolicy",
"iam:GetUser",
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:CreateRole",
"iam:DeleteInstanceProfile",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:RemoveRoleFromInstanceProfile",
"autoscaling:*",
"codedeploy:*",
"ec2:*",
"lambda:*",
"elasticloadbalancing:*",
"s3:*"
],
"Resource": "*"
}
]
}
You would need to allow the on-premise server to call the STS assume role API, so the service should "STS"
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<ACCOUNT-ID>:role/<ROLENAME>"
}
}
Then in the IAM Role, add a "Trust" Policy for the server.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT-ID>:user/<USER-NAME>"
},
"Action": "sts:AssumeRole"
}
]
}