I am running an ECS instance with the Amazon-provided ecsInstanceRole, whose policy in JSON looks like below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeTags",
                "ecs:CreateCluster",
                "ecs:DeregisterContainerInstance",
                "ecs:DiscoverPollEndpoint",
                "ecs:Poll",
                "ecs:RegisterContainerInstance",
                "ecs:StartTelemetrySession",
                "ecs:UpdateContainerInstancesState",
                "ecs:Submit*",
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
I can see ECR-specific access which includes Submit* and "ecr:BatchGetImage" etc., using which I should simply be able to pull any images in my ECR, but when I try to do that, it gives me the below error:
An error occurred (AccessDeniedException) when calling the DescribeRepositories operation: User: arn:aws:sts::755671380468:assumed-role/ecsInstanceRole/i-0e3a77458fe98d842 is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:ap-south-1:755671380468:repository/*
Now, as the error message indicates, it doesn't have ecr:DescribeRepositories, and when I tried to add an inline policy and searched for ecr, it didn't give any result. So how can I add this or some other policy to my existing role so that my ECS instance is able to download and push images to ECR?
You can add the following inline policy to your ECSInstance role, and check how it goes:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ecr:DescribeRepositories",
            "Resource": "*"
        }
    ]
}
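To see why the instance role denies ecr:DescribeRepositories while the answer's inline policy allows it, the added example below (written for this page, not part of the question, the answer or any AWS tool) runs a minimal IAM-style action matcher over both policies from the page. It is a simplification of the real policy engine: it handles Allow/Deny statements, case-insensitive `*` wildcards in actions and resources, and nothing else (no conditions, no NotAction, no permission boundaries). It also shows that `ecs:Submit*` only covers ECS actions, not ECR ones, and lists which real ECR push actions (ecr:InitiateLayerUpload, ecr:UploadLayerPart, ecr:CompleteLayerUpload, ecr:PutImage, which are not on the page) would still be missing for a push. The repository ARN is the one from the error message in the question.

```python
"""Minimal IAM action/resource matcher (constructed example, not the AWS policy engine)."""
import fnmatch

# The ECS instance role policy as shown in the question.
ECS_INSTANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeTags",
                "ecs:CreateCluster",
                "ecs:DeregisterContainerInstance",
                "ecs:DiscoverPollEndpoint",
                "ecs:Poll",
                "ecs:RegisterContainerInstance",
                "ecs:StartTelemetrySession",
                "ecs:UpdateContainerInstancesState",
                "ecs:Submit*",
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
            ],
            "Resource": "*",
        }
    ],
}

# The inline policy proposed in the answer.
INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ecr:DescribeRepositories",
            "Resource": "*",
        }
    ],
}

# Repository ARN taken from the AccessDeniedException in the question.
REPO_ARN = "arn:aws:ecr:ap-south-1:755671380468:repository/*"

# Real ECR actions a `docker push` needs (assumption for this example: these
# are the standard upload actions; they do not appear on the page itself).
PUSH_ACTIONS = [
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM action/resource matching: case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource.

    Simplified IAM logic: an explicit Deny wins over any Allow, and with no
    matching statement at all the request is implicitly denied.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(_matches(p, action) for p in actions):
                continue
            if not any(_matches(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def missing_actions(policies, needed, resource):
    """List the actions from `needed` that the policies do not allow on `resource`."""
    return [a for a in needed if evaluate(policies, a, resource) != "Allow"]


if __name__ == "__main__":
    before = [ECS_INSTANCE_POLICY]
    after = [ECS_INSTANCE_POLICY, INLINE_POLICY]
    print("DescribeRepositories before:", evaluate(before, "ecr:DescribeRepositories", REPO_ARN))
    print("DescribeRepositories after: ", evaluate(after, "ecr:DescribeRepositories", REPO_ARN))
    print("ecs:Submit* covers ecs:SubmitTaskStateChange:",
          evaluate(before, "ecs:SubmitTaskStateChange", "*"))
    print("Still missing for push:", missing_actions(after, PUSH_ACTIONS, REPO_ARN))
```

Running it prints ImplicitDeny for ecr:DescribeRepositories against the original role and Allow once the inline policy is attached, which matches the error in the question and the fix in the answer. The last line shows that the answer's policy is enough to list repositories and, together with the existing ecr:Get*/Batch* actions, to pull, but a push would need the upload actions added as a separate, equally narrow statement rather than a broad ecr:* grant.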