Search code examples
amazon-web-servicesdockeraws-cliamazon-ecr

use aws-vault to push docker image to ECR failed

I am trying to push docker image to ECR from my mac. I added identity to aws-vault, but using aws-vault failed to obtain password. My peer has the same privilege and he can login to ECR without problem.

.aws % aws-vault list                                                                                
    Profile                  Credentials              Sessions                 
    =======                  ===========              ========                 
    identity                 identity                 -                        
.aws % ENCRYPTED_PASSWORD=$(aws-vault exec identity -- aws ecr get-login-password --region us-west-2)
    
    An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::97xxxxxxxxxx:user/xxxxx.xxxxxx@xxxxxxxxx.com is not authorized to perform: ecr:GetAuthorizationToken on resource: * with an explicit deny in an identity-based policy

We are using the same role. I intend to execute the following line once ENCRYPTED_PASSWORD is obtained--

aws-vault exec identity -- aws ecr --region us-west-2 | docker login -u AWS -p ${ENCRYPTED_PASSWORD} xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/my-ecr

My .aws/config has this line refer to the above.

[profile identity]

Since my teammate has the same policy/permission, I don't see "GetAuthorizationToken" as an issue. What else? I'm trying to find a way to push my docker images from Mac to the ECR.

Completely redo the config, linked all roles to identity.

[profile xx-xxxx-services-monitoring]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/XXMonitoring
source_profile=identity
sparent_profile=mfa

[profile identity]

Now is the token issue-- I entered the code from MFA Authenticator but failed

.aws % aws-vault exec xx-xxxx-main-admin  -- aws ecr get-login --region us-west-2
Warning: parent_profile is deprecated, please use include_profile instead in your AWS config
Enter token for arn:aws:iam::xxxxxxxxxxxx:mfa/xxxxxx.xxxx@xxxxxx.com: **125492**
aws-vault: error: exec: Failed to get credentials for xx-xxxx-main-admin: AccessDenied: MultiFactorAuthentication failed, unable to validate MFA code.  Please verify your MFA serial number is valid and associated with this user.
    status code: 403, request id: 25808115-d9fa-480d-87d4-xxxxxxxxxxxxx

Doesn't look like the token is valid from Authenticator MFA

Solution
    1. first aws-vault "GetAuthorizationToken" was caused by an unhealthy, ilformatted ~/.aws/config file. Roles must be specified with the following format--
    [profile xx-xxxx-services-monitoring]
  role_arn=arn:aws:iam::xxxxxxxxxxxx:role/XXMonitoring
  source_profile=identity
  sparent_profile=mfa
   
[profile identity]
    1. Second part is MFA issue. MFA serial number must match what you configured in your authenticator. (DUO, Authy, Authenticator...) Your ~/.aws/config should have this section--
    [profile mfa]
   mfa_serial=arn:aws:iam::xxxxxxxxxxxx:mfa/xxxxx.xxxx@xxxxx.com