Comments (3)
A response from AWS support on this topic:
Hello ***,
*** here from AWS support! It was nice speaking with you over the call today. Please find below a quick recap of our discussion.
You reached out to us as you are unable to describe images from the AWS owned EKS private ECR repository "***.dkr.ecr.us-west-2.amazonaws.com".
----
failed to describe images: AccessDeniedException: User: *** is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-west-2:***:repository/eks/aws-ebs-csi-driver because no resource-based policy allows the ecr:DescribeImages action
----
In order to assist you better, I tried to replicate the use case in my internal account. I logged into the AWS Public ECR repository "***.dkr.ecr.us-west-2.amazonaws.com". After that I tried to describe the images from the repository and got similar errors, as shown below:
----
aws ecr describe-images --registry-id *** --repository-name ***.dkr.ecr.us-west-2.amazonaws.com --region us-west-2
An error occurred (AccessDeniedException) when calling the DescribeImages operation: User: arn:aws:sts::***:assumed-role/Admin is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-west-2:***:repository/***.dkr.ecr.us-west-2.amazonaws.com because no resource-based policy allows the ecr:DescribeImages action
----
I further tried to pull the images from this repository and I was able to download the image successfully.
Therefore, I checked internally and found that users do not have access/permissions to list/query Amazon's ECR repositories (for example, ***.dkr.ecr.us-west-2.amazonaws.com). They only have pull access to download the images from Amazon's ECR repositories.
However, if you would still like to get detailed information about Amazon's ECR images, then you first have to download that image and push the same image to your own ECR repositories, as shown below:
----
1. $ docker tag ***.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.0 <tag>
2. $ docker push <image>
3. $ aws ecr describe-images --registry-id <repository> --image-ids imageTag=controller-v2.4.0 --region us-west-2
{
"imageDetails": [
{
"registryId": "",
"repositoryName": "",
"imageDigest": "sha256:618bf3158323a641e4e6a79d3879dd8439776a4d8fdbb32ba8c1d6c3295c582e",
"imageTags": [
"controller-v2.4.0"
],
"imageSizeInBytes": 18961873,
"imagePushedAt": 1655874766.0,
----
I hope the above information will be helpful. Should you have any further concerns or issues regarding this case, feel free to let me know; I'll be more than happy to help you. I will keep this case in Pending for now and will set it to resolve by Monday.
Thank you and have a great day ahead!
We value your feedback. Please share your experience by rating this and other correspondences in the AWS Support Center. You can rate a correspondence by selecting the stars in the top right corner of the correspondence.
Best regards,
***
Amazon Web Services
So the issue here is on the AWS side. Since we can't list images, there likely isn't a simple way to make this work.
I'll close this issue since it's not something wrong with this app.
from version-checker.
@davidcollom I've reopened this issue since @silazare has pointed out that this is now something that sounds like it could be implemented with minor work.
from version-checker.
Faced the same issue, and it seems it was fixed in aws/containers-roadmap#1262.
I've tried with the AmazonEC2ContainerRegistryReadOnly policy attached to the EKS node, and from the node itself we can list tags with a token, but from the app side the same policy doesn't work, with a Not Authorized error:
[root@ip-192-168-246-14 /]# TOKEN=$(curl -k https://public.ecr.aws/token/ | jq -r '.token')
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1625 100 1625 0 0 5811 0 --:--:-- --:--:-- --:--:-- 5803
[root@ip-192-168-246-14 /]# curl -k -H "Authorization: Bearer $TOKEN" https://public.ecr.aws/v2/eks/aws-load-balancer-controller/tags/list | jq . | head
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1353 100 1353 0 0 3822 0 --:--:-- --:--:-- --:--:-- 3832
{
"name": "eks/aws-load-balancer-controller",
"tags": [
"v2.4.1",
"v2.5.4-linux_amd64",
"v2.4.7",
"v2.3.0-linux_amd64",
"v2.5.1",
"v2.5.2-linux_arm64",
"v2.5.4",
I assume that it needs to fetch the token for public.ecr.aws in the ECR client.
from version-checker.
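The two-step flow from the curl session above (anonymous token from /token/, then a bearer-authenticated GET on /v2/<repo>/tags/list), written out in Go as an added example. It is not part of the thread and not version-checker's own code: getJSON, ListTags and fakeRegistry are hypothetical names, and the fake server with its token and tag list is constructed so the example runs offline.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// getJSON sends a GET with the given headers and decodes a 200 JSON response into out.
func getJSON(c *http.Client, url string, h http.Header, out interface{}) error {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.Header = h
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}
// ListTags gets an anonymous pull token from base/token/ and uses it to list repo's tags.
func ListTags(c *http.Client, base, repo string) (tags []string, err error) {
	var tok struct{ Token string }
	var list struct{ Tags []string }
	if err = getJSON(c, base+"/token/", http.Header{}, &tok); err == nil {
		err = getJSON(c, base+"/v2/"+repo+"/tags/list", http.Header{"Authorization": {"Bearer " + tok.Token}}, &list)
	}
	return list.Tags, err
}
// fakeRegistry is a constructed stand-in for public.ecr.aws so the example runs offline.
func fakeRegistry() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/token/" {
			fmt.Fprint(w, `{"token":"constructed-token"}`)
		} else if r.Header.Get("Authorization") == "Bearer constructed-token" {
			fmt.Fprint(w, `{"name":"eks/aws-load-balancer-controller","tags":["v2.4.1","v2.4.7"]}`)
		} else {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		}
	}))
}
func main() {
	srv := fakeRegistry()
	fmt.Println(ListTags(srv.Client(), srv.URL, "eks/aws-load-balancer-controller"))
}
```

Against the real registry the base would be https://public.ecr.aws with a default http.Client, which verifies the server certificate instead of skipping verification as curl -k does.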