I'm trying to setup my Node project with AWS CodeBuild.

version: 0.2
phases:

  pre_build:
    commands:
      - $(aws ecr get-login)
      - TAG="$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | head -c 8)"

  build:
    commands:
      - docker build -t "${REPOSITORY}:${TAG}" .

  post_build:
    commands:
      - docker push "${REPOSITORY}:${TAG}"

When I trigger a build, command $(aws ecr get-login) fails:

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User is not authorized to perform: ecr:GetAuthorizationToken on resource: * [Container] 2018/10/26 10:04:12 Command did not exit successfully $(aws ecr get-login) exit status 255

In IAM console, the user has these policies attached:

• AmazonEC2ContainerRegistryFullAccess
• AmazonEC2ContainerRegistryPowerUser

and both contain ecr:GetAuthorizationToken permission.

What am I missing?

Solved. I needed to give ecr:GetAuthorizationToken permission to the role, instead of to the user.

Had similar issue but attaching AmazonEC2ContainerRegistryReadOnly or AmazonEC2ContainerRegistryPowerUser or AmazonEC2ContainerRegistryFullAccess policies to codebuild role did nothing

Solved by creating my own policy and attaching it to codebuild role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ],
            "Resource": "%YOUR_REPOSITORY_ARN"
        }
    ]
}