I get AWS ECR exit status 255 despite using AWS ubuntu containers

4

12

I am trying to build a Docker container in AWS CodeBuild as a means to deploy a container to ECR, but I get this error.

Error while executing command: $(aws ecr get-login --region ap-southeast-1). Reason: exit status 255


This command was run from the buildspec.yml file, using aws/codebuild/ubuntu-base:14.04 and the "Enable this flag if you want to build Docker images or want your builds to get elevated privileges" option.

The log files are as follows:

[Container] 2018/10/11 00:52:49 Running command $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::502776083946:assumed-role/code-build-timesheet/AWSCodeBuild-f1d205b1-b03f-4727-a4d7-a02118021eec is not authorized to perform: ecr:GetAuthorizationToken on resource: *

[Container] 2018/10/11 00:52:52 Command did not exit successfully $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email) exit status 255
[Container] 2018/10/11 00:52:52 Phase complete: INSTALL Success: false
[Container] 2018/10/11 00:52:52 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email). Reason: exit status 255
Maladjustment answered 8/10, 2018 at 1:11 Comment(1)
Even Error while executing command: $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email). Reason: exit status 255 is not working - Maladjustment
48

This status code usually indicates an unauthorized user. To fix this, we need to let our CodeBuild role talk to ECR. To do this: go to IAM and attach the AmazonEC2ContainerRegistryPowerUser policy to your CodeBuild role.

Marylnmarylou answered 9/4, 2019 at 4:24 Comment(1)
I was getting a similar error trying to invalidate my CloudFront cache - adding an IAM permission to do this to the CodeBuild role fixed the problem - Brutality
5

The aws-cli version 2 has been updated and the command get-login was deprecated; you should use get-login-password.

aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com

You can see the updated documentation to build a docker image in CodeBuild: https://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html

Duax answered 7/12, 2021 at 18:29 Comment(0)
0

Is there any more specific error in your CloudWatch log? Like AccessDenied or something else? There should be some details in the log around the failed command part. Thanks, Xin

Eberhardt answered 9/10, 2018 at 17:54 Comment(2)
Updated. It says unauthorized for get authorization token - Maladjustment
Yes, you can add the related permission to your service role, you can refer to this doc: docs.aws.amazon.com/codebuild/latest/userguide/… - Eberhardt
0

In my case, I added the permission but was still getting the same issue. I later found that my "Permissions boundary" in the IAM role was not letting the permission go through. So if you set Permissions policies to allow ecr:GetAuthorizationToken but have a Permissions boundary enabled as well, then you need to add the same permission to the Permissions boundary (or remove the Permissions boundary).

Hassan answered 25/3, 2021 at 9:31 Comment(0)
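
The situation described in the answers above (the role's policy grants ecr:GetAuthorizationToken, yet a permissions boundary without it still produces AccessDenied), shown as an added example that is not part of the original thread. It is a simplified evaluator that looks only at Effect, Action and Resource with wildcards; the function names and policy documents are constructed for illustration, and conditions, NotAction, SCPs and resource policies are ignored.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def decision(policy, action, resource="*"):
    """Return 'deny', 'allow' or 'none' for one policy document."""
    result = "none"
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # IAM action names are case-insensitive and may contain wildcards.
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
               and any(fnmatch.fnmatchcase(resource, r) for r in resources))
        if hit and stmt["Effect"] == "Deny":
            return "deny"          # explicit deny always wins
        if hit:
            result = "allow"
    return result

def effective(identity_policies, boundary, action, resource="*"):
    """Allowed only if an identity policy allows it AND the boundary (if set) allows it."""
    decisions = [decision(p, action, resource) for p in identity_policies]
    if "deny" in decisions:
        return False, "explicit deny in identity policy"
    if "allow" not in decisions:
        return False, "no identity policy allows it"
    if boundary is not None and decision(boundary, action, resource) != "allow":
        return False, "permissions boundary does not allow it"
    return True, "allowed"

# Constructed sample documents (not copies of any AWS managed policy).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
               "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
               "ecr:CompleteLayerUpload", "ecr:PutImage"],
    "Resource": "*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["logs:*", "s3:GetObject"], "Resource": "*"}]}
BOUNDARY_FIXED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["logs:*", "s3:GetObject", "ecr:*"], "Resource": "*"}]}

if __name__ == "__main__":
    action = "ecr:GetAuthorizationToken"
    for label, boundary in [("no boundary", None), ("boundary without ECR", BOUNDARY),
                            ("boundary with ecr:*", BOUNDARY_FIXED)]:
        print(label, "->", effective([ROLE_POLICY], boundary, action))
```

Because ecr:GetAuthorizationToken is evaluated against resource `*`, a statement that scopes it to a single repository ARN does not grant it in this model either.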
