Not able to list tags from Amazon container image registries (602401143452.dkr.ecr.us-east-1.amazonaws.com) #167

Closed
pbc0810 opened this issue Mar 20, 2024 · 1 comment · Fixed by #182

pbc0810 commented Mar 20, 2024

Version checker is deployed on EKS with an IAM role attached to the service account, with read-only access to ECR.
Getting AccessDeniedException for image 602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/aws-ebs-csi-driver.
As per the documentation at https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html, read-only access to ECR is already given.

time="2024-03-20T09:55:03Z" level=error msg="error syncing 'ebs-csi-node-dvwxj/kube-system': failed to sync pod ebs-csi-node-dvwxj/kube-system: 
  failed to check container image \"ebs-plugin\": failed to get tags from remote registry for \"602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/aws-ebs-csi-driver\": 
  failed to describe images: AccessDeniedException: User: arn:aws:sts::xxxxxxx:assumed-role/version-checker-role/1710928471956841718 is not authorized 
  to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/aws-ebs-csi-driver because no resource-based policy allows 
  the ecr:DescribeImages action\n\tstatus code: 400, request id: 4698a080-c6ec-4869-b17e-d67b0aaedfc4,failed to check container image \"node-driver-registrar\":
  failed to get tags from remote registry for \"602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/csi-node-driver-registrar\": failed to describe images:
  AccessDeniedException: User: arn:aws:sts::xxxxxxxx:assumed-role/version-checker-role/1710928471956841718 is not authorized to perform: ecr:DescribeImages 
  on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/csi-node-driver-registrar because no resource-based policy allows the ecr:DescribeImages 
  action\n\tstatus code: 400, request id: d619d42a-360e-4e44-b027-d64ddc84db43,failed to check container image \"liveness-probe\": failed to get tags from remote 
  registry for \"602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/livenessprobe\": failed to describe images: AccessDeniedException: User: arn:aws:sts::xxxxxxx:assumed-role/version-checker-role/1710928471956841718 
  is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/livenessprobe because no resource-based policy allows the ecr:DescribeImages action\n\tstatus code: 
  400, request id: 090fc9fb-4b95-40ec-9d2a-bd31323beb52, requeuing" module=controller
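
An added example, not part of the issue thread or the version-checker code base: a Go triage helper that pulls each distinct `AccessDeniedException` out of log output like the above and reports whether the denial comes from the repository's resource-based policy or from the caller's role. The sample log, the `111122223333` caller account, the `team/app` repository and all type and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Denial is one AccessDeniedException extracted from version-checker log output.
type Denial struct{ Caller, Role, Action, Owner, Repo, Kind string }

var denialRe = regexp.MustCompile(`User: arn:aws:sts::([^:]*):assumed-role/([^/ ]+)/\S+ is not authorized to perform: (\S+) on resource: arn:aws:ecr:[^:]+:(\d{12}):repository/(\S+) because no (resource|identity)-based policy allows`)

// ParseDenials flattens wrapped whitespace and returns each distinct denial once (requeues repeat them).
func ParseDenials(log string) []Denial {
	flat := strings.Join(strings.Fields(log), " ")
	seen := map[Denial]bool{}
	var out []Denial
	for _, m := range denialRe.FindAllStringSubmatch(flat, -1) {
		if d := (Denial{m[1], m[2], m[3], m[4], m[5], m[6]}); !seen[d] {
			seen[d], out = true, append(out, d)
		}
	}
	return out
}

// Verdict names the policy that has to change before the call can succeed.
func (d Denial) Verdict() string {
	switch {
	case d.Kind == "identity":
		return "role-policy" // the caller's own IAM role lacks the action
	case len(d.Caller) != 12 || strings.Trim(d.Caller, "0123456789") != "":
		return "repo-policy-caller-redacted" // account masked in the log, as in this issue
	case d.Caller != d.Owner:
		return "cross-account-repo-policy" // only the registry owner can grant the action
	}
	return "repo-policy"
}

// Constructed sample: caller account 111122223333 and repository team/app are placeholders.
const sampleLog = `msg="failed to describe images: AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/version-checker-role/1710928471956841718 is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/livenessprobe because no resource-based policy allows the ecr:DescribeImages action"
msg="failed to describe images: AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/version-checker-role/1710928471956841718 is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/livenessprobe because no resource-based policy allows the ecr:DescribeImages action"
msg="failed to describe images: AccessDeniedException: User: arn:aws:sts::xxxxxxx:assumed-role/version-checker-role/1710928471956841718 is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-east-1:602401143452:repository/eks/aws-ebs-csi-driver because no resource-based policy allows the ecr:DescribeImages action"
msg="failed to describe images: AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/version-checker-role/1710928471956841718 is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-east-1:111122223333:repository/team/app because no identity-based policy allows the ecr:DescribeImages action"`

func main() {
	for _, d := range ParseDenials(sampleLog) {
		fmt.Printf("%s on %s/%s -> %s\n", d.Action, d.Owner, d.Repo, d.Verdict())
	}
}
```

For a cross-account denial, AWS requires the repository owner's policy to allow the action in addition to the caller's role policy, so widening the role's own ECR permissions does not clear the error.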

davidcollom (Collaborator) commented

I think this is a duplicate of #146
