Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS ECR: ecr:TagResource seems required now #416

Closed
bradonkanyid opened this issue Dec 21, 2022 · 8 comments
Closed

AWS ECR: ecr:TagResource seems required now #416

bradonkanyid opened this issue Dec 21, 2022 · 8 comments

Comments

@bradonkanyid
Copy link

We started getting errors in our swaps w/ k8s-image-swapper around ecr:CreateRepository (seeing this in cloudtrail), because of the missing permission ecr:TagResource.

Adding the ecr:TagResource action to our IAM policy for IRSA did fix the problem, so I think the docs just need updated.

@estahn
Copy link
Owner

estahn commented Dec 22, 2022

@bradonkanyid Thanks for the report. What version of k8s-image-swapper did you see these issues in?

@dex4er
Copy link

dex4er commented Jan 4, 2023

@estahn I've got the same issue, it was 1.3.0 installed from the Helm chart.

@estahn
Copy link
Owner

estahn commented Jan 25, 2023

@dex4er Just revisiting this and double-checking. There has been a change in regards to tags in 1.4.0, but not 1.3.0. Can you double check you were running 1.3.0?

@dex4er
Copy link

dex4er commented Jan 25, 2023

I run 1.3.3. It was the latest docker image available 3 weeks ago and I haven't done an upgrade yet.

@estahn
Copy link
Owner

estahn commented Jan 25, 2023

@dex4er Thanks for checking. I will amend the IAM policy in the documentation. I can't find any changes relating to this though, which seems odd.

https://github.com/estahn/k8s-image-swapper/blame/v1.3.3/pkg/registry/ecr.go

@bradonkanyid
Copy link
Author

bradonkanyid commented Jan 26, 2023

We received the following from AWS recently:

Description
This message is to inform you that Allow access will be needed for the ecr:TagResource and ecr:CreateRepository actions to create a repository with tags effective February 28, 2023.

Customers can use IAM policies to control which IAM users or roles have access to create or manage ECR repositories. This change ensures that IAM users or roles creating repositories also have permission to tag these resources upon creation. If your IAM users or roles that create ECR repositories already have Allow access to tag resources, then no action is required.

Starting February 28, 2023, if you do not have Allow access to both ecr:TagResource and ecr:CreateRepository actions when creating a repository with tags, CreateRepository calls will fail with AccessDeniedException.

Below is an example of the policy change needed for a CreateRepository call with tags to succeed.

Before:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:CreateRepository"
],
"Resource": "*"
}
]
}

After:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:CreateRepository",
"ecr:TagResource"
],
"Resource": "*"
}
]
}

You can learn more about the CreateRepository action [1], and ECR’s IAM actions in our documents [2].

If you have any questions or concerns, please contact AWS Support [3].

[1] https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html
[2] https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html#amazonelasticcontainerregistry-resources-for-iam-policies
[3] https://aws.amazon.com/support

I'm not sure why we are running into this issue prior to their Feb 28th deadline, however.

@estahn
Copy link
Owner

estahn commented Jan 27, 2023

@bradonkanyid Thanks for this. AWS may have rolled this out in certain regions prior to the deadline. At least I wouldn't put it past them.

@estahn
Copy link
Owner

estahn commented Feb 13, 2024

Closing as not further action appears to be required.

@estahn estahn closed this as completed Feb 13, 2024
rattboi pushed a commit to rattboi/k8s-image-swapper that referenced this issue May 29, 2024
## [1.3.0](estahn/k8s-image-swapper@v1.2.3...v1.3.0) (2022-09-07)

### 🎉 Features

* cross account caching with role ([estahn#336](estahn#336)) ([98d138e](estahn@98d138e))

### ⬆️ Dependencies

* **deps:** bump actions/cache from 3.0.6 to 3.0.8 ([estahn#319](estahn#319)) ([245ab30](estahn@245ab30)), closes [estahn#809](estahn#809) [estahn#833](estahn#833) [estahn#810](estahn#810) [#888](https://github.com/estahn/k8s-image-swapper/issues/888) [#891](https://github.com/estahn/k8s-image-swapper/issues/891) [#899](https://github.com/estahn/k8s-image-swapper/issues/899) [#894](https://github.com/estahn/k8s-image-swapper/issues/894)
* **deps:** bump alpine from 3.16.1 to 3.16.2 ([da05fdd](estahn@da05fdd))
* **deps:** bump github.com/alitto/pond from 1.8.0 to 1.8.1 ([estahn#342](estahn#342)) ([4e50c28](estahn@4e50c28)), closes [alitto/pond#33](alitto/pond#33) [estahn#34](estahn#34) [estahn#32](estahn#32)
* **deps:** bump github.com/aws/aws-sdk-go from 1.44.70 to 1.44.92 ([0f396c5](estahn@0f396c5))
* **deps:** bump github.com/aws/aws-sdk-go from 1.44.70 to 1.44.92 ([estahn#338](estahn#338)) ([fa795ae](estahn@fa795ae)), closes [#4548](https://github.com/estahn/k8s-image-swapper/issues/4548) [#4546](https://github.com/estahn/k8s-image-swapper/issues/4546) [#4545](https://github.com/estahn/k8s-image-swapper/issues/4545) [#4544](https://github.com/estahn/k8s-image-swapper/issues/4544) [#4543](https://github.com/estahn/k8s-image-swapper/issues/4543) [#4542](https://github.com/estahn/k8s-image-swapper/issues/4542) [#4539](https://github.com/estahn/k8s-image-swapper/issues/4539) [#4536](https://github.com/estahn/k8s-image-swapper/issues/4536) [#4534](https://github.com/estahn/k8s-image-swapper/issues/4534) [#4533](https://github.com/estahn/k8s-image-swapper/issues/4533)
* **deps:** bump github.com/go-co-op/gocron from 1.16.2 to 1.17.0 ([estahn#340](estahn#340)) ([645bef3](estahn@645bef3)), closes [go-co-op/gocron#380](go-co-op/gocron#380) [go-co-op/gocron#381](go-co-op/gocron#381) [go-co-op/gocron#375](go-co-op/gocron#375) [estahn#381](estahn#381) [estahn#380](estahn#380) [estahn#375](estahn#375)
* **deps:** bump github.com/gruntwork-io/terratest from 0.40.19 to 0.40.21 ([estahn#334](estahn#334)) ([d0f6c39](estahn@d0f6c39)), closes [#1166](https://github.com/estahn/k8s-image-swapper/issues/1166) [#1159](https://github.com/estahn/k8s-image-swapper/issues/1159)
* **deps:** bump github.com/rs/zerolog from 1.27.0 to 1.28.0 ([estahn#339](estahn#339)) ([7fb4ff5](estahn@7fb4ff5)), closes [estahn#457](estahn#457) [estahn#416](estahn#416) [estahn#454](estahn#454) [estahn#453](estahn#453) [estahn#383](estahn#383) [estahn#396](estahn#396) [estahn#414](estahn#414) [estahn#415](estahn#415) [estahn#430](estahn#430) [estahn#432](estahn#432)
* **deps:** bump github.com/spf13/viper from 1.12.0 to 1.13.0 ([estahn#341](estahn#341)) ([9b59bd4](estahn@9b59bd4)), closes [spf13/viper#1371](spf13/viper#1371) [spf13/viper#1373](spf13/viper#1373) [spf13/viper#1393](spf13/viper#1393) [spf13/viper#1424](spf13/viper#1424) [spf13/viper#1405](spf13/viper#1405) [spf13/viper#1414](spf13/viper#1414) [spf13/viper#1387](spf13/viper#1387) [spf13/viper#1374](spf13/viper#1374) [spf13/viper#1375](spf13/viper#1375) [spf13/viper#1378](spf13/viper#1378) [spf13/viper#1360](spf13/viper#1360) [spf13/viper#1381](spf13/viper#1381) [spf13/viper#1384](spf13/viper#1384) [spf13/viper#1383](spf13/viper#1383) [spf13/viper#1395](spf13/viper#1395) [spf13/viper#1420](spf13/viper#1420) [spf13/viper#1422](spf13/viper#1422) [spf13/viper#1412](spf13/viper#1412) [spf13/viper#1373](spf13/viper#1373) [spf13/viper#1393](spf13/viper#1393) [spf13/viper#1371](spf13/viper#1371) [spf13/viper#1387](spf13/viper#1387) [spf13/viper#1405](spf13/viper#1405) [spf13/viper#1414](spf13/viper#1414)
* **deps:** bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0 ([estahn#328](estahn#328)) ([a8d2dd1](estahn@a8d2dd1)), closes [estahn#369](estahn#369) [estahn#357](estahn#357) [estahn#356](estahn#356) [estahn#360](estahn#360) [estahn#359](estahn#359) [estahn#358](estahn#358) [estahn#367](estahn#367) [estahn#369](estahn#369) [estahn#367](estahn#367) [estahn#358](estahn#358) [estahn#359](estahn#359) [estahn#360](estahn#360) [estahn#357](estahn#357) [estahn#356](estahn#356)
* **deps:** bump k8s.io/api from 0.24.3 to 0.25.0 ([estahn#325](estahn#325)) ([ce10907](estahn@ce10907)), closes [#111657](https://github.com/estahn/k8s-image-swapper/issues/111657) [#109090](https://github.com/estahn/k8s-image-swapper/issues/109090) [#111258](https://github.com/estahn/k8s-image-swapper/issues/111258) [#111113](https://github.com/estahn/k8s-image-swapper/issues/111113) [#111696](https://github.com/estahn/k8s-image-swapper/issues/111696) [#108692](https://github.com/estahn/k8s-image-swapper/issues/108692)
* **deps:** bump k8s.io/client-go from 0.24.3 to 0.25.0 ([estahn#324](estahn#324)) ([f7c889f](estahn@f7c889f))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants