I have tried to set up the suggested setup following the documentation, but the deploy keeps failing:

```
#2 ERROR: unexpected status from HEAD request to https://ecr-account-arn.dkr.ecr.us-east-1.amazonaws.com/v2/docker-image/manifests/4.0.1: 401 Unauthorized
```
- I created a role in the ECR account with this ARN, `"arn:aws:iam::<ecr-account-arn>:role/QoveryECRRead"`, and this policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:DescribeImageScanFindings",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:DescribeImageReplicationStatus",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:ListTagsForResource",
                "ecr:BatchGetRepositoryScanningConfiguration",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetRepositoryPolicy",
                "ecr:GetLifecyclePolicy"
            ],
            "Resource": "arn:aws:ecr:*:<ecr-account-arn>:repository/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ecr:GetRegistryPolicy",
                "ecr:DescribeRegistry",
                "ecr:GetAuthorizationToken",
                "ecr:GetRegistryScanningConfiguration"
            ],
            "Resource": "*"
        }
    ]
}
```
- I added a trust relationship to this role:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<qovery-account-arn>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
```
- Finally, I added this inline policy to the existing Qovery user:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<ecr-account-arn>:role/QoveryECRRead"
        }
    ]
}
```
If I try to assume the role locally through the AWS CLI (`aws sts assume-role`), I am able to run commands, so I assume that the auth is well configured.

Is this setup already supported by Qovery? I wonder if I'm doing anything wrong. Thank you!
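An offline consistency check over the three policy documents described in the post, added here as an example (it is not part of the original post and is not Qovery or AWS code). The account IDs and repository name are constructed, the function names are hypothetical, and only `Allow` statements are matched; `Deny`, `NotAction` and `Condition` are not evaluated.

```python
from fnmatch import fnmatchcase

# Actions a role needs for `docker pull` from ECR.
PULL_ACTIONS = ("ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage")

def _lst(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if an Allow statement matches, using IAM's * and ? wildcards."""
    return any(
        st.get("Effect") == "Allow"
        and any(fnmatchcase(action.lower(), a.lower()) for a in _lst(st.get("Action", [])))
        and any(fnmatchcase(resource, r) for r in _lst(st.get("Resource", [])))
        for st in _lst(policy["Statement"]))

def trusts(trust_policy, account):
    """True if the trust policy lets the account's root principal assume the role."""
    wanted = {account, f"arn:aws:iam::{account}:root"}
    return any(
        st.get("Effect") == "Allow" and "sts:AssumeRole" in _lst(st.get("Action", []))
        and isinstance(st.get("Principal"), dict)
        and wanted & set(_lst(st["Principal"].get("AWS", [])))
        for st in _lst(trust_policy["Statement"]))

def check_chain(user_policy, trust_policy, role_policy, role_arn, account, repo_arn):
    """Return the gaps found in the caller -> role -> repository chain."""
    gaps = []
    if not allows(user_policy, "sts:AssumeRole", role_arn):
        gaps.append("caller may not assume " + role_arn)
    if not trusts(trust_policy, account):
        gaps.append("role does not trust account " + account)
    for action in PULL_ACTIONS:
        # GetAuthorizationToken has no resource-level scoping, so it needs "*".
        target = "*" if action == "ecr:GetAuthorizationToken" else repo_arn
        if not allows(role_policy, action, target):
            gaps.append(f"role lacks {action} on {target}")
    return gaps

# Constructed sample: 111111111111 = registry account, 222222222222 = caller account.
ROLE = "arn:aws:iam::111111111111:role/QoveryECRRead"
REPO = "arn:aws:ecr:us-east-1:111111111111:repository/docker-image"
USER_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE}]}
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]}
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": "arn:aws:ecr:*:111111111111:repository/*",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"]},
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"}]}
```

`check_chain(USER_POLICY, TRUST, ROLE_POLICY, ROLE, "222222222222", REPO)` returns an empty list when the three documents line up. A clean result only says the policies are consistent with each other, not that the deploying client actually presents credentials from the assumed role.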