Pushing docker image to public ECR gets 403 Forbidden error
Hi,
I tried to push a docker image to my public ECR. After creating access keys for my IAM user and granting "AmazonEC2ContainerRegistryFullAccess" permission and two inline policies, ecr-public:GetAuthorizationToken and sts:GetServiceBearerToken, as described in the documentation
https://docs.aws.amazon.com/AmazonECR/latest/public/docker-push-ecr-image.html,
I did the following as described in ECR push commands.
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/<repo alias>
docker tag <source_image> public.ecr.aws/<repo alias>/<target image>
docker push public.ecr.aws/<repo alias>/<target image>
This throws the following error
unknown: unexpected status from HEAD request to https://public.ecr.aws/v2/<repo alias>/<repo_name>/blobs/sha256:8c7716127147648c1751940b9709b6325f2256290d3201662eca2701cadb2cdf: 403 Forbidden
I need help understanding what this error is about and how to solve it. Thanks.
asked 8 months ago, 1.5K views
Hello.
If you are pushing container images to a public ECR repository, try also setting the IAM policy "AmazonElasticContainerRegistryPublicFullAccess".
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonElasticContainerRegistryPublicFullAccess.html
When you encounter a 403 Forbidden error while pushing Docker images to Amazon ECR Public, there are several potential causes and solutions to consider:
- Authentication Issues:
- Make sure you're using the correct command for public ECR authentication. Always authenticate to the us-east-1 region for ECR Public:
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
- If you've previously authenticated and your token has expired, try logging out first:
docker logout public.ecr.aws
Then authenticate again.
- Permission Issues:
- Verify that your IAM user has the necessary permissions. While you've added "AmazonEC2ContainerRegistryFullAccess" and the inline policies for ecr-public:GetAuthorizationToken and sts:GetServiceBearerToken, you might still be missing specific permissions needed to push to the repository.
- Check if there are any explicit deny statements in your IAM policies that might be preventing the push operation.
- Ensure you have the ecr-public:PutImage permission specifically.
- Repository Configuration:
- Confirm that you have created the repository in ECR Public before attempting to push to it.
- Verify that you're using the correct repository URI format for public ECR.
- Docker Image Issues:
- Make sure your Docker image is properly tagged with the correct repository URI.
- Check if there are any issues with the image itself that might be causing the push to fail.
If you're still experiencing issues after checking these points, you might want to verify your AWS credentials configuration with aws configure list and ensure you're using the latest version of the AWS CLI.
Sources
Troubleshooting Docker commands and issues when using Amazon ECR - Amazon ECR
Forbidden to login ECR Public | AWS re:Post
AWS Marketplace managed Amazon Elastic Container Registry (Amazon ECR): Controlling access and permissions | AWS Marketplace
answered 8 months ago
- DL, 8 months ago
I verified aws credentials with
aws configure
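Added example (not part of the original thread and not AWS code): an offline check of IAM policy documents against the actions the ECR Public documentation lists for authenticating and pushing, illustrating the permission points raised in the answers above. The policy documents are constructed samples, the function names are hypothetical, and the evaluation is simplified: it ignores Resource, Condition and NotAction.

```python
import fnmatch

# Actions the ECR Public docs list for authenticating and pushing an image.
PUSH_ACTIONS = [
    "ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken",
    "ecr-public:BatchCheckLayerAvailability", "ecr-public:InitiateLayerUpload",
    "ecr-public:UploadLayerPart", "ecr-public:CompleteLayerUpload",
    "ecr-public:PutImage",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, statement):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def evaluate_push(policies):
    """Map each push action to 'allowed', 'explicit deny' or 'implicit deny'.
    Simplification (assumption): Resource, Condition and NotAction are ignored."""
    verdicts = {}
    for action in PUSH_ACTIONS:
        effects = {s["Effect"] for doc in policies
                   for s in _as_list(doc["Statement"]) if _matches(action, s)}
        # An explicit Deny always wins; no matching Allow means implicit deny.
        verdicts[action] = ("explicit deny" if "Deny" in effects
                            else "allowed" if "Allow" in effects
                            else "implicit deny")
    return verdicts

def missing(policies):
    return [a for a, v in evaluate_push(policies).items() if v != "allowed"]

# Constructed sample policy documents (not copied from any account).
PRIVATE_ECR_ONLY = {"Statement": [  # stand-in for a grant on the private ecr: namespace
    {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}]}
INLINE_AUTH = {"Statement": [  # the two inline permissions from the question
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken"]}]}
PUBLIC_PUSH = {"Statement": [  # hypothetical grant covering the ecr-public: namespace
    {"Effect": "Allow", "Action": "ecr-public:*", "Resource": "*"}]}
GUARDRAIL = {"Statement": {  # hypothetical explicit deny, single-statement form
    "Effect": "Deny", "Action": "ecr-public:Put*", "Resource": "*"}}

if __name__ == "__main__":
    base = [PRIVATE_ECR_ONLY, INLINE_AUTH]
    for docs in (base, base + [PUBLIC_PUSH], base + [PUBLIC_PUSH, GUARDRAIL]):
        print(missing(docs) or "all push actions allowed")
```

A grant on `ecr:*` does not match any `ecr-public:` action, so the first case still reports the layer-upload and PutImage actions as missing. For an authoritative answer that includes resources and conditions, use the IAM policy simulator against the real user.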
