Push to ECR ignoring provided AWS creds, assuming IAM role instead #291

Open
christopher-wong opened this issue Apr 3, 2020 · 1 comment

christopher-wong commented Apr 3, 2020

I have Concourse set up in an Amazon EKS (k8s) cluster. The cluster has an IAM role that gives it access to a restricted set of resources needed to maintain the cluster.

Concourse is additionally seeded with a specific Concourse IAM user (via secret_access_key and access_key_id) that has access to ECR.

When I use that IAM user to push to ECR, I get a denied and not authorized to perform error. Weirdly, the role the error message references is the assumed IAM role of the cluster, and not the Concourse user of the secret_access_key and access_key_id that I passed to the docker-image resource.

My resource configuration:

  - name: ecr-docker-reg
    type: docker-image
    source:
      access_key_id: ((aws-access-key-id-dev))
      secret_access_key: ((aws-secret-access-key-dev))
      repository: <ECR_REPO_URL_HERE>

I get the following output:

Successfully tagged <IMAGE_NAME>
18:13:35
The push refers to repository [<ECR_REPO_URL_HERE]
18:13:35
82dcad63e746: Preparing
18:13:35
a4c502aa9e69: Preparing
18:13:35
8137f1ad3edc: Preparing
18:13:35
beee9f30bc1f: Preparing
18:13:35
beee9f30bc1f: Waiting
18:13:35
denied: User: arn:aws:sts::<some-assumed-cluster-role> is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-west-2:<ECR_REPO_URL>

christopher-wong changed the title from "Permission issues when pushing to AWS ECR" to "docker-image resource not using provided AWS creds, assuming IAM role instead" on Apr 6, 2020

christopher-wong changed the title from "docker-image resource not using provided AWS creds, assuming IAM role instead" to "Push to ECR ignoring provided AWS creds, assuming IAM role instead" on Apr 6, 2020

xtremerui (Contributor) commented

For a better experience with ECR, have you tried registry-image-resource, which also supports ECR?

Refer to #199 (comment)
