You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Issue
version-checker application runs as part of EKS cluster in eu-central-1 region. The ECR repository that it tries to get the tags from located in a seperate AWS account in us-west-2 region. With this setup, following error is seen in the version-checker logs:
time="2024-01-09T17:54:56Z" level=error msg="error syncing 'argus-publisher-387p426c44-n5pwl/lz': failed to sync pod argus-publisher-387p426c44-n5pwl/lz: failed to check container image \"argus-metrics\": failed to get tags from remote registry for \"1484434948134dkr.ecr.us-west-2.amazonaws.com/custom/argus-metrics\": failed to describe images: AccessDeniedException: User: arn:aws:sts::607038281239:assumed-role/de2-fra5-zpa-eks-version-checker/1704822283073328680 is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:eu-central-1:1484434948134dkr:repository/custom/argus-metrics because no resource-based policy allows the ecr:DescribeImages action\n\tstatus code: 400, request id: a28df8d3-b5cf-482b-ba79-3c318296b203, requeuing" module=controller
As seen in the above error the ECR arn is incorrectly refrenced as arn:aws:ecr:eu-central-1:1484434948134dkr:repository/custom/argus-metrics instead of arn:aws:ecr:us-west-2:1484434948134dkr:repository/custom/argus-metrics
Issue
version-checker application runs as part of EKS cluster in eu-central-1 region. The ECR repository that it tries to get the tags from located in a seperate AWS account in us-west-2 region. With this setup, following error is seen in the version-checker logs:
time="2024-01-09T17:54:56Z" level=error msg="error syncing 'argus-publisher-387p426c44-n5pwl/lz': failed to sync pod argus-publisher-387p426c44-n5pwl/lz: failed to check container image \"argus-metrics\": failed to get tags from remote registry for \"1484434948134dkr.ecr.us-west-2.amazonaws.com/custom/argus-metrics\": failed to describe images: AccessDeniedException: User: arn:aws:sts::607038281239:assumed-role/de2-fra5-zpa-eks-version-checker/1704822283073328680 is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:eu-central-1:1484434948134dkr:repository/custom/argus-metrics because no resource-based policy allows the ecr:DescribeImages action\n\tstatus code: 400, request id: a28df8d3-b5cf-482b-ba79-3c318296b203, requeuing" module=controller
As seen in the above error the ECR arn is incorrectly refrenced as
arn:aws:ecr:eu-central-1:1484434948134dkr:repository/custom/argus-metrics
instead ofarn:aws:ecr:us-west-2:1484434948134dkr:repository/custom/argus-metrics
Ref: https://github.com/jetstack/version-checker/blob/main/pkg/client/ecr/ecr.go#L42-L49
The text was updated successfully, but these errors were encountered: