AWS CLI ECR Permissions needed to push docker images

Problem

You have a new AWS account and need to set it up so that you can use the AWS CLI to push Docker images to AWS ECR.

For this, you need to find out the right permissions on the user account.


Solution

There are 2 parts to the solution:
1. You need the ECR related permissions to do the actions required
2. You need the CLI-related permissions to use an Access key on the machine building the image


ECR Related Permissions

Here I can only refer you to Amazon's ECR Reference (1). The exact set depends on your intended use case and is too extensive to define here.


CLI Related Permissions

To push Docker images from the CLI, you first need to set up your AWS CLI. For this, the account you want to use needs 2 specific permissions:

  1. iam:ListAccessKeys
  2. iam:CreateAccessKey

If you haven’t set up these permissions for the user, you first receive this error:

  • User: arn:aws:iam::$IdOfAccount:user/$username is not authorized to perform: iam:ListAccessKeys on resource: user $username because no identity-based policy allows the iam:ListAccessKeys action

Set iam:ListAccessKeys in the user permissions and kiss this message goodbye.

But then you run into the next error message:

  • User: arn:aws:iam::$IdOfAccount:user:user/$username is not authorized to perform: iam:CreateAccessKey on resource: user null$username because no identity-based policy allows the iam:CreateAccessKey action

Now set iam:CreateAccessKey and kiss this error message on the website goodbye too.
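
The two IAM permissions above, together with the ECR actions a push needs, written as one identity-based policy. This is an added example and not part of the original post; the names ending in _PLACEHOLDER must be replaced with your own values, and restricting the access-key actions to the calling user via `${aws:username}` is an assumption about how tightly you want to scope them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:ListAccessKeys",
        "iam:CreateAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "EcrLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "EcrPushToOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "arn:aws:ecr:REGION_PLACEHOLDER:ACCOUNT_ID_PLACEHOLDER:repository/REPOSITORY_NAME_PLACEHOLDER"
    }
  ]
}
```

Because the first statement's resource is the caller's own user ARN, the user can list and create only their own access keys, and the push actions apply to a single repository rather than to every repository in the account.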


Result

Now you are able to list the existing Access Keys and create new ones (which is required to use the AWS CLI).

Go ahead and set up your AWS CLI!


Let me know if it helped you.

Best,

Frank

Sources

  1. https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_PutImage.html#API_PutImage_Examples
