Docker push to AWS ECR private repo failing with malformed JSON
Ran into the same issue. For me, ensuring that the IAM user I was pushing as had the ecr:BatchCheckLayerAvailability permission cleared this up.
I had originally intended to have a "push-only" policy and didn't realize this permission was required to push successfully.
Minimal policy you need:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ecr:UploadLayerPart",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:CompleteLayerUpload",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "arn:aws:ecr:<your region>:<your account id>:repository/<your repository name>"
    }
  ]
}
In addition to @Ethan's answer: I tried to find the minimal set of permissions which are needed to push a Docker image to the AWS registry. As of today, the minimal set is:
{
  "Sid": "PushToEcr",
  "Effect": "Allow",
  "Action": [
    "ecr:BatchCheckLayerAvailability",
    "ecr:CompleteLayerUpload",
    "ecr:GetAuthorizationToken",
    "ecr:InitiateLayerUpload",
    "ecr:PutImage",
    "ecr:UploadLayerPart"
  ],
  "Resource": "*"
}
As far as I understood, Resource must be * because some of those actions do not work otherwise. Improvements are welcome!
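Added example, not part of either answer above: a small Python check that audits a policy document against the six actions both answers list. It reports which are missing, whether ecr:GetAuthorizationToken (which has no resource-level permissions) is scoped to something other than "*", and which repository-level actions are granted on "*" rather than a repository ARN. The function name, the sample ARN and the sample policy are constructed for illustration.

```python
import json

# Actions both answers list as required for `docker push` to a private ECR repo.
PUSH_ACTIONS = {
    "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload",
    "ecr:GetAuthorizationToken", "ecr:InitiateLayerUpload",
    "ecr:PutImage", "ecr:UploadLayerPart",
}
# GetAuthorizationToken has no resource-level permissions: it needs Resource "*".
ACCOUNT_WIDE = {"ecr:GetAuthorizationToken"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_push_policy(policy):
    """Return (missing, broken, overbroad) sets of action names.

    Hypothetical helper: exact-match only, so wildcard actions such as
    "ecr:*" and Deny/Condition/NotAction elements are not evaluated.
    """
    granted = {}  # action -> set of resources it is allowed on
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            granted.setdefault(action, set()).update(_as_list(stmt.get("Resource", [])))
    missing = PUSH_ACTIONS - set(granted)
    broken = {a for a in ACCOUNT_WIDE if a in granted and "*" not in granted[a]}
    overbroad = {a for a in PUSH_ACTIONS - ACCOUNT_WIDE if "*" in granted.get(a, ())}
    return missing, broken, overbroad


# Constructed sample: a push policy that omits ecr:BatchCheckLayerAvailability
# (placeholder region, account id and repository name).
REPO = "arn:aws:ecr:us-east-1:111122223333:repository/example-repo"
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
  {"Effect": "Allow", "Resource": "%s", "Action": [
     "ecr:UploadLayerPart", "ecr:PutImage",
     "ecr:InitiateLayerUpload", "ecr:CompleteLayerUpload"]}
]}""" % REPO)

if __name__ == "__main__":
    missing, broken, overbroad = audit_push_policy(SAMPLE)
    print("missing:", sorted(missing), "broken:", sorted(broken), "overbroad:", sorted(overbroad))
```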