
Comments (3)

jwitko commented on May 25, 2024

A response from AWS support on this topic:

Hello ***,

*** here from AWS support! It was nice speaking with you over the call today. Please find below a quick recap of our discussion.

You reached out to us as you are unable to describe images from the AWS owned EKS private ECR repository "***.dkr.ecr.us-west-2.amazonaws.com".

----
failed to describe images: AccessDeniedException: User: *** is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-west-2:***:repository/eks/aws-ebs-csi-driver because no resource-based policy allows the ecr:DescribeImages action
----

In order to assist you better, I tried to replicate the use case in my internal account. I logged into the AWS Public ECR repository "***.dkr.ecr.us-west-2.amazonaws.com". After that I tried to describe the images from the repository and got similar errors, as shown below:

----
aws  ecr  describe-images --registry-id *** --repository-name ***.dkr.ecr.us-west-2.amazonaws.com --region us-west-2

An error occurred (AccessDeniedException) when calling the DescribeImages operation: User: arn:aws:sts::***:assumed-role/Admin is not authorized to perform: ecr:DescribeImages on resource: arn:aws:ecr:us-west-2:***:repository/***.dkr.ecr.us-west-2.amazonaws.com because no resource-based policy allows the ecr:DescribeImages action
----

I further tried to pull the images from this repository and I was able to download the image successfully. 

Therefore, I checked internally and found that users do not have access/permissions to list/query Amazon's ECR repositories (for example ***.dkr.ecr.us-west-2.amazonaws.com). They only have pull access to download the images from Amazon's ECR repositories.

However, if you still would like to get detailed information about Amazon's ECR images, you first have to download the image and push the same image to your own ECR repository, as shown below:

----
1. $ docker tag ***.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.0 <tag>

2. $ docker push <image>

3. $ aws ecr describe-images --registry-id <repository> --image-ids imageTag=controller-v2.4.0 --region us-west-2

{
    "imageDetails": [
        {
            "registryId": "",
            "repositoryName": "",
            "imageDigest": "sha256:618bf3158323a641e4e6a79d3879dd8439776a4d8fdbb32ba8c1d6c3295c582e",
            "imageTags": [
                "controller-v2.4.0"
            ],
            "imageSizeInBytes": 18961873,
            "imagePushedAt": 1655874766.0,
----

I hope the above information will be helpful. Should you have any further concerns or issues regarding this case, feel free to let me know; I'll be more than happy to help you. I will keep this case in Pending for now and will set it to resolved by Monday.

Thank you and have a great day ahead!

We value your feedback. Please share your experience by rating this and other correspondences in the AWS Support Center. You can rate a correspondence by selecting the stars in the top right corner of the correspondence.

Best regards,
***
Amazon Web Services

So the issue here is on the AWS side. Since we can't list images, there likely isn't a simple way to make this work.
I'll close this issue since it's not something wrong with this app.

from version-checker.

jwitko commented on May 25, 2024

@davidcollom I've reopened this issue since @silazare has pointed out that this is now something that sounds like it could be implemented with minor work.


silazare commented on May 25, 2024

Faced the same issue, and it seems it was fixed in aws/containers-roadmap#1262.
I've tried with the AmazonEC2ContainerRegistryReadOnly policy attached to the EKS node, and from the node itself we can list tags with a token, but from the app side the same policy doesn't work, with a Not Authorized error:

[root@ip-192-168-246-14 /]# TOKEN=$(curl -k https://public.ecr.aws/token/ | jq -r '.token')
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1625  100  1625    0     0   5811      0 --:--:-- --:--:-- --:--:--  5803
[root@ip-192-168-246-14 /]# curl -k -H "Authorization: Bearer $TOKEN" https://public.ecr.aws/v2/eks/aws-load-balancer-controller/tags/list | jq . | head
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1353  100  1353    0     0   3822      0 --:--:-- --:--:-- --:--:--  3832
{
  "name": "eks/aws-load-balancer-controller",
  "tags": [
    "v2.4.1",
    "v2.5.4-linux_amd64",
    "v2.4.7",
    "v2.3.0-linux_amd64",
    "v2.5.1",
    "v2.5.2-linux_arm64",
    "v2.5.4",

I assume that it needs to fetch the token for public.ecr.aws in the ECR client.

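The two-step flow from the curl session above (anonymous token from public.ecr.aws/token/, then the registry v2 tags/list call with that bearer token), written as a Go client. This is an added example, not version-checker's own code; the function names are mine, and the fake registry, its token value and its tag list are constructed so the block runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)
// doJSON sends req, rejects anything but HTTP 200 and decodes the JSON body into out.
func doJSON(c *http.Client, req *http.Request, out any) error {
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s: HTTP %d", req.URL, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}
// ListPublicECRTags is the flow from the comment: anonymous token from <base>/token/, then v2 tags/list with "Bearer <token>".
func ListPublicECRTags(c *http.Client, base, repo string) ([]string, error) {
	var tok struct{ Token string } // encoding/json matches the "token" key case-insensitively
	req, _ := http.NewRequest(http.MethodGet, base+"/token/", nil)
	if err := doJSON(c, req, &tok); err != nil || tok.Token == "" {
		return nil, fmt.Errorf("anonymous token: err=%v, empty=%t", err, tok.Token == "")
	}
	var res struct{ Tags []string }
	req, _ = http.NewRequest(http.MethodGet, base+"/v2/"+repo+"/tags/list", nil)
	req.Header.Set("Authorization", "Bearer "+tok.Token) // bearer secret: keep it out of logs
	if err := doJSON(c, req, &res); err != nil {
		return nil, err
	}
	return res.Tags, nil
}
// fakePublicECR is a constructed stand-in for public.ecr.aws so the example runs offline:
// it issues a token and serves the tag list only to callers that present that token.
func fakePublicECR(repo string, tags []string) *httptest.Server {
	const token = "constructed-anonymous-token"
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.URL.Path == "/token/":
			json.NewEncoder(w).Encode(map[string]string{"token": token})
		case r.Header.Get("Authorization") != "Bearer "+token:
			http.Error(w, `{"errors":[{"code":"UNAUTHORIZED"}]}`, http.StatusUnauthorized)
		case r.URL.Path == "/v2/"+repo+"/tags/list":
			json.NewEncoder(w).Encode(map[string]any{"name": repo, "tags": tags})
		}
	}))
}
```

Pointing `base` at `https://public.ecr.aws` instead of the fake server queries the real registry; the client surfaces the 401 the registry returns when the bearer token is missing rather than silently returning an empty tag list.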
