Problem:
When configuring a new ECR integration, it is possible that all configuration is completed per the instructions on the Snyk User Docs: https://docs.snyk.io/scan-using-snyk/snyk-container/snyk-container-integrations/integrate-with-amazon-elastic-container-registry-ecr
However the integration may still fail with the message:
Could not connect to ECR. Please ensure your credentials are correctly configured
Discussion:
This can be due to ECR returning a temporary credential failure:Cannot get temporary credentials: RegionDisabledException: STS is not activated in this region for account:{accountid}. Your account administrator can activate STS in this region using the IAM Console.
STS (Security Token Service) should, in general, be enabled by default, but if you've deactivated a region that is required in our process, you could run into this issue. The region we require is us-east-2
even if your ECR region is different.
Resolution:
You can follow either this step to restore the region to STS-enabled OR this step, depending on how it was deactivated. This is hard for us to say without knowing which method was used to deactivate STS in the region.
If this does not resolve the issue, please raise a ticket with Snyk Support for assistance so we can check the logs for your integration attempt.