AWS Docker deployment

38
votes

I have a custom docker image uploaded to ECS. I opened up the permissions to try and get through this issue (I will lock it down again once I can get this to work). I am attempting to deploy the docker image to elastic beanstalk. I have a docker enabled elastic beanstalk environment set up. According to the AWS docs, if I am pulling my image from within AWS, I don't need to pass in credentials. So I upload my Dockerrun.aws.json file and attempt to install it. It fails with the error:

Command failed on instance. Return code: 1 Output: Failed to authenticate with ECR for registry '434875166128' in 'us-east-1'. Hook /opt/elasticbeanstalk/hooks/appdeploy/pre/03build.sh failed. For more detail, check /var/log/eb-activity.log using console or EB CLI.

The /var/log/eb-activity.log information has nothing useful in it.

Here's my Dockerrun.aws.json file:

{
  "AWSEBDockerrunVersion": "1",
  "Image": {
  "Name": "{id000xxxx}.dkr.ecr.us-east-1.amazonaws.com/my-repo:1.0.0",
  "Update": "true"
  },
  "Ports": [
    {
      "ContainerPort": "4000"
    }
  ],
  "Logging": "/var/log/app-name"
}

I have also tried adding the authentication with the dockercfg.json file in S3. It didn't work for me either.

Note that I am using a business account instead of a personal account, so there may be some unknown variances as well.

Thanks!

Update: My user has full permissions at the moment too, so there shouldn't be anything permission-wise getting in the way.

2
amazon-web-servicesdockeramazon-elastic-beanstalkamazon-ecs
Check the ECR repository settings/permissions like here: media.amazonwebservices.com/blog/2015/ecr_permissions_1.pngMarc Young
Also make sure that the IAM role attached to beanstalk (the instance running the pull) has access to both ECR and ECS via IAM permissions: docs.aws.amazon.com/AmazonECR/latest/userguide/…Marc Young
Thanks @MarcYoung. I did have those set up properly already.Nick Allen
@NickAllen I'm having this problem too, any update? I have both the "aws-elasticbeanstalk-ec2-role" and "aws-elasticbeanstalk-service-role" given all permissions on the repository.Ian Walter
@IanWalter Unfortunately I do not. I've put this on the back burner for now. Hopefully someone comes along with the solution at some point in time.Nick Allen

2 Answers

74
votes

I was having the same problem.

Solution: In AWS -> IAM -> Roles - > pick the role your beanstalk is using.

In my case it was set to aws-elasticbeanstalk-ec2-role

Under Permissions for the role, attach policy: AmazonEC2ContainerRegistryReadOnly

In ECR there is no need to give any permissions to this role.

0
votes

You can intialize necessary service roles for elastic beanstalk (aws-elasticbeanstalk-ec2-role , aws-elasticbeanstalk-service-role , AWSServiceRoleForECS ) by using the new console of Elastic Beanstalk. You have to do this only one time on each AWS account :

  • Go to the Elastic beanstalk console.
  • Accept the "new design" : in the top of the console, if see a message "we re testing a new design", optin to accept to use the new version of the console. Warning, it seems you cant rollback to the old console.
  • Start the Create New Application wizard, and use a default sample application in the technology.
  • Complete all the step of the wizard until the resume, and look at the Security pannel : you will see the two roles "aws-elasticbeanstalk-ec2-role" and "aws-elasticbeanstalk-service-role". And terminate the wizard to create the sample app.
  • After a while, the application should be running
  • In case of emergency, go to the IAM console and delete the roles aws-elasticbeanstalk-ec2-role and aws-elasticbeanstalk-service-role and run the wizard again.

I fixed the "Command failed on instance. Return code: 1 Output: Failed to authenticate with ECR for registry" and an other strange error ("The AWS Access Key Id you provided does not exist in our records. (ElasticBeanstalk::ManifestDownloadError)") by using the NEW console. I still had this error with the old one.