9
votes

I'm new to AWS and I'm trying to deploy a multicontainer Docker application to Elastic Beanstalk. My Dockerrun.aws.json file is very simple, and it's the only thing that's uploaded to EB:

{
  "AWSEBDockerrunVersion": 2,
  "containerDefinitions": [
    {
      "name": "mycontainer",
      "image": "somethingsomething.eu-central-1.amazonaws.com/myimage",
      "essential": true,
      "memory": 128
    }
  ]
}

In http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.container.console.html it says that when using a Docker image uploaded to Amazon ECR:

You do, however, need to provide your instances with permission to access the images in your Amazon ECR repository by adding permissions to your environment's instance profile. You can attach the AmazonEC2ContainerRegistryReadOnly managed policy to the instance profile to provide read-only access to all Amazon ECR repositories in your account

When deploying the application, it raises the following error:

ECS task stopped due to: Essential container in task exited. (myimage: CannotPullContainerError: AccessDeniedException: User: arn:aws:sts::xxx:assumed-role/aws-elasticbeanstalk-ec2-role/i-xyz is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400, request id: 4143c35d-)

I added the AWSElasticBeanstalkReadOnlyAccess to the aws-elasticbeanstalk-ec2-role, but it doesn't change anything...

Help?!

2 Answers

23
votes

I'm not sure where it's written, but I needed to actually add the AmazonEC2ContainerRegistryReadOnly policy to aws-elasticbeanstalk-ec2-role. AmazonEC2ContainerRegistryReadOnly contains the GetAuthorizationToken action.

7
votes

Per https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-instanceprofile.html#iam-instanceprofile-addperms:

  1. Open https://console.aws.amazon.com/iam/home#roles

  2. Choose aws-elasticbeanstalk-ec2-role.

  3. On the Permissions tab, choose Attach policies.

  4. Select AmazonEC2ContainerRegistryReadOnly.

  5. Choose Attach policy.
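The quoted documentation notes that the managed policy grants read-only access to every ECR repository in the account. The following added example (not part of either answer or of AWS's own code) parses the denial from the question and builds a narrower policy scoped to one repository. The account ID `111122223333`, the function names, and the simplified `allows` check (Allow statements only; no Deny, NotAction or Condition handling) are assumptions for illustration.

```python
import fnmatch
import json
import re

# Actions an instance needs in order to pull an image from Amazon ECR.
PULL_ACTIONS = ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]

# Error text from the question (account and instance IDs are redacted there).
ERROR = ("CannotPullContainerError: AccessDeniedException: User: arn:aws:sts::xxx:"
         "assumed-role/aws-elasticbeanstalk-ec2-role/i-xyz is not authorized to "
         "perform: ecr:GetAuthorizationToken on resource: * status code: 400")
# Constructed: repository ARN with a placeholder account ID.
REPO_ARN = "arn:aws:ecr:eu-central-1:111122223333:repository/myimage"
# Constructed stand-in for a policy with no ECR actions (not a real managed policy).
EB_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["elasticbeanstalk:Describe*", "elasticbeanstalk:List*"]}]}

DENIED = re.compile(r"assumed-role/(?P<role>[^/]+)/\S+ is not authorized to perform: "
                    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)")

def parse_denial(message):
    """Return (role, action, resource) from an AccessDeniedException message."""
    m = DENIED.search(message)
    return (m["role"], m["action"], m["resource"]) if m else None

def scoped_pull_policy(repo_arn):
    """Identity policy that allows pulling from a single repository only."""
    return {"Version": "2012-10-17", "Statement": [
        # GetAuthorizationToken has no resource-level permissions: it needs "*".
        {"Effect": "Allow", "Action": PULL_ACTIONS[0], "Resource": "*"},
        {"Effect": "Allow", "Action": PULL_ACTIONS[1:], "Resource": repo_arn}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """Simplified evaluation: does any Allow statement match action and resource?"""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        acts = [a.lower() for a in _as_list(stmt["Action"])]  # actions ignore case
        if (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts) and
                any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False

if __name__ == "__main__":
    role, action, resource = parse_denial(ERROR)
    print(f"{role} lacks {action}; policy without ECR actions allows it:",
          allows(EB_ONLY, action, resource))
    print(json.dumps(scoped_pull_policy(REPO_ARN), indent=2))
```

The printed JSON can be attached to the instance profile role as an inline policy in place of the account-wide managed policy.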