0
votes

I have created a non-default cluster on AWS ECS, and I am able to pull Docker images from the public Docker repository and run them for testing.

I then created an ECS private repo and built and pushed an image to this repository, which succeeded. But when I try to pull it manually using docker pull, it complains with the following error:

Error response from daemon: Get https://532193077341.dkr.ecr.ap-south-1.amazonaws.com/v2/12r/manifests/latest: no basic auth credentials

It seems to be an issue with IAM roles and permissions but I am not sure which role/policy to change.

2
How can you push an image into an ECS private repo? Is it ECR? - sayboras
@Apolozeus Yeah, I can push the images to the ECS private repo. - Divick
Can you check if you have the ecr:GetDownloadUrlForLayer, ecr:BatchGetImage and ecr:BatchCheckLayerAvailability permissions? - sayboras

2 Answers

1
votes

In your ECS container (task) definition

If you are using a private ECR repository:

Do not check the Private repository authentication option, as ECR doesn't use username-password authentication; it will use the IAM role/user permissions. Then just make sure that the ECS IAM role (called ecsTaskExecutionRole by default) has permissions to pull images from ECR. If it doesn't, add these lines yourself:

"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",

If you are using a non-ECR private repository:

Check the Private repository authentication option and give your username and password using Secrets Manager.

0
votes

You need to authenticate against ECR first. Local AWS credentials on their own aren't enough to allow you to pull from a private ECR repository. Try something like this beforehand:

$(aws ecr get-login --registry-ids <YOUR-ID> --region <YOUR-REGION>)

This will perform a docker login for you against ECR, allowing you to pull private images (assuming your local AWS credentials have the required permission).

For more information, see "Step 1: Authenticate Docker to your Default Registry" within the Amazon ECR Documentation.
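
The same login step with `aws ecr get-login-password`, which replaces `get-login` in AWS CLI v2, as an added example that is not part of the original answer. The token is piped to `docker login --password-stdin` so it stays out of the process arguments. The function names are hypothetical, and the image reference in the usage comment is built from the error message in the question.

```sh
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.
# Matches standard-partition ECR hostnames only:
#   <12-digit account>.dkr.ecr.<region>.amazonaws.com

# Print the registry host of an ECR image reference; fail if it is not ECR.
ecr_registry() {
  _host=${1%%/*}    # text before the first "/" is the registry host
  if printf '%s\n' "$_host" |
     grep -Eq '^[0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$'; then
    printf '%s\n' "$_host"
  else
    echo "not an ECR image reference: $1" >&2
    return 1
  fi
}

# Print the region encoded in an ECR registry host.
ecr_region() {
  _r=${1#*.dkr.ecr.}
  printf '%s\n' "${_r%.amazonaws.com}"
}

# Log Docker in to the registry that hosts the given image.
ecr_login() {
  _registry=$(ecr_registry "$1") || return 1
  _region=$(ecr_region "$_registry")
  # The token travels over stdin, so it never appears in argv,
  # `ps` output or shell history.
  aws ecr get-login-password --region "$_region" |
    docker login --username AWS --password-stdin "$_registry"
}

# Usage: sh ecr-login.sh 532193077341.dkr.ecr.ap-south-1.amazonaws.com/12r:latest
[ "$#" -eq 0 ] || ecr_login "$1"
```

The identity behind the local AWS credentials needs ecr:GetAuthorizationToken for the login itself, plus the three pull actions listed in the other answer for the subsequent docker pull.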