kubectl pod fails to pull down an AWS ECR image

6
votes

step 1 sudo $(aws ecr get-login --no-include-email --region xx-xxxx-x)

step 2 curl -LSs https://github.com/fermayo/ecr-k8s-secret/raw/master/gen-secret.sh | bash -

step 3 kubectl describe secret aws-ecr-credentials

Name:         aws-ecr-credentials
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data

.dockerconfigjson:  32 bytes

step 4 kubectl describe pod x

Warning Failed 5s kubelet, ip-10-46-250-151 Failed to pull image "my-account.dkr.ecr.us-east-1.amazonaws.com/my-image:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://my-account.dkr.ecr.us-east-1.amazonaws.com/my-image/latest: no basic auth credentials

Why can't the pod pull down the image?

3
kubernetesaws-ecr
Create a deployment.yml and set imagePullSecretsDominikHelps
How did you deploy this particular pod? Did you use any deployment.yml fileHansika Weerasena

3 Answers

13
votes

Created a script that pulls the token from AWS-ECR

ACCOUNT=xxxxxxxxxxxx
REGION=xx-xxxx-x
SECRET_NAME=${REGION}-ecr-registry
[email protected]

#
#

TOKEN=`aws ecr --region=$REGION get-authorization-token --output text \
    --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2`

#
#  Create or replace registry secret
#


kubectl delete secret --ignore-not-found $SECRET_NAME
kubectl create secret docker-registry $SECRET_NAME \
    --docker-server=https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com \
    --docker-username=AWS \
    --docker-password="${TOKEN}" \
    --docker-email="${EMAIL}"

and created a Linux cronjob to run this every 10 hours

1
votes

Your Deployment manifest will need to specify that the container registry credentials are in a secret. This is as simple as adding imagePullSecrets:

apiVersion: v1
kind: Deployment
metadata:
  name: deployment-name
spec:
  containers:
  - image: your-registry/image/name:tag
  imagePullSecrets:
  - name: secret-name
1
votes

I too was banging my head on this and realized it was a region mismatch. I was getting my token from us-east-2 when the image is located in us-west-2.

Snippet from https://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors-docker.html#error-403

There are times when you may receive an HTTP 403 (Forbidden) error, or the error message no basic auth credentials from the docker push command, even if you have successfully authenticated to Docker using the aws ecr get-login command. The following are some known causes of this issue:

You have authenticated to a different region Authentication requests are tied to specific regions, and cannot be used across regions. For example, if you obtain an authorization token from US West (Oregon), you cannot use it to authenticate against your repositories in US East (N. Virginia). To resolve the issue, ensure that you are using the same region for both authentication and docker push command calls.