I'm working with aws ecs service for the first time and running into some permission issues. I'm using terraform to create a task definition and service definition.
My task definition's JSON config (container definitions):
[
  {
    "dnsSearchDomains": null,
    "logConfiguration": null,
    "portMappings": [
      {
        "containerPort": 80,
        "hostPort": 0,
        "protocol": "tcp"
      }
    ],
    "entryPoint": [
      "httpd",
      "-DFOREGROUND"
    ],
    "command": null,
    "linuxParameters": null,
    "cpu": 0,
    "resourceRequirements": null,
    "ulimits": null,
    "dnsServers": null,
    "mountPoints": [],
    "workingDirectory": null,
    "secrets": [
      ...my_secrets..
    ],
    "dockerSecurityOptions": null,
    "memory": 350,
    "memoryReservation": null,
    "volumesFrom": [],
    "stopTimeout": null,
    "image": "${api_image}",
    "startTimeout": null,
    "dependsOn": null,
    "disableNetworking": null,
    "interactive": null,
    "healthCheck": null,
    "essential": true,
    "links": null,
    "hostname": null,
    "extraHosts": null,
    "pseudoTerminal": null,
    "user": null,
    "readonlyRootFilesystem": null,
    "dockerLabels": null,
    "systemControls": null,
    "privileged": null,
    "name": "myApp"
  }
]
The IAM role I create for the task definition, in iam_role.tf:
resource "aws_iam_role" "api" {
  name               = "api-${var.environment}"
  assume_role_policy = "${file("../../policies/iam_ecs_role.json")}"
  tags = {
    terraform = true
  }
}

# Attach SSM read only policy to read from param store.
resource "aws_iam_role_policy_attachment" "attach-ssm" {
  role       = "${aws_iam_role.api.name}"
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
}

# Attach the ECS task execution policy: it allows pulling images from ECR
# and writing to CloudWatch Logs (it does not grant pushes to ECR).
resource "aws_iam_role_policy_attachment" "attach-ecs-task" {
  role       = "${aws_iam_role.api.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Attach policy to allow access to KMS to decrypt SSM SecureString values.
resource "aws_iam_role_policy_attachment" "attach-kms" {
  role       = "${aws_iam_role.api.name}"
  policy_arn = "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser"
}

# AdministratorAccess grants every action on every resource in the account.
resource "aws_iam_role_policy_attachment" "attach-admin" {
  role       = "${aws_iam_role.api.name}"
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
And the trust policy JSON file referenced by the role resource above:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": [
          "ecs.amazonaws.com",
          "ec2.amazonaws.com",
          "ecs-tasks.amazonaws.com"
        ]
      },
      "Effect": "Allow"
    }
  ]
}
So the role I have has the following policy:
The issue I'm having is that when I deploy the service to the cluster I get the following error in the tasks:
CannotPullContainerError: Error response from daemon: pull access denied for xxxxxxxxx.xxx.ecr.us-east-1.amazonaws.com/my-image, repository does not exist or may require 'docker login'
I can't seem to figure out why the task is having trouble pulling from ECR. The instance the container is launched on is in a public subnet and has a public IP, so it definitely has access to the internet. What am I missing here?
xxxxxxxx.xxx.ecr.us-east-1.amazonaws.com/my-image? Based on the error message it seems like you might just not be using the correct URL for the repository. – theonlyrao
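As an added example, not part of the question or the comment above, here is how the same setup looks with the two ECS roles separated and scoped down, in Terraform 0.12+ syntax. The image pull and the resolution of `secrets` happen before the container starts and are done by the ECS agent with the task *execution* role (on the EC2 launch type, with the container instance's role when no `execution_role_arn` is set), not with the task role the application code uses. The managed `AmazonECSTaskExecutionRolePolicy` covers the ECR pull and CloudWatch Logs only, so `ssm:GetParameters` and, for SecureString parameters encrypted with a customer managed key, `kms:Decrypt` are granted explicitly and scoped to one parameter path and one key. Nothing is trusted by `ec2.amazonaws.com` or `ecs.amazonaws.com`, and `AdministratorAccess` is not attached anywhere. The repository name `my-image`, the parameter path `/api/<environment>/`, the KMS alias `alias/api-secrets`, the `DB_PASSWORD` secret and the `image_tag` variable are assumptions; `var.environment` is the variable from the question.

```hcl
# Added example, not the asker's configuration. All names below are assumed.
variable "image_tag" {
  type = string
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  region     = data.aws_region.current.name
  # A private ECR image reference has the form
  # <account-id>.dkr.ecr.<region>.amazonaws.com/<repository>:<tag>
  api_image = "${local.account_id}.dkr.ecr.${local.region}.amazonaws.com/my-image:${var.image_tag}"
  param_arn = "arn:aws:ssm:${local.region}:${local.account_id}:parameter/api/${var.environment}"
}

# Trust policy: only the ECS task scheduler may assume the roles below.
data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

# Execution role: used by the ECS agent to pull the image, write logs and
# fetch the values listed under "secrets" before the container starts.
resource "aws_iam_role" "api_execution" {
  name               = "api-execution-${var.environment}"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

resource "aws_iam_role_policy_attachment" "api_execution_managed" {
  role       = aws_iam_role.api_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Assumed alias of the customer managed key that encrypts the parameters.
data "aws_kms_alias" "api_secrets" {
  name = "alias/api-secrets"
}

data "aws_iam_policy_document" "api_execution_secrets" {
  statement {
    actions   = ["ssm:GetParameters"]
    resources = ["${local.param_arn}/*"]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [data.aws_kms_alias.api_secrets.target_key_arn]
  }
}

resource "aws_iam_role_policy" "api_execution_secrets" {
  name   = "read-parameters"
  role   = aws_iam_role.api_execution.id
  policy = data.aws_iam_policy_document.api_execution_secrets.json
}

# Task role: what the application itself may call at runtime. It starts
# with no permissions; grant only what the code actually needs.
resource "aws_iam_role" "api_task" {
  name               = "api-task-${var.environment}"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

resource "aws_ecs_task_definition" "api" {
  family             = "api-${var.environment}"
  execution_role_arn = aws_iam_role.api_execution.arn
  task_role_arn      = aws_iam_role.api_task.arn

  container_definitions = jsonencode([
    {
      name         = "myApp"
      image        = local.api_image
      essential    = true
      memory       = 350
      entryPoint   = ["httpd", "-DFOREGROUND"]
      portMappings = [{ containerPort = 80, hostPort = 0, protocol = "tcp" }]
      secrets = [
        { name = "DB_PASSWORD", valueFrom = "${local.param_arn}/db_password" }
      ]
    }
  ])
}
```

If the task definition is left without `execution_role_arn` on the EC2 launch type, the pull is made with the container instance profile instead, so that role is the one that must carry `AmazonEC2ContainerServiceforEC2Role` (or equivalent ECR read permissions); in that case the ECR permissions on a task role have no effect on the pull. The registry hostname in the `image` value should also match the `<account-id>.dkr.ecr.<region>.amazonaws.com` form exactly, as the comment above suggests.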