On-Demand instance in ECS with a organization account, failed to pull docker image from ECR

0
votes

I'm having trouble to start an ECS task on a On-Demand EC2. I have an AWS account that is a sub-account from a organization, and I've been unable to make the ECS agent pull the image from ECR, the task stops with the following error:

CannotPullContainerError: Error response from daemon: pull access denied

I've set the permissions on ECR for my account and the ecsInstanceRole. Also, I've already tried to set admin permissions for the iam roles, but no success.

What kind of permission do I need to have to allow the pull of the image?

1
amazon-web-servicesamazon-ec2amazon-iamamazon-ecs
This looks like it requires the ec2 user permission to read ecr image. - Prashant Lakhlani
It does, but the EC2 has an IAM role allowing full access to ECR. I've cleaned all roles and created the cluster with AWS Console, but still fails to pull the image. - Juliano Grams

1 Answers

0
votes

Please check whether you have RegisterContainerInstance for your account.