0
votes

I am facing an issue with pulling a docker image from an ECR repository and getting the error - CannotPullContainerError: Error response from daemon

In my VPC, I have a private subnet which doesn't have a NAT gateway connected. Hence, to access ECR, I have created the below ECR interface endpoints and S3 endpoint and associated the private subnet with them:

  1. com.amazonaws.region.ecr.api
  2. com.amazonaws.region.ecr.dkr
  3. com.amazonaws.region.s3

I also updated the repository policy to the below:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload"
            ]
        }
    ]
}

I also updated the Fargate task security group to allow port 443 from the VPC range. But still, I am facing the same issue and unable to pull the image. Can you please help with the same?

2
What about your task execution policy? - Marcin

2 Answers

0
votes

I think if your VPC endpoint is correct, you might need to add the below permission to the above permissions.

"ecr:GetAuthorizationToken"

Thanks

Ashish Bhatia

0
votes

The issue got resolved after changing the DHCP options to add AmazonProvidedDNS and also adding the CloudWatch Logs endpoint.

Might help someone!
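An offline checker, added here as an example and not code from either answer, that combines the two fixes above (the execution role permission and the endpoint/DNS configuration): it walks constructed records shaped like `aws ec2 describe-vpc-endpoints` entries, the VPC's DHCP options and the task execution role's policy document, and reports what would block a Fargate pull from ECR in a subnet without NAT. The region, subnet id and all sample values are assumptions.

```python
import fnmatch
# Endpoints a Fargate task in a subnet with no NAT gateway needs: ecr.api and ecr.dkr
# for the registry, s3 for layer blobs, logs for the awslogs driver ("us-east-1" is a placeholder).
REQUIRED_ENDPOINTS = ["com.amazonaws.us-east-1." + s for s in ("ecr.api", "ecr.dkr", "s3", "logs")]
# Actions the task execution role (not the repository policy) needs to pull and log.
REQUIRED_EXEC_ACTIONS = ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                         "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                         "logs:CreateLogStream", "logs:PutLogEvents"]

def allowed_actions(policy):
    # Flatten the Allow statements of an IAM policy document into action patterns.
    acts = []
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow":
            a = st.get("Action", [])
            acts.extend([a] if isinstance(a, str) else a)
    return acts

def audit(endpoints, dhcp, exec_policy, subnet_id):
    # endpoints mirror describe-vpc-endpoints entries; dhcp maps option key -> values.
    findings = []
    by_name = {e["ServiceName"]: e for e in endpoints}
    for svc in REQUIRED_ENDPOINTS:
        ep = by_name.get(svc)
        if ep is None:
            findings.append(f"missing endpoint {svc}")
        elif ep.get("VpcEndpointType") == "Interface":
            if not ep.get("PrivateDnsEnabled"):
                findings.append(f"{svc}: PrivateDnsEnabled is false")
            if subnet_id not in ep.get("SubnetIds", []):
                findings.append(f"{svc}: subnet {subnet_id} not associated")
    # Endpoint private DNS names only resolve through the Amazon-provided resolver.
    if "AmazonProvidedDNS" not in dhcp.get("domain-name-servers", []):
        findings.append("DHCP options: domain-name-servers lacks AmazonProvidedDNS")
    patterns = allowed_actions(exec_policy)
    for action in REQUIRED_EXEC_ACTIONS:
        if not any(fnmatch.fnmatch(action, p) for p in patterns):
            findings.append(f"execution role missing {action}")
    return findings

# Constructed sample mirroring the question: ecr.api, ecr.dkr and s3 endpoints exist, no
# logs endpoint, a custom DNS server, and an execution role lacking GetAuthorizationToken.
def iface(svc):
    return {"ServiceName": svc, "VpcEndpointType": "Interface",
            "PrivateDnsEnabled": True, "SubnetIds": ["subnet-0aaa"]}
SAMPLE_ENDPOINTS = [iface("com.amazonaws.us-east-1.ecr.api"), iface("com.amazonaws.us-east-1.ecr.dkr"),
                    {"ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway"}]
SAMPLE_DHCP = {"domain-name-servers": ["192.168.1.53"]}
SAMPLE_EXEC_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "logs:*"]}]}
```

Running `audit(SAMPLE_ENDPOINTS, SAMPLE_DHCP, SAMPLE_EXEC_POLICY, "subnet-0aaa")` reports the missing logs endpoint, the DHCP resolver and the missing ecr:GetAuthorizationToken, i.e. exactly the three things the comment and the two answers point at.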