
I have a custom docker image uploaded to ECS. I opened up the permissions to try and get through this issue (I will lock it down again once I can get this to work). I am attempting to deploy the docker image to elastic beanstalk. I have a docker enabled elastic beanstalk environment set up. According to the AWS docs, if I am pulling my image from within AWS, I don't need to pass in credentials. So I upload my Dockerrun.aws.json file and attempt to install it. It fails with the error:

Command failed on instance. Return code: 1 Output: Failed to authenticate with ECR for registry '434875166128' in 'us-east-1'. Hook /opt/elasticbeanstalk/hooks/appdeploy/pre/03build.sh failed. For more detail, check /var/log/eb-activity.log using console or EB CLI.

The /var/log/eb-activity.log information has nothing useful in it.

Here's my Dockerrun.aws.json file:

{
  "AWSEBDockerrunVersion": "1",
  "Image": {
    "Name": "{id000xxxx}.dkr.ecr.us-east-1.amazonaws.com/my-repo:1.0.0",
    "Update": "true"
  },
  "Ports": [
    {
      "ContainerPort": "4000"
    }
  ],
  "Logging": "/var/log/app-name"
}

I have also tried adding the authentication with the dockercfg.json file in S3. It didn't work for me either.

Note that I am using a business account instead of a personal account, so there may be some unknown variances as well.

Thanks!

Update: My user has full permissions at the moment too, so there shouldn't be anything permission-wise getting in the way.

  • Check the ECR repository settings/permissions like here: media.amazonwebservices.com/blog/2015/ecr_permissions_1.png Commented Aug 24, 2016 at 10:47
  • Also make sure that the IAM role attached to beanstalk (the instance running the pull) has access to both ECR and ECS via IAM permissions: docs.aws.amazon.com/AmazonECR/latest/userguide/… Commented Aug 24, 2016 at 10:48
  • Thanks @MarcYoung. I did have those set up properly already. Commented Aug 25, 2016 at 16:12
  • @NickAllen I'm having this problem too, any update? I have both the "aws-elasticbeanstalk-ec2-role" and "aws-elasticbeanstalk-service-role" given all permissions on the repository. Commented Sep 10, 2016 at 17:37
  • @IanWalter Unfortunately I do not. I've put this on the back burner for now. Hopefully someone comes along with the solution at some point in time. Commented Sep 12, 2016 at 22:51

3 Answers


I was having the same problem.

Solution: In AWS -> IAM -> Roles -> pick the role your beanstalk is using.

In my case it was set to aws-elasticbeanstalk-ec2-role

Under Permissions for the role, attach policy: AmazonEC2ContainerRegistryReadOnly

In ECR there is no need to give any permissions to this role.


3 Comments

  • You're awesome! This is exactly what I was missing.
  • aws-elasticbeanstalk-ec2-role is the default instance profile when you launch an environment in the AWS Elastic Beanstalk management console. -- docs.aws.amazon.com/elasticbeanstalk/latest/dg/…
  • Link to documentation where the permission AmazonEC2ContainerRegistryReadOnly is used: docs.aws.amazon.com/elasticbeanstalk/latest/dg/…

Assuming

  1. You are using Terraform to provision your infrastructure
  2. You have created a sample ElasticBeanstalk app at least once, so that you have the default role created.
  3. The default ElasticBeanstalk role is named: aws-elasticbeanstalk-ec2-role

Then you can comfortably use the following format to add ECR Read Only policy to the role:

data "aws_iam_role" "elastic_beanstalk_role" {
  name = "aws-elasticbeanstalk-ec2-role"
}

resource "aws_iam_policy" "ebs_ecr_policy" {
  name        = "aws-elasticbeanstalk-ec2-ecr-policy"
  description = "Enable elastic-beanstalk to be able to access ECR repository with images"
  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"
            ],
            "Resource": "*"
        }
    ]
}
EOF
}

resource "aws_iam_policy_attachment" "ebs_ecr-policy-attach" {
  name       = "ebs-ecr-policy-attachment"
  roles      = [data.aws_iam_role.elastic_beanstalk_role.name]
  policy_arn = aws_iam_policy.ebs_ecr_policy.arn
}

This way you can manage updates to the role and policy from your infrastructure code.
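The policy above grants all twelve read-only actions on every repository; the accepted answer's managed policy is equally broad. The following is an added offline check (not from either answer) that evaluates a policy document against the four actions a pull actually needs and shows a repository-scoped variant. The repository ARN, policy documents and the NotAction/Condition limitations are constructed assumptions.

```python
import fnmatch
import json

# The four actions an image pull from a private ECR registry needs.
# ecr:GetAuthorizationToken is an account-level call and only works on Resource "*".
PULL_ACTIONS = frozenset({
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
})

REPO_ARN = "arn:aws:ecr:us-east-1:123456789012:repository/my-repo"  # constructed

# Constructed: least-privilege form of the policy above, scoped to one repository.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage"],
         "Resource": REPO_ARN},
    ],
})

# Constructed: a common mistake, scoping the token call to the repository ARN too.
MISSCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ecr:*", "Resource": REPO_ARN}],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def pull_gaps(policy_json, repo_arn):
    """Return the pull actions the policy does not allow (or explicitly denies)
    for repo_arn. NotAction, NotResource and Condition are not evaluated."""
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for needed in PULL_ACTIONS:
            # IAM action patterns use * and ? and match case-insensitively.
            if not any(fnmatch.fnmatchcase(needed.lower(), a.lower()) for a in actions):
                continue
            if needed == "ecr:GetAuthorizationToken":
                covered = "*" in resources
            else:
                covered = any(r == "*" or fnmatch.fnmatchcase(repo_arn, r) for r in resources)
            if covered:
                (allowed if stmt.get("Effect") == "Allow" else denied).add(needed)
    return sorted((PULL_ACTIONS - allowed) | denied)
```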


You can initialize the necessary service roles for Elastic Beanstalk (aws-elasticbeanstalk-ec2-role, aws-elasticbeanstalk-service-role, AWSServiceRoleForECS) by using the new Elastic Beanstalk console. You have to do this only once on each AWS account:

  • Go to the Elastic beanstalk console.
  • Accept the "new design": at the top of the console, if you see a message "we're testing a new design", opt in to use the new version of the console. Warning: it seems you can't roll back to the old console.
  • Start the Create New Application wizard, and use a default sample application in the technology.
  • Complete all the steps of the wizard until the resume, and look at the Security panel: you will see the two roles "aws-elasticbeanstalk-ec2-role" and "aws-elasticbeanstalk-service-role". Then finish the wizard to create the sample app.
  • After a while, the application should be running.
  • In case of emergency, go to the IAM console, delete the roles aws-elasticbeanstalk-ec2-role and aws-elasticbeanstalk-service-role, and run the wizard again.

I fixed the "Command failed on instance. Return code: 1 Output: Failed to authenticate with ECR for registry" error and another strange error ("The AWS Access Key Id you provided does not exist in our records. (ElasticBeanstalk::ManifestDownloadError)") by using the NEW console. I still had this error with the old one.
