AWS Docker deployment

Question

I have a custom docker image uploaded to ECS. I opened up the permissions to try and get through this issue (I will lock it down again once I can get this to work). I am attempting to deploy the docker image to elastic beanstalk. I have a docker enabled elastic beanstalk environment set up. According to the AWS docs, if I am pulling my image from within AWS, I don't need to pass in credentials. So I upload my Dockerrun.aws.json file and attempt to install it. It fails with the error:

Command failed on instance. Return code: 1 Output: Failed to authenticate with ECR for registry '434875166128' in 'us-east-1'. Hook /opt/elasticbeanstalk/hooks/appdeploy/pre/03build.sh failed. For more detail, check /var/log/eb-activity.log using console or EB CLI.

The /var/log/eb-activity.log information has nothing useful in it.

Here's my Dockerrun.aws.json file:

{
  "AWSEBDockerrunVersion": "1",
  "Image": {
  "Name": "{id000xxxx}.dkr.ecr.us-east-1.amazonaws.com/my-repo:1.0.0",
  "Update": "true"
  },
  "Ports": [
    {
      "ContainerPort": "4000"
    }
  ],
  "Logging": "/var/log/app-name"
}

I have also tried adding the authentication with the dockercfg.json file in S3. It didn't work for me either.

Note that I am using a business account instead of a personal account, so there may be some unknown variances as well.

Thanks!

Update: My user has full permissions at the moment too, so there shouldn't be anything permission-wise getting in the way.

Check the ECR repository settings/permissions like here: https://media.amazonwebservices.com/blog/2015/ecr_permissions_1.png — Marc Young, Aug 24 '16 at 10:47
Also make sure that the IAM role attached to beanstalk (the instance running the pull) has access to both ECR and ECS via IAM permissions: http://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_IAM_policies.html — Marc Young, Aug 24 '16 at 10:48
Thanks @MarcYoung. I did have those set up properly already. — Nick Allen, Aug 25 '16 at 16:12
@NickAllen I'm having this problem too, any update? I have both the "aws-elasticbeanstalk-ec2-role" and "aws-elasticbeanstalk-service-role" given all permissions on the repository. — Ian Walter, Sep 10 '16 at 17:37
@IanWalter Unfortunately I do not. I've put this on the back burner for now. Hopefully someone comes along with the solution at some point in time. — Nick Allen, Sep 12 '16 at 22:51

score 88 · Accepted Answer · answered Oct 20 '16 at 14:27

88

I was having the same problem.

Solution: In AWS -> IAM -> Roles - > pick the role your beanstalk is using.

In my case it was set to aws-elasticbeanstalk-ec2-role

Under Permissions for the role, attach policy: AmazonEC2ContainerRegistryReadOnly

In ECR there is no need to give any permissions to this role.

answered Oct 20 '16 at 14:27

Anter

1,025
9
7

You're awesome! This is exactly what I was missing. – Nick Allen Oct 20 '16 at 18:57
7

`aws-elasticbeanstalk-ec2-role` is the default instance profile when you launch an environment in the AWS Elastic Beanstalk management console. -- http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-instanceprofile.html – Robert Claypool Dec 13 '16 at 16:10
LInk to documentation where the permission `AmazonEC2ContainerRegistryReadOnly` is used: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.container.console.html – Amio.io Aug 31 '17 at 07:31

score 1 · Answer 2 · answered Aug 26 '22 at 18:27

Assuming

You are using Terraform to provision your infrastructure
You have created a sample ElasticBeanstalk app at least once, so that you have the default role created.
The default ElasticBeanstalk role is named: aws-elasticbeanstalk-ec2-role

Then you can comfortably use the following format to add ECR Read Only policy to the role:

data "aws_iam_role" "elastic_beanstalk_role" {
  name = "aws-elasticbeanstalk-ec2-role"
}

resource "aws_iam_policy" "ebs_ecr_policy" {
  name        = "aws-elasticbeanstalk-ec2-ecr-policy"
  description = "Enable elastic-beanstalk to be able to access ECR repository with images"
  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"
            ],
            "Resource": "*"
        }
    ]
}
EOF
}

resource "aws_iam_policy_attachment" "ebs_ecr-policy-attach" {
  name       = "ebs-ecr-policy-attachment"
  roles      = [data.aws_iam_role.elastic_beanstalk_role.name]
  policy_arn = aws_iam_policy.ebs_ecr_policy.arn
}

This way you can manage updates to the role and policy from your infrastructure code.

score 0 · Answer 3 · answered Nov 22 '17 at 22:46

You can intialize necessary service roles for elastic beanstalk (aws-elasticbeanstalk-ec2-role , aws-elasticbeanstalk-service-role , AWSServiceRoleForECS ) by using the new console of Elastic Beanstalk. You have to do this only one time on each AWS account :

Go to the Elastic beanstalk console.
Accept the "new design" : in the top of the console, if see a message "we re testing a new design", optin to accept to use the new version of the console. Warning, it seems you cant rollback to the old console.
Start the Create New Application wizard, and use a default sample application in the technology.
Complete all the step of the wizard until the resume, and look at the Security pannel : you will see the two roles "aws-elasticbeanstalk-ec2-role" and "aws-elasticbeanstalk-service-role". And terminate the wizard to create the sample app.
After a while, the application should be running
In case of emergency, go to the IAM console and delete the roles aws-elasticbeanstalk-ec2-role and aws-elasticbeanstalk-service-role and run the wizard again.

I fixed the "Command failed on instance. Return code: 1 Output: Failed to authenticate with ECR for registry" and an other strange error ("The AWS Access Key Id you provided does not exist in our records. (ElasticBeanstalk::ManifestDownloadError)") by using the NEW console. I still had this error with the old one.

AWS Docker deployment

3 Answers3