
Step 1: sudo $(aws ecr get-login --no-include-email --region xx-xxxx-x)

Step 2: curl -LSs https://github.com/fermayo/ecr-k8s-secret/raw/master/gen-secret.sh | bash -

Step 3: kubectl describe secret aws-ecr-credentials

Name:         aws-ecr-credentials
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data

.dockerconfigjson:  32 bytes

Step 4: kubectl describe pod x

Warning Failed 5s kubelet, ip-10-46-250-151 Failed to pull image "my-account.dkr.ecr.us-east-1.amazonaws.com/my-image:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://my-account.dkr.ecr.us-east-1.amazonaws.com/my-image/latest: no basic auth credentials

Why can't the pod pull down the image?

3 Answers

Created a script that pulls the token from AWS-ECR

#!/usr/bin/env bash
# Fetch a fresh ECR authorization token and store it as a Kubernetes
# docker-registry secret. ECR tokens expire after 12 hours, so this has
# to run on a schedule.
set -euo pipefail

ACCOUNT=xxxxxxxxxxxx
REGION=xx-xxxx-x
SECRET_NAME=${REGION}-ecr-registry
EMAIL=email@email.com

#
#  Get the token. It decodes to "AWS:<password>", so keep the password part.
#  The --query expression is quoted so the shell does not glob the brackets.
#
TOKEN=$(aws ecr --region="$REGION" get-authorization-token --output text \
    --query 'authorizationData[].authorizationToken' | base64 -d | cut -d: -f2)

#
#  Create or replace registry secret
#
kubectl delete secret --ignore-not-found "$SECRET_NAME"
kubectl create secret docker-registry "$SECRET_NAME" \
    --docker-server="https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com" \
    --docker-username=AWS \
    --docker-password="${TOKEN}" \
    --docker-email="${EMAIL}"

and created a Linux cronjob to run this every 10 hours

    worth noting: `--docker-email` is **required** for the kubernetes config to work, even though it is deprecated. it can be set to a bogus value like no@email.com. – tedder42 Jun 16 '19 at 04:11
    This script is magical! Thank you so much. As an added bonus you can turn this script into a **kubectl plugin** by naming it **kubectl-ecr** and putting it in your path. You can then invoke the script directly from `kubectl` like this — `kubectl ecr`. – G. Rafael Nov 07 '19 at 17:09

Your Deployment manifest will need to specify that the container registry credentials are in a secret. This is as simple as adding imagePullSecrets:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-name
spec:
  selector:
    matchLabels:
      app: deployment-name
  template:
    metadata:
      labels:
        app: deployment-name
    spec:
      containers:
      - name: app
        image: your-registry/image/name:tag
      imagePullSecrets:
      - name: secret-name
  • Thanks i already have that included in my pod definition. see below apiVersion: v1 kind: Pod metadata: name: dc labels: name: DomainController location: typhoon spec: containers: - name: dc image: xxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/decs-dc:latest imagePullSecrets: - name: aws-ecr-credentials – Barak Dec 20 '18 at 16:38
  • thanks @rawkode; yours combined with barak's answer seems to be the missing pieces. – tedder42 Jun 16 '19 at 04:10

I too was banging my head on this and realized it was a region mismatch. I was getting my token from us-east-2 when the image is located in us-west-2.

Snippet from https://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors-docker.html#error-403

There are times when you may receive an HTTP 403 (Forbidden) error, or the error message no basic auth credentials from the docker push command, even if you have successfully authenticated to Docker using the aws ecr get-login command. The following are some known causes of this issue:

You have authenticated to a different region. Authentication requests are tied to specific regions, and cannot be used across regions. For example, if you obtain an authorization token from US West (Oregon), you cannot use it to authenticate against your repositories in US East (N. Virginia). To resolve the issue, ensure that you are using the same region for both authentication and docker push command calls.
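The two failure modes discussed in this thread (a secret that does not actually cover the image's registry, and a token obtained for the wrong region) can both be checked offline from the decoded .dockerconfigjson. The following is an added example, not code from any answer above; the account id, region and token values are constructed placeholders.

```python
import base64
import json
import re

def make_secret(auths):
    """Build the base64 payload kubectl stores under .dockerconfigjson (constructed sample)."""
    return base64.b64encode(json.dumps({"auths": auths}).encode()).decode()

# Constructed: a token issued for us-east-2 with a placeholder account id.
SAMPLE_DOCKERCONFIGJSON = make_secret({
    "https://123456789012.dkr.ecr.us-east-2.amazonaws.com": {
        "username": "AWS",
        "password": "placeholder-token",
        "auth": base64.b64encode(b"AWS:placeholder-token").decode(),
    }
})
# Constructed: a secret with no registry entries at all.
EMPTY_DOCKERCONFIGJSON = make_secret({})

ECR_HOST = re.compile(r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")

def registry_hosts(dockerconfigjson_b64):
    """Registry hosts that have credentials in the secret, as bare hostnames
    (kubectl stores the --docker-server value verbatim, scheme included)."""
    cfg = json.loads(base64.b64decode(dockerconfigjson_b64))
    return {re.sub(r"^https?://", "", s).split("/")[0] for s in cfg.get("auths", {})}

def image_host(image):
    """Registry host of an image reference; Docker Hub when none is given."""
    parts = image.split("/", 1)
    if len(parts) == 2 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        return parts[0]
    return "docker.io"

def diagnose(image, dockerconfigjson_b64):
    """Return why a pull of `image` would get 'no basic auth credentials' with this
    secret, or None when the secret covers the image's registry."""
    hosts = registry_hosts(dockerconfigjson_b64)
    if not hosts:
        return "secret contains no registry credentials"
    host = image_host(image)
    if host in hosts:
        return None
    img = ECR_HOST.match(host)
    for cred in (ECR_HOST.match(h) for h in hosts):
        if img and cred and img["account"] == cred["account"] and img["region"] != cred["region"]:
            return f"region mismatch: token is for {cred['region']}, image is in {img['region']}"
    return f"no credentials for {host}; secret covers {sorted(hosts)}"
```

Feed it the output of `kubectl get secret <name> -o jsonpath='{.data.\.dockerconfigjson}'` together with the pod's image reference.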