
I need help. I am storing one image in an ECR private repo, and I need to use that in the ECS task definition, so that I can run a new task under ECS from it. I tried with ecsTaskExecutionPolicy and Secrets Manager, but still, it is not working. Can someone guide me on the correct way to use a private repo in a task definition in AWS?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "ssm:GetParameters",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:region:account:secret:secret-name"
            ]
        }
    ]
}

I also attached the above policy to the task execution role, but it is still not working.

  • "it is not working" - is not specific! What exactly is happening? What is your task definition? – Marcin Oct 14 '22 at 06:31
  • That IAM role in your question makes NO SENSE. It only allows GetSecretValue from Secrets Manager, the other actions you have listed don't actually apply since you aren't listing any SSM or KMS resources in the policy. But all of that is irrelevant, because nothing in the IAM policy has **ANYTHING** to do with ECR so it's entirely unclear why you even included the IAM role in your question. – Mark B Oct 14 '22 at 13:09
  • Because in the AWS documentation, it's mentioned we need to add taskExecutionRole – Gundeep Singh Oct 14 '22 at 13:12



Pulling images from the ECR repo doesn't require private authentication. You just need to add ECR repo permission to the ECS task execution IAM role and it will work.

https://aws.amazon.com/premiumsupport/knowledge-center/ecs-tasks-pull-images-ecr-repository/

Kapil
  • If I didn't check the private checkbox, it successfully creates the task definition, but when I run the task, it gives me an error of No container instance is found; how can I solve this error? – Gundeep Singh Oct 14 '22 at 13:15
  • You need to launch the ECS-optimized AMI instance first and then it will be picked by the cluster for running the task. Please refer to the doc - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html – Kapil Oct 14 '22 at 14:52
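The answer's point is that the task execution role needs ECR pull permissions, and that the Secrets Manager policy in the question grants none of them. The following Python is an added example, not code from the question, the answer or AWS: it builds a least-privilege execution-role policy scoped to one repository and checks any policy document for the four ECR actions the ECS agent uses to pull an image (`ecr:GetAuthorizationToken`, which must be granted on `"*"`, plus `ecr:BatchCheckLayerAvailability`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchGetImage`). The repository ARN and account id are placeholders; the first policy document is the one posted in the question, reproduced as sample input.

```python
import fnmatch

# Actions the ECS agent needs, via the task execution role, to pull a private
# ECR image. GetAuthorizationToken is not resource-scoped and must be on "*".
ECR_PULL_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
}


def execution_role_policy(repo_arn: str) -> dict:
    """Least-privilege execution-role policy for pulling from one ECR repo.

    The logs actions are what the awslogs log driver needs; they are kept on
    "*" here because the log group name is not known in this example.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": "ecr:GetAuthorizationToken",
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["ecr:BatchCheckLayerAvailability",
                        "ecr:GetDownloadUrlForLayer",
                        "ecr:BatchGetImage"],
             "Resource": repo_arn},
            {"Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": "*"},
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM wildcard matching: "*" and "?" only, case-insensitive for actions.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def missing_ecr_actions(policy: dict, repo_arn: str = "*") -> set:
    """Return the ECR pull actions that `policy` does not allow.

    An action counts as granted only if some Allow statement matches it AND
    its Resource covers what the action is evaluated against: "*" for
    GetAuthorizationToken, the repository ARN for the other three.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        action_patterns = _as_list(stmt.get("Action", []))
        resource_patterns = _as_list(stmt.get("Resource", []))
        for action in ECR_PULL_ACTIONS:
            target = "*" if action == "ecr:GetAuthorizationToken" else repo_arn
            action_ok = any(_matches(p, action) for p in action_patterns)
            resource_ok = any(_matches(r, target) for r in resource_patterns)
            if action_ok and resource_ok:
                granted.add(action)
    return ECR_PULL_ACTIONS - granted


# Sample input: the policy from the question. It only covers secret retrieval,
# which ECS uses for repositoryCredentials on non-ECR registries, so every ECR
# pull action is missing.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "ssm:GetParameters",
                   "secretsmanager:GetSecretValue"],
        "Resource": ["arn:aws:secretsmanager:region:account:secret:secret-name"],
    }],
}

# Placeholder repository ARN (constructed, not a real account).
REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/my-app"

if __name__ == "__main__":
    print("question policy lacks:", sorted(missing_ecr_actions(QUESTION_POLICY, REPO_ARN)))
    print("fixed policy lacks:", sorted(missing_ecr_actions(execution_role_policy(REPO_ARN), REPO_ARN)))
```

Run it against any policy document attached to the execution role (for example the output of `aws iam get-role-policy`) to see which pull actions are absent before touching the task definition. Note the check is intentionally strict about `Resource`: a statement that grants `ecr:GetAuthorizationToken` only on a repository ARN is reported as missing, because that call is evaluated against `*`.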