Elastic Beanstalk - CannotPullECRContainerError not authorized to perform: ecr:GetAuthorizationToken


Hello, I am trying to migrate a Dockerized legacy Java solution into AWS. I have successfully created and pushed the Docker images for the 3 services into a private repository in ECR.

I am now trying to run those by using AWS Beanstalk. I followed the documentation and created the following Dockerrun.aws.json:

{
    "AWSEBDockerrunVersion": 2,
    "containerDefinitions": [
        {
            "name": "local-redis",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/local-redis:7.2.1",
            "portMappings": [
                {
                    "hostPort": 6379,
                    "containerPort": 6379
                }
            ],
            "essential": true,
            "memory": 1024
        },
        {
            "name": "meet-margo-app",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/customer-api:1.0",
            "portMappings": [
                {
                    "hostPort": 8080,
                    "containerPort": 9851
                }
            ],
            "links": [
                "local-redis"
            ],
            "essential": true,
            "memory": 3072
        },
        {
            "name": "meet-margo-admin",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/admin-api:1.0",
            "portMappings": [
                {
                    "hostPort": 8081,
                    "containerPort": 9852
                }
            ],
            "links": [
                "local-redis"
            ],
            "essential": true,
            "memory": 3072
        }
    ]
}

The commands eb init and eb create run successfully and I am able to see the created Environment and Application in Beanstalk, and a valid EC2 instance. However, the Health status moves to Severe and the logs indicate that no ECS tasks were created. This is the error I can see:

 {
 "containerArn": "arn:aws:ecs:REGION-2:ARN:container/awseb-MYAPI",
 "taskArn": "arn:aws:ecs:REGION-2:ARN:task/awseb-MYAPI",
 "name": "local-redis",
 "image": "ARN.dkr.ecr.REGION-2.amazonaws.com/local-redis:7.2.1",
 "lastStatus": "STOPPED",
 "reason": "CannotPullECRContainerError: AccessDeniedException: User: arn:aws:sts::ARN:assumed-role/aws-elasticbeanstalk-ec2-role/ is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allo",
 "healthStatus": "UNKNOWN",
 "memory": "1024",
 "cpu": "0",
 "networkInterfaces": []
 }

I double checked, and the IAM user I am using has the following permissions:

AdministratorAccess
AdministratorAccess-AWSElasticBeanstalk
AmazonEC2ContainerRegistryFullAccess
AmazonEC2FullAccess
AWSElasticBeanstalkMulticontainerDocker
AWSElasticBeanstalkRoleECS
EC2InstanceProfileForImageBuilderECRContainerBuilds

And I noticed that EC2InstanceProfileForImageBuilderECRContainerBuilds has "ecr:GetAuthorizationToken", so I am unsure what else I am missing. Has anyone encountered this error and would be able to help me?

Would anyone know what else
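
Added example, not part of the original post: the "reason" string in the task description names the principal that was denied, and an identity policy can be checked for the actions an ECR pull needs. The policy documents, repository ARN and function names are constructed for illustration, and the policy evaluation is deliberately simplified.

```python
import fnmatch
import re

# Actions needed to pull an image from a private ECR repository.
PULL_ACTIONS = ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
DENIED = re.compile(
    r"User: arn:aws:(?:sts|iam)::[^:]*:(?P<kind>assumed-role|user)/(?P<name>[^/\s]+)\S*"
    r" is not authorized to perform: (?P<action>\S+)")

def parse_denial(reason):
    """Return principal kind, name and denied action from an AccessDenied reason."""
    m = DENIED.search(reason)
    return m.groupdict() if m else None

def _list(v):
    return v if isinstance(v, list) else [v]

def allows(policies, action, resource):
    """Simplified: explicit Deny wins, else any Allow (Condition, SCPs etc. ignored)."""
    allowed = False
    for doc in policies:
        for st in _list(doc["Statement"]):
            hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _list(st["Action"]))
                   and any(fnmatch.fnmatchcase(resource, r) for r in _list(st["Resource"])))
            if hit and st["Effect"] == "Deny":
                return False
            allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def missing_pull_actions(policies, repo_arn):
    """ecr:GetAuthorizationToken is checked against "*", the rest against the repo."""
    return [a for a in PULL_ACTIONS
            if not allows(policies, a, "*" if a == "ecr:GetAuthorizationToken" else repo_arn)]

# The "reason" field from the task description in the post (truncated there as well).
REASON = ("CannotPullECRContainerError: AccessDeniedException: User: "
          "arn:aws:sts::ARN:assumed-role/aws-elasticbeanstalk-ec2-role/ is not authorized "
          "to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allo")

# Constructed sample policies and repository ARN (placeholders, not from the post).
REPO = "arn:aws:ecr:us-east-1:111122223333:repository/local-redis"
ROLE_BEFORE = [{"Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}]
REPO_SCOPED = [{"Statement": [{"Effect": "Allow", "Action": "ecr:*", "Resource": REPO}]}]
READ_ONLY = [{"Statement": [{"Effect": "Allow", "Action": ["ecr:Get*", "ecr:Batch*"], "Resource": "*"}]}]

if __name__ == "__main__":
    print(parse_denial(REASON))
    print([missing_pull_actions(p, REPO) for p in (ROLE_BEFORE, REPO_SCOPED, READ_ONLY)])
```

The parsed principal is the role the EC2 instance assumed, so that role's policies are the ones to inspect. The repo-scoped sample still fails because ecr:GetAuthorizationToken is only granted by a statement whose Resource is "*".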

No answers
