Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Amazon CodeCatalyst not pulling ECR image

0

I'm trying to use a private image from ECR, i have configured the IAM Role with AdministratorAccess and TrustedPolicy as next:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToCodeCatalyst",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codecatalyst-runner.amazonaws.com",
                    "codecatalyst.amazonaws.com",
                    "codebuild.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:codecatalyst:::space/xxxx",
                        "arn:aws:codecatalyst:::space/xxxx/project/*"
                    ]
                }
            }
        }
    ]
}

In the Build configuration i used:

Configuration:
      Container:
        Registry: ECR
        Image: xxxx.dkr.ecr.us-east-1.amazonaws.com/my_image

But i'm getting this error in the logs: CLIENT_ERROR: Unable to pull customer's container image

Themen
BehälterSicherheit, Identität & KonformitätEntwicklertoolsDevOps
Tags
Amazon Elastischer Container-ServiceBehälterIAM-RichtlinienAmazon CodeCatalyst
Sprache
English
mmellaa
gefragt vor 2 Monaten376 Aufrufe
2 Antworten
0

You added CodeBuild as a principle. Does it perform the pull? Did you check, if CodeBuild's access rights are set up correctly? You can also try to identify the request's CloudTrail event to see if the ARN that performs the blocked request is matching your condition.

AWS
Markus_K
beantwortet vor 2 Monaten
  • mmellaa
    vor einem Monat

    Thanks Markus I'm checking Cloudtrail but i don't see any logs related to ECR.

-1

In order to use private ECR image, you need to update role used in configuration of workflow with below policy that add permissions to fetch ECR image.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        }
    ]
}

You can restrict resource to specific ECR repository in your case. You can get additional details at https://docs.aws.amazon.com/codecatalyst/latest/userguide/build-images.html#build-images-specify

profile pictureAWS
Ashish Bhatt
beantwortet vor 2 Monaten
profile picture
EXPERTE
Giovanni Lauria
überprüft vor 2 Monaten
  • mmellaa
    vor 2 Monaten

    AdministratorAccess includes the permissions you are sharing:

    { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "", "Resource": "" }]}

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt