How do I allow Amazon ECS tasks to pull images from an Amazon ECR image repository?


How do I allow Amazon Elastic Container Service (Amazon ECS) tasks to pull images from an Amazon Elastic Container Registry (Amazon ECR) image repository?

Short description

To access the Amazon ECR image repository with your launch type, choose one of these options:

  • For Amazon Elastic Compute Cloud (Amazon EC2) launch types, you must provide permissions to ecsTaskExecutionRole or the instance profile associated with the container instance. However, it's always a best practice to provide Amazon ECR permissions to ecsTaskExecutionRole. If permissions are provided to both the instance and the role, then ecsTaskExecutionRole takes precedence.
  • For AWS Fargate launch types, you must grant your Amazon ECS task execution role permission to access the Amazon ECR image repository.

Resolution

For EC2 launch types

  1. Open the AWS Identity and Access Management (IAM) console.
  2. In the navigation pane, choose Roles, and then choose Create role.
  3. Choose the AWS service role type.
  4. In the Use Case section, select EC2. Then, select Next.
  5. Choose the default AmazonEC2ContainerServiceforEC2Role managed policy, and then choose Next.
    Note: The AmazonEC2ContainerServiceforEC2Role policy also allows you to register container instances to your ECS cluster and enable log streams in Amazon CloudWatch.
  6. Add tags to your policy, if desired, and then choose Next.
  7. For Role name, enter a unique name (such as ECSRoleforEC2), and then choose Create role.
  8. Launch a new container instance using the latest Amazon ECS-optimized Amazon Linux AMI.
  9. Attach the role that you created to the new container instance.
  10. Create a task definition.
    Important: In the containerDefinitions section of your task definition, specify the ECR image aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag as the image property.
  11. Run a task or a service using the task definition that you created in step 10.
  12. (Optional) If you don't want to provide permissions to an instance profile, give permissions to the ECS Task Execution Role. Then, run a task or a service using the task definition that you created in step 10.

For Fargate launch types

An Amazon ECS task execution role is automatically created in the Amazon ECS console first-run experience. If you can't find the role or the role is deleted, complete these steps:

  1. Open the IAM console.
  2. In the navigation pane, choose Roles, and then choose Create role.
  3. In the Select type of trusted entity section, choose Elastic Container Service.
  4. For Select your use case, choose Elastic Container Service Task, and then choose Next.
  5. In the Attach permissions policy section, search for AmazonECSTaskExecutionRolePolicy, select the policy, and then choose Next.
    Note: This policy also provides permissions to use the awslogs log driver.
  6. For Role name, enter ecsTaskExecutionRole, and then choose Create role.
  7. Create a task definition.
    Important: In the containerDefinitions section of your task definition, specify the ECR image aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag as the image property. Specify the IAM role created in step 6.
  8. Run a task or a service using the task definition that you created in step 7.

Your task or service can now pull images from the Amazon ECR image repository.
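The following Python is an added example, not code from the AWS article: it encodes the trust relationship that the "Elastic Container Service Task" use case creates for ecsTaskExecutionRole, parses the ECR image URI format from the task definition steps, and reports the permission gap that would stop an EC2 or Fargate task from pulling its image. The sample task definition, account id and role ARN are constructed placeholders, and the instance_profile_has_ecr flag is an assumption standing in for whatever the container instance's profile actually grants.

```python
import re

# ECR image URI format used in the article:
# aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag
ECR_IMAGE_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repository>[a-z0-9._/-]+):(?P<tag>[A-Za-z0-9._-]+)$"
)

# Trust policy for the "Elastic Container Service Task" use case: only the
# ECS tasks service principal may assume the task execution role.
ECS_TASKS_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "ecs-tasks.amazonaws.com"}}],
}

# Constructed sample task definition; account id and role ARN are placeholders.
SAMPLE_FARGATE_TASK_DEF = {
    "family": "web",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "256",
    "memory": "512",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {"name": "web", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.0", "essential": True}
    ],
}

def parse_ecr_image(image):
    """Split an ECR image URI into account, region, repository and tag; None if not ECR."""
    m = ECR_IMAGE_RE.match(image)
    return m.groupdict() if m else None

def check_task_definition(task_def, instance_profile_has_ecr=False):
    """Return the problems that would stop this task pulling its images from ECR."""
    problems = []
    fargate = "FARGATE" in task_def.get("requiresCompatibilities", [])
    if not task_def.get("executionRoleArn"):
        if fargate:
            problems.append("Fargate task has no executionRoleArn; ECR pulls need the task execution role")
        elif not instance_profile_has_ecr:
            problems.append("EC2 task has neither executionRoleArn nor an instance profile with ECR access")
    for c in task_def.get("containerDefinitions", []):
        if parse_ecr_image(c.get("image", "")) is None:
            problems.append(f"container {c.get('name')}: image is not an ECR image URI")
    return problems
```

Run check_task_definition on a task definition JSON before registering it; an empty list means the image reference and role wiring match what the steps above require.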


Related information

Using Amazon ECR Images with Amazon ECS

AWS OFFICIAL
Updated 2 years ago