- Más nuevo
- Más votos
- Más comentarios
To close the loop on this. My issue was that I was pointing the docker client at the proxy, as well as the proxying endpoint. This was unnecessary. But there were a few additional things that were needed:
- To log in and to access the repo, it is necessary to use the proxied domain, not the ECR domain, in the
docker login
call - Once the login works, in order to pull, a proxy_redirect is necessary to write the URLs pointing to S3 for the layers. Ex:
proxy_redirect "https://prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com" "https://dkr-layer.example.com";
- Ensure the Host header is rewritten to the ECR domain in the nginx proxy config
Hope this helps others. Cheers!
I understand that you need to proxy requests to ECR. Reviewing the nginx configuration, I see that you are delegating the requests to "xxxxxxx.dkr.ecr.us-west-2.amazonaws.com".
Please note that ECR has two different VPC Endpoints -- com.amazonaws.us-east-1.ecr.api com.amazonaws.us-east-1.ecr.dkr
Ensure that you are passing requests to both of the ECR vpc endpoints. Coming to the error you are facing - "Bad Request" to ECR. Bad request error is usually observed when you pass the VPC Endpoint DNS name to the docker login command as shown in the example below:
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin vpce-xxxxxxxxxxxxxxx.dkr.ecr.us-west-2.vpce.amazonaws.com
When setting up vpc endpoints for ECR, if you had enabled "enable a private DNS hostname", then a private Route53 record is created in private host zones, which maps "<aws_account_id>.dkr.ecr.<region>.amazonaws.com" to private IP(s) of ECR VPC Endpoint. Therefore you will be able to use the below command
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.us-west-2.vpce.amazonaws.com
Unfortunately, we would not have ECR Logs that you can refer.
Considering, we need further information and Network specific details to be able to understand the exact reason for the error. Please feel free to open a support case with AWS Premium support to get further assistance.
Contenido relevante
- OFICIAL DE AWSActualizada hace un año
- OFICIAL DE AWSActualizada hace 2 años
- OFICIAL DE AWSActualizada hace un año
Thanks Praneel,
This isn't a VPC Endpoint issue, as I have both of the endpoints created and tested. I can also confirm that I can log in to the ECR from the proxy EC2 (which would use the VPCE) using:
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin <ecr_id>.dkr.ecr.us-west-2.vpce.amazonaws.
I have also added a Host header to the proxy config
proxy_set_header Host <ecr_id>.dkr.ecr.us-west-2.amazonaws.com;
Still getting the same result.
I've read that there are several people who have accomplished this, and have tried as much as I could.
I'll open a request. Thanks.