Elastic Beanstalk - CannotPullECRContainerError not authorized to perform: ecr:GetAuthorizationToken

Hello, I am trying to migrate a Dockerized legacy Java solution into AWS. I have successfully created and pushed the Docker images for the 3 services into a private repository in ECR.

I am now trying to run those by using AWS Beanstalk. I followed the documentation and created the following Dockerrun.aws.json:

{
    "AWSEBDockerrunVersion": 2,
    "containerDefinitions": [
        {
            "name": "local-redis",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/local-redis:7.2.1",
            "portMappings": [
                {
                    "hostPort": 6379,
                    "containerPort": 6379
                }
            ],
            "essential": true,
            "memory": 1024
        },
        {
            "name": "meet-margo-app",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/customer-api:1.0",
            "portMappings": [
                {
                    "hostPort": 8080,
                    "containerPort": 9851
                }
            ],
            "links": [
                "local-redis"
            ],
            "essential": true,
            "memory": 3072
        },
        {
            "name": "meet-margo-admin",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/admin-api:1.0",
            "portMappings": [
                {
                    "hostPort": 8081,
                    "containerPort": 9852
                }
            ],
            "links": [
                "local-redis"
            ],
            "essential": true,
            "memory": 3072
        }
    ]
}

The commands eb init and eb create run successfully and I am able to see the created Environment and Application in Beanstalk, and a valid EC2 instance. However, the Health status moves to Severe and the logs indicate that no ECS tasks were created. This is the error I can see:

 {
 "containerArn": "arn:aws:ecs:REGION-2:ARN:container/awseb-MYAPI",
 "taskArn": "arn:aws:ecs:REGION-2:ARN:task/awseb-MYAPI",
 "name": "local-redis",
 "image": "ARN.dkr.ecr.REGION-2.amazonaws.com/local-redis:7.2.1",
 "lastStatus": "STOPPED",
 "reason": "CannotPullECRContainerError: AccessDeniedException: User: arn:aws:sts::ARN:assumed-role/aws-elasticbeanstalk-ec2-role/ is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allo",
 "healthStatus": "UNKNOWN",
 "memory": "1024",
 "cpu": "0",
 "networkInterfaces": []
 }

I double checked, and the IAM user I am using has the following permissions:

AdministratorAccess
AdministratorAccess-AWSElasticBeanstalk
AmazonEC2ContainerRegistryFullAccess
AmazonEC2FullAccess
AWSElasticBeanstalkMulticontainerDocker
AWSElasticBeanstalkRoleECS
EC2InstanceProfileForImageBuilderECRContainerBuilds

And I noticed that EC2InstanceProfileForImageBuilderECRContainerBuilds has "ecr:GetAuthorizationToken", so I am unsure what else I am missing. Has anyone encountered this error and would be able to help me?

Would anyone know what else

No answers
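
An added example, not part of the original post and not AWS code: it parses the stop reason quoted in the question to extract the principal and action that were denied, then runs a simplified identity-policy check over constructed policy documents. The names `parse_denial`, `decision`, `PULL_ONLY` and `TOKEN` are hypothetical, and the repository ARN is a placeholder.

```python
import fnmatch
import re

# Shape of the access-denied text inside the task's "reason" field above.
DENIED_RE = re.compile(
    r"User: arn:aws:(?:iam|sts)::[^:]*:(?P<kind>[\w-]+)/(?P<name>[^/\s]+)\S*"
    r" is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)")

def parse_denial(reason):
    """Extract principal kind/name, action and resource, or None if no match."""
    m = DENIED_RE.search(reason)
    return m.groupdict() if m else None

def as_list(value):
    return value if isinstance(value, list) else [value]

def decision(policies, action, resource):
    """Simplified identity-policy evaluation: explicit Deny beats Allow, and
    no match is an implicit deny. Conditions, NotAction, permissions
    boundaries and SCPs are not modelled."""
    allowed = False
    for doc in policies:
        for st in as_list(doc["Statement"]):
            hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                       for a in as_list(st["Action"]))
                   and any(fnmatch.fnmatchcase(resource, r)
                           for r in as_list(st["Resource"])))
            if hit and st["Effect"] == "Deny":
                return "explicit-deny"
            allowed = allowed or (hit and st["Effect"] == "Allow")
    return "allow" if allowed else "implicit-deny"

# Stop reason copied from the task description above (truncated there too).
REASON = ("CannotPullECRContainerError: AccessDeniedException: User: "
          "arn:aws:sts::ARN:assumed-role/aws-elasticbeanstalk-ec2-role/ is not "
          "authorized to perform: ecr:GetAuthorizationToken on resource: * "
          "because no identity-based policy allo")

# Constructed policy documents; the repository ARN is a placeholder.
PULL_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
    "Resource": "arn:aws:ecr:REGION:ACCOUNT:repository/local-redis"}]}
TOKEN = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "ecr:Get*", "Resource": "*"}}

if __name__ == "__main__":
    d = parse_denial(REASON)
    print(d["kind"], d["name"], d["action"], d["resource"])
    print(decision([PULL_ONLY], d["action"], d["resource"]))         # implicit-deny
    print(decision([PULL_ONLY, TOKEN], d["action"], d["resource"]))  # allow
```

The policy set passed to `decision` should be the one attached to the principal that `parse_denial` returns, since that is the identity the error names.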