Elastic Beanstalk - CannotPullECRContainerError not authorized to perform: ecr:GetAuthorizationToken

Hello, I am trying to migrate a Dockerized legacy Java solution into AWS. I have successfully created and pushed the Docker images for the 3 services into a private repository in ECR.

I am now trying to run those by using AWS Beanstalk. I followed the documentation and created the following Dockerrun.aws.json:

{
    "AWSEBDockerrunVersion": 2,
    "containerDefinitions": [
        {
            "name": "local-redis",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/local-redis:7.2.1",
            "portMappings": [
                {
                    "hostPort": 6379,
                    "containerPort": 6379
                }
            ],
            "essential": true,
            "memory": 1024
        },
        {
            "name": "meet-margo-app",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/customer-api:1.0",
            "portMappings": [
                {
                    "hostPort": 8080,
                    "containerPort": 9851
                }
            ],
            "links": [
                "local-redis"
            ],
            "essential": true,
            "memory": 3072
        },
        {
            "name": "meet-margo-admin",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/admin-api:1.0",
            "portMappings": [
                {
                    "hostPort": 8081,
                    "containerPort": 9852
                }
            ],
            "links": [
                "local-redis"
            ],
            "essential": true,
            "memory": 3072
        }
    ]
}

The commands eb init and eb create run successfully and I am able to see the created Environment and Application in Beanstalk, and a valid EC2 instance. However, the Health status moves to Severe and the logs indicate that no ECS tasks were created. This is the error I can see:

 {
 "containerArn": "arn:aws:ecs:REGION-2:ARN:container/awseb-MYAPI",
 "taskArn": "arn:aws:ecs:REGION-2:ARN:task/awseb-MYAPI",
 "name": "local-redis",
 "image": "ARN.dkr.ecr.REGION-2.amazonaws.com/local-redis:7.2.1",
 "lastStatus": "STOPPED",
 "reason": "CannotPullECRContainerError: AccessDeniedException: User: arn:aws:sts::ARN:assumed-role/aws-elasticbeanstalk-ec2-role/ is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allo",
 "healthStatus": "UNKNOWN",
 "memory": "1024",
 "cpu": "0",
 "networkInterfaces": []
 }

I double checked, and the IAM user I am using has the following permissions:

AdministratorAccess
AdministratorAccess-AWSElasticBeanstalk
AmazonEC2ContainerRegistryFullAccess
AmazonEC2FullAccess
AWSElasticBeanstalkMulticontainerDocker
AWSElasticBeanstalkRoleECS
EC2InstanceProfileForImageBuilderECRContainerBuilds

And I noticed that EC2InstanceProfileForImageBuilderECRContainerBuilds has "ecr:GetAuthorizationToken", so I am unsure what else I am missing. Has anyone encountered this error and would be able to help me?

Would anyone know what else

No answers
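The error above names the assumed role `aws-elasticbeanstalk-ec2-role` as the denied principal, and the denied call is made on resource `*`. The following added example (not part of the original post and not AWS code) parses that reason string and evaluates only the policies attached to the principal it names. The policy documents are constructed for illustration, and the evaluation is simplified: no conditions, `NotAction`, permission boundaries or SCPs.

```python
import fnmatch
import re

# Reason string copied from the post (truncated there, kept as-is).
REASON = ("CannotPullECRContainerError: AccessDeniedException: User: "
          "arn:aws:sts::ARN:assumed-role/aws-elasticbeanstalk-ec2-role/ is not "
          "authorized to perform: ecr:GetAuthorizationToken on resource: * "
          "because no identity-based policy allo")

# Constructed policy documents (not the contents of any AWS managed policy).
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
REPO_SCOPED = {"Statement": [{"Effect": "Allow", "Action": "ecr:*",
               "Resource": "arn:aws:ecr:REGION:ARN:repository/local-redis"}]}
PULL_FIX = {"Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Resource": "arn:aws:ecr:REGION:ARN:repository/*",
     "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage"]}]}

def parse_denial(reason):
    """Extract (principal kind, principal name, denied action, resource)."""
    m = re.search(r"User: arn:aws:(?:sts|iam)::[^:]*:(assumed-role|user)/([^/\s]+)\S*"
                  r" is not authorized to perform: (\S+) on resource: (\S+)", reason)
    if m is None:
        raise ValueError("no AccessDenied principal/action in reason string")
    return m.groups()

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policies, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins, else any Allow."""
    allowed = False
    for doc in policies:
        for st in _as_list(doc["Statement"]):
            hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                       for a in _as_list(st["Action"]))
                   and any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(st["Resource"])))
            if hit and st["Effect"] == "Deny":
                return False
            allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def diagnose(reason, attached):
    """Evaluate only the policies attached to the principal named in the error."""
    kind, name, action, resource = parse_denial(reason)
    return kind, name, action, allows(attached.get((kind, name), []), action, resource)
```

`attached` maps `(kind, name)` to a list of policy documents. A statement scoped to a repository ARN, such as `REPO_SCOPED`, does not cover `ecr:GetAuthorizationToken` because that call is evaluated against resource `*`, so the role needs a statement like the first one in `PULL_FIX`.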
