Amazon CodeCatalyst not pulling ECR image

0

I'm trying to use a private image from ECR. I have configured the IAM role with AdministratorAccess and a trust policy as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToCodeCatalyst",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codecatalyst-runner.amazonaws.com",
                    "codecatalyst.amazonaws.com",
                    "codebuild.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:codecatalyst:::space/xxxx",
                        "arn:aws:codecatalyst:::space/xxxx/project/*"
                    ]
                }
            }
        }
    ]
}

In the Build configuration I used:

Configuration:
      Container:
        Registry: ECR
        Image: xxxx.dkr.ecr.us-east-1.amazonaws.com/my_image

But I'm getting this error in the logs: CLIENT_ERROR: Unable to pull customer's container image

2 Answers
0

You added CodeBuild as a principal. Does it perform the pull? Did you check if CodeBuild's access rights are set up correctly? You can also try to identify the request's CloudTrail event to see if the ARN that performs the blocked request matches your condition.

AWS
answered 2 months ago
  • Thanks Markus, I'm checking CloudTrail but I don't see any logs related to ECR.
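
Added example, not part of the original question or answers: a local check of whether a given service principal and `aws:SourceArn` would satisfy the trust policy from the question, using IAM's `ArnLike` rule (the six colon-delimited ARN parts are compared one by one, with `*` and `?` as wildcards). The function names and the sample ARNs used to exercise it are constructed for illustration. It looks only at `Allow` statements with service principals and an `ArnLike` condition on `aws:SourceArn`, and ignores any other condition key.

```python
import re

# Trust policy from the question ("xxxx" is the poster's redacted space ID).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": [
            "codecatalyst-runner.amazonaws.com",
            "codecatalyst.amazonaws.com",
            "codebuild.amazonaws.com",
        ]},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:SourceArn": [
            "arn:aws:codecatalyst:::space/xxxx",
            "arn:aws:codecatalyst:::space/xxxx/project/*",
        ]}},
    }],
}

def _as_list(value):
    # IAM accepts either a single value or a list in most policy fields.
    return value if isinstance(value, list) else [value]

def arn_like(pattern, arn):
    """ArnLike: match each of the six ARN parts separately; * and ? are wildcards."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False  # assumption: treat a malformed ARN as a non-match
    for p, a in zip(p_parts, a_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if not re.fullmatch(regex, a, flags=re.DOTALL):
            return False
    return True

def trust_allows(policy, service, source_arn):
    """True if an Allow statement lets `service` assume the role for `source_arn`."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if service not in services:
            continue
        patterns = _as_list(stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn", []))
        if not patterns or any(arn_like(p, source_arn) for p in patterns):
            return True
    return False
```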

-1

In order to use a private ECR image, you need to update the role used in the workflow configuration with the policy below, which adds permissions to fetch the ECR image.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        }
    ]
}

You can restrict the resource to a specific ECR repository in your case. You can get additional details at https://docs.aws.amazon.com/codecatalyst/latest/userguide/build-images.html#build-images-specify

AWS
answered 2 months ago
Expert
reviewed 2 months ago
  • AdministratorAccess includes the permissions you are sharing:

    { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*" }]}
