How do I resolve the "error pulling image configuration: error parsing HTTP 403 response body" error in Amazon ECS when pulling a Docker image from Amazon ECR?

2 minute read
0

When I pull a Docker image from Amazon Elastic Container Registry (Amazon ECR) in Amazon Elastic Container Service (Amazon ECS), I get the following error message: "error pulling image configuration: error parsing HTTP 403 response body."

Short description

Amazon ECR uses Amazon Simple Storage Service (Amazon S3) to store your image layers. When your containers download images from Amazon ECR, they must access Amazon ECR to get the image manifest and then Amazon S3 to download the image layers. The following is the Amazon Resource Name (ARN) of the Amazon S3 bucket that contains the layers for each Docker image.

arn:aws:s3:::prod-region-starport-layer-bucket/*

If you use an S3 gateway endpoint in a route table with a policy that restricts access to starport-layer-bucket, then you receive the following error message:

error pulling image configuration: error parsing HTTP 403 response body: invalid character '<' looking for beginning of value: 
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>
SAMPLE-REQUEST-ID</RequestId><HostId>SAMPLE-HOST-ID</HostId></Error>"

By default, you get full access to all resources when you create a gateway endpoint in Amazon S3.

If you have a custom policy that allows access to specific resources, then you must add the starport-layer-bucket ARN to your Amazon S3 policy to resolve the error.

Resolution

1.    Open the Amazon Virtual Private Cloud (Amazon VPC) console.

2.    From the navigation menu, choose Endpoints.

3.    Select the S3 endpoint from the list.

4.    Choose the Policy tab, and then choose Edit policy.

5.    In the Resource section of the policy, add the following ARN:

arn:aws:s3:::prod-region-starport-layer-bucket/*

Note: Be sure that the ARN includes your AWS Region.

For reference, consider the following example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-buckets",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::prod-us-east-1-starport-layer-bucket/*"
      ]
    }
  ]
}

Related information

Create the Amazon S3 gateway endpoint

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago