Amazon CodeCatalyst not pulling ECR image

0

I'm trying to use a private image from ECR. I have configured the IAM Role with AdministratorAccess and the trust policy as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToCodeCatalyst",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "codecatalyst-runner.amazonaws.com",
                    "codecatalyst.amazonaws.com",
                    "codebuild.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:codecatalyst:::space/xxxx",
                        "arn:aws:codecatalyst:::space/xxxx/project/*"
                    ]
                }
            }
        }
    ]
}

In the Build configuration I used:

Configuration:
      Container:
        Registry: ECR
        Image: xxxx.dkr.ecr.us-east-1.amazonaws.com/my_image

But I'm getting this error in the logs: CLIENT_ERROR: Unable to pull customer's container image

2 answers
0

You added CodeBuild as a principal. Does it perform the pull? Did you check if CodeBuild's access rights are set up correctly? You can also try to identify the request's CloudTrail event to see if the ARN that performs the blocked request is matching your condition.

AWS
Answered 2 months ago
  • Thanks Markus. I'm checking CloudTrail but I don't see any logs related to ECR.

-1

In order to use a private ECR image, you need to update the role used in the workflow configuration with the policy below, which adds the permissions to fetch the ECR image.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        }
    ]
}

You can restrict the resource to a specific ECR repository in your case. You can get additional details at https://docs.aws.amazon.com/codecatalyst/latest/userguide/build-images.html#build-images-specify

AWS
Answered 2 months ago
Expert
Reviewed 2 months ago
  • AdministratorAccess includes the permissions you are sharing:

    { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*" }]}
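An added illustration of the answer's advice to restrict the resource (example code, not from the answer, AWS or CodeCatalyst): a helper that builds a pull-only policy scoped to one repository ARN, keeping ecr:GetAuthorizationToken on "*" because that action does not support resource-level permissions, plus an offline check that lists which of the required actions a given identity policy does not grant for that repository. The function names and the sample repository ARN are assumptions.

```python
import fnmatch

# Actions the workflow role needs to pull a private ECR image (the answer's list).
REQUIRED_ECR_ACTIONS = (
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
)


def least_privilege_ecr_pull_policy(repository_arn):
    """Pull-only policy scoped to one repository.
    ecr:GetAuthorizationToken has no resource-level permissions, so it stays on "*";
    the layer/image actions are restricted to the repository ARN (e.g. the constructed
    value arn:aws:ecr:us-east-1:123456789012:repository/my_image)."""
    scoped = [a for a in REQUIRED_ECR_ACTIONS if a != "ecr:GetAuthorizationToken"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EcrAuthToken", "Effect": "Allow",
             "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Sid": "EcrPullOneRepo", "Effect": "Allow",
             "Action": scoped, "Resource": repository_arn},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_pull_permissions(policy, repository_arn):
    """Required actions that no Allow statement grants on repository_arn.
    Simplified offline evaluator: Allow statements with '*'/'?' wildcards only,
    no Deny, Condition or NotAction handling; the authoritative check is
    `aws iam simulate-principal-policy` against the real role."""
    missing = []
    for action in REQUIRED_ECR_ACTIONS:
        granted = any(
            stmt.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(repository_arn, r) for r in _as_list(stmt.get("Resource", [])))
            for stmt in policy.get("Statement", [])
        )
        if not granted:
            missing.append(action)
    return missing
```

`missing_pull_permissions(policy, repo_arn)` returns an empty list for the answer's policy or for AdministratorAccess, and lists the three scoped actions when the scoped policy is checked against a different repository.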
