Can't create or deploy a service on App Runner since it can't pull a private ECR image

1

Hey!

I'm having an issue with App Runner. When I'm trying to create a service with an image from a private ECR repository it fails because apparently it can't pull the image. Pulling images from public ECR works fine.

When I try to create a service I choose to create the AppRunnerECRAccessRole for me. Then when it tries to deploy for the first time, it tries to pull the image. Then it does nothing for around 45 minutes. Then it fails with a message that it apparently can't pull the image. The error message is confusing since the role was created automatically and looking at the policy it looks fine to me.

Both ECR repository and App Runner service are in the same region (eu-west-1).

Deployment logs:
2021-11-21T14:02:26.613+01:00 Starting to pull your application image.
2021-11-21T14:42:09.236+01:00 Failed to pull your application image. Be sure you configure your service with a valid access role to your ECR repository.

Event log:
11-21-2021 02:02:46 PM Successfully created pipeline for automatic deployments.
11-21-2021 02:02:26 PM Service status is set to OPERATION_IN_PROGRESS.
11-21-2021 02:02:26 PM Service creation started.

  • Is your private ECR repository in the same AWS account as App Runner? Are there any repository-level policies that might deny access to App Runner?

  • Hi,

    As referred to here [1]: "AccessRoleArn - The Amazon Resource Name (ARN) of the IAM role that grants the App Runner service access to a source repository." As explained here [2] under "Pulling an image from ECR": "Amazon ECR requires that users have permission to make calls to the ecr:GetAuthorizationToken API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository."

    Please check the CloudTrail logs for the API call GetAuthorizationToken and try to get more information on the image pull issue from ECR. Also search for BatchGetImage in the CloudTrail log; I hope you will find information for the next steps there, like fixing the permissions issue etc. Also find the list of ECR API references in [3], which will be helpful for troubleshooting ECR issues.

    [1] https://docs.aws.amazon.com/apprunner/latest/api/API_CreateService.html
    [2] https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-pull-ecr-image.html
    [3] https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Operations.html

Simon
asked a year ago · 784 views
1 Answer
1
Accepted Answer

I got it solved.

Thanks to the hint from Kiran_K I took a look at the events in CloudTrail and found that during creation/deployment of my service App Runner tries to assume the mentioned AppRunnerECRAccessRole role. However, that fails due to the following exception: "STS is not activated in this region".

I enabled STS for my region (eu-west-1) according to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate.

That helped and now the creation/deployment works fine!

Simon
answered a year ago
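As an added example that is not part of this thread (my code, not Simon's or Kiran_K's), here is the CloudTrail check suggested in the comments, automated: it unpacks the JSON that `aws cloudtrail lookup-events` prints, picks out the calls App Runner makes through the access role when it pulls a private ECR image (sts:AssumeRole on the role, then GetAuthorizationToken, BatchGetImage and GetDownloadUrlForLayer against ECR), and maps each failed call to the most likely cause, including the "STS is not activated in this region" AssumeRole error the accepted answer found. The record layout, the RegionDisabledException error code, the account id and the role ARN are my assumptions and constructed sample data, not values taken from the thread; the STS match also falls back on the message text quoted in the answer.

```python
"""Triage an App Runner private-ECR pull failure from CloudTrail records."""
import json
from dataclasses import dataclass

# Calls App Runner makes through the access role when pulling a private ECR
# image: first sts:AssumeRole on the role, then the ECR registry calls.
PULL_CHAIN = {
    "sts.amazonaws.com": {"AssumeRole"},
    "ecr.amazonaws.com": {"GetAuthorizationToken", "BatchGetImage",
                          "GetDownloadUrlForLayer"},
}


@dataclass
class Finding:
    event_time: str
    region: str
    call: str        # "service:EventName", e.g. "sts:AssumeRole"
    error_code: str
    diagnosis: str


def diagnose(event_source, error_code, error_message):
    """Map a failed call in the pull chain to the most likely cause."""
    msg = (error_message or "").lower()
    if event_source == "sts.amazonaws.com":
        # The case from this thread: STS is deactivated for the region.
        # RegionDisabledException is an assumed error code; the message text
        # is the one quoted in the accepted answer.
        if error_code == "RegionDisabledException" or "sts is not activated" in msg:
            return ("STS is deactivated in this region; activate it in the IAM "
                    "account settings (see the link in the accepted answer)")
        if error_code == "AccessDenied":
            return "access role trust policy does not allow App Runner to assume it"
        return "AssumeRole failed; check that the access role exists and its trust policy"
    if error_code in ("AccessDeniedException", "AccessDenied"):
        return ("access role lacks ECR permissions or the repository policy "
                "denies it; compare the role's policy with the repository policy")
    if error_code == "RepositoryNotFoundException":
        return "image URI names a repository that does not exist in this region/account"
    return "ECR call failed; read errorMessage for details"


def parse_lookup_output(text):
    """Unpack `aws cloudtrail lookup-events` JSON: each Events[].CloudTrailEvent
    is itself a JSON string holding the full CloudTrail record."""
    return [json.loads(e["CloudTrailEvent"]) for e in json.loads(text)["Events"]]


def triage(records):
    """Return one Finding per failed call in the pull chain, oldest first."""
    findings = []
    for rec in records:
        src, name = rec.get("eventSource"), rec.get("eventName")
        if name not in PULL_CHAIN.get(src, ()) or not rec.get("errorCode"):
            continue  # not part of the pull chain, or the call succeeded
        findings.append(Finding(
            event_time=rec["eventTime"], region=rec["awsRegion"],
            call=f"{src.split('.')[0]}:{name}", error_code=rec["errorCode"],
            diagnosis=diagnose(src, rec["errorCode"], rec.get("errorMessage")),
        ))
    return sorted(findings, key=lambda f: f.event_time)


# Constructed sample records (not real CloudTrail output): a successful
# CreateService, the AssumeRole failure from this thread and, for contrast,
# a later BatchGetImage denial. Account id and role ARN are placeholders.
_ROLE = "arn:aws:iam::111122223333:role/service-role/AppRunnerECRAccessRole"
_RECORDS = [
    {"eventTime": "2021-11-21T13:02:26Z", "awsRegion": "eu-west-1",
     "eventSource": "apprunner.amazonaws.com", "eventName": "CreateService"},
    {"eventTime": "2021-11-21T13:02:40Z", "awsRegion": "eu-west-1",
     "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "apprunner.amazonaws.com"},
     "requestParameters": {"roleArn": _ROLE, "roleSessionName": "AppRunner"},
     "errorCode": "RegionDisabledException",
     "errorMessage": "STS is not activated in this region for account:111122223333. "
                     "Your account administrator can activate STS in this region "
                     "using the IAM Console."},
    {"eventTime": "2021-11-21T13:05:00Z", "awsRegion": "eu-west-1",
     "eventSource": "ecr.amazonaws.com", "eventName": "BatchGetImage",
     "errorCode": "AccessDeniedException",
     "errorMessage": "User is not authorized to perform: ecr:BatchGetImage"},
]
SAMPLE_LOOKUP_OUTPUT = json.dumps(
    {"Events": [{"EventId": f"evt-{i}", "CloudTrailEvent": json.dumps(r)}
                for i, r in enumerate(_RECORDS)]})


if __name__ == "__main__":
    for f in triage(parse_lookup_output(SAMPLE_LOOKUP_OUTPUT)):
        print(f"{f.event_time} {f.region} {f.call} {f.error_code}: {f.diagnosis}")
```

Against real data, feed the script the output of `aws cloudtrail lookup-events --region <region> --start-time <service creation time>` in place of the constructed sample; the AssumeRole attempt lands in the region's trail a few seconds after CreateService, well before App Runner reports the pull failure, which is why the deployment log alone shows nothing for the 40 minutes the question describes.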
