Hello,
I am trying to migrate a Dockerized legacy Java solution into AWS.
I have successfully created and pushed the Docker images for the 3 services into a private repository in ECR.
I am now trying to run those by using AWS Beanstalk. I followed the documentation and created the following Dockerrun.aws.json:
{
  "AWSEBDockerrunVersion": 2,
  "containerDefinitions": [
    {
      "name": "local-redis",
      "image": "ARN.dkr.ecr.REGION.amazonaws.com/local-redis:7.2.1",
      "portMappings": [
        {
          "hostPort": 6379,
          "containerPort": 6379
        }
      ],
      "essential": true,
      "memory": 1024
    },
    {
      "name": "meet-margo-app",
      "image": "ARN.dkr.ecr.REGION.amazonaws.com/customer-api:1.0",
      "portMappings": [
        {
          "hostPort": 8080,
          "containerPort": 9851
        }
      ],
      "links": [
        "local-redis"
      ],
      "essential": true,
      "memory": 3072
    },
    {
      "name": "meet-margo-admin",
      "image": "ARN.dkr.ecr.REGION.amazonaws.com/admin-api:1.0",
      "portMappings": [
        {
          "hostPort": 8081,
          "containerPort": 9852
        }
      ],
      "links": [
        "local-redis"
      ],
      "essential": true,
      "memory": 3072
    }
  ]
}
The commands eb init and eb create run successfully and I am able to see the created Environment and Application in Beanstalk, and a valid EC2 instance.
However the Health status moves to Severe and the logs indicate that no ECS tasks were created.
This is the error I can see:
{
  "containerArn": "arn:aws:ecs:REGION-2:ARN:container/awseb-MYAPI",
  "taskArn": "arn:aws:ecs:REGION-2:ARN:task/awseb-MYAPI",
  "name": "local-redis",
  "image": "ARN.dkr.ecr.REGION-2.amazonaws.com/local-redis:7.2.1",
  "lastStatus": "STOPPED",
  "reason": "CannotPullECRContainerError: AccessDeniedException: User: arn:aws:sts::ARN:assumed-role/aws-elasticbeanstalk-ec2-role/ is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allo",
  "healthStatus": "UNKNOWN",
  "memory": "1024",
  "cpu": "0",
  "networkInterfaces": []
}
I double checked, and the IAM user I am using has the following permissions:
AdministratorAccess
AdministratorAccess-AWSElasticBeanstalk
AmazonEC2ContainerRegistryFullAccess
AmazonEC2FullAccess
AWSElasticBeanstalkMulticontainerDocker
AWSElasticBeanstalkRoleECS
EC2InstanceProfileForImageBuilderECRContainerBuilds
And I noticed that EC2InstanceProfileForImageBuilderECRContainerBuilds has "ecr:GetAuthorizationToken", so I am unsure what else I am missing.
Has anyone encountered this error and would be able to help me?
Would anyone know what else
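
The following is an added example, not part of the original post: it parses the "reason" string from the stopped-task output above to show which principal was denied which action. The function names and the diagnosis wording are assumptions made for illustration; the sample string is constructed from the error as posted, placeholders and truncation included.

```python
import re

# Constructed from the "reason" field quoted in the post (placeholders kept as posted).
SAMPLE_REASON = (
    "CannotPullECRContainerError: AccessDeniedException: User: "
    "arn:aws:sts::ARN:assumed-role/aws-elasticbeanstalk-ec2-role/ is not "
    "authorized to perform: ecr:GetAuthorizationToken on resource: * "
    "because no identity-based policy allo"
)

# Matches the principal ARN, the denied action and (if present) the resource.
DENIED = re.compile(
    r"User: (?P<arn>arn:aws:(?P<svc>sts|iam)::(?P<account>[^:]*):"
    r"(?P<kind>assumed-role|user|role)/(?P<name>[^/\s]+)(?:/(?P<session>\S*))?)"
    r" is not authorized to perform: (?P<action>[\w-]+:[\w*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

def parse_denial(reason):
    """Return who was denied which action, or None if no AccessDenied principal is found."""
    m = DENIED.search(reason)
    if not m:
        return None
    d = m.groupdict()
    # For an assumed role, the policies evaluated are the role's, not those
    # of the IAM user who ran the deployment.
    d["policy_owner"] = "role" if d["kind"] in ("assumed-role", "role") else "user"
    return d

def diagnose(reason, deploying_user_actions):
    """Say where the missing permission belongs (hypothetical helper)."""
    d = parse_denial(reason)
    if d is None:
        return "no AccessDenied principal found"
    if d["policy_owner"] == "role":
        msg = f"grant {d['action']} to role {d['name']}"
        if d["action"] in deploying_user_actions:
            msg += " (the deploying user already has it, but is not the caller)"
        return msg
    return f"grant {d['action']} to user {d['name']}"

if __name__ == "__main__":
    print(parse_denial(SAMPLE_REASON))
    print(diagnose(SAMPLE_REASON, {"ecr:GetAuthorizationToken"}))
```

Read this way, the denied caller in the posted error is the assumed role aws-elasticbeanstalk-ec2-role on the EC2 instance, so the policies listed for the IAM user are not the ones evaluated for the image pull.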