Elastic Beanstalk - CannotPullECRContainerError not authorized to perform: ecr:GetAuthorizationToken

Hello, I am trying to migrate a Dockerized legacy Java solution into AWS. I have successfully created and pushed the Docker images for the 3 services into a private repository in ECR.

I am now trying to run those by using AWS Beanstalk. I followed the documentation and created the following Dockerrun.aws.json:

{
    "AWSEBDockerrunVersion": 2,
    "containerDefinitions": [
        {
            "name": "local-redis",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/local-redis:7.2.1",
            "portMappings": [
                {
                    "hostPort": 6379,
                    "containerPort": 6379
                }
            ],
            "essential": true,
            "memory": 1024
        },
        {
            "name": "meet-margo-app",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/customer-api:1.0",
            "portMappings": [
                {
                    "hostPort": 8080,
                    "containerPort": 9851
                }
            ],
            "links": [
                "local-redis"
            ],
            "essential": true,
            "memory": 3072
        },
        {
            "name": "meet-margo-admin",
            "image": "ARN.dkr.ecr.REGION.amazonaws.com/admin-api:1.0",
            "portMappings": [
                {
                    "hostPort": 8081,
                    "containerPort": 9852
                }
            ],
            "links": [
                "local-redis"
            ],
            "essential": true,
            "memory": 3072
        }
    ]
}

The commands eb init and eb create run successfully and I am able to see the created Environment and Application in Beanstalk, and a valid EC2 instance. However, the Health status moves to Severe and the logs indicate that no ECS tasks were created. This is the error I can see:

 {
 "containerArn": "arn:aws:ecs:REGION-2:ARN:container/awseb-MYAPI",
 "taskArn": "arn:aws:ecs:REGION-2:ARN:task/awseb-MYAPI",
 "name": "local-redis",
 "image": "ARN.dkr.ecr.REGION-2.amazonaws.com/local-redis:7.2.1",
 "lastStatus": "STOPPED",
 "reason": "CannotPullECRContainerError: AccessDeniedException: User: arn:aws:sts::ARN:assumed-role/aws-elasticbeanstalk-ec2-role/ is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allo",
 "healthStatus": "UNKNOWN",
 "memory": "1024",
 "cpu": "0",
 "networkInterfaces": []
 }

I double checked, and the IAM user I am using has the following permissions:

AdministratorAccess
AdministratorAccess-AWSElasticBeanstalk
AmazonEC2ContainerRegistryFullAccess
AmazonEC2FullAccess
AWSElasticBeanstalkMulticontainerDocker
AWSElasticBeanstalkRoleECS
EC2InstanceProfileForImageBuilderECRContainerBuilds

And I noticed that EC2InstanceProfileForImageBuilderECRContainerBuilds has "ecr:GetAuthorizationToken", so I am unsure what else I am missing. Has anyone encountered this error and would be able to help me?

Would anyone know what else

No Answers
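
The denial quoted in the question names the assumed role aws-elasticbeanstalk-ec2-role as the caller, and IAM evaluates the policies of the calling principal, so that role's policies are what the image pull is checked against. The following is an added example, not part of the original post: it parses the reason string and runs a simplified identity-policy check over constructed policy documents. The function names and the contents of ROLE_BEFORE, ROLE_AFTER and USER_POLICIES are assumptions made for illustration.

```python
import fnmatch
import re

# Constructed from the "reason" field quoted in the question (truncated there too).
REASON = ("CannotPullECRContainerError: AccessDeniedException: User: "
          "arn:aws:sts::ARN:assumed-role/aws-elasticbeanstalk-ec2-role/ is not "
          "authorized to perform: ecr:GetAuthorizationToken on resource: * "
          "because no identity-based policy allo")

DENIAL = re.compile(
    r"User: arn:aws:(?:sts|iam)::[^:\s]*:(?P<kind>assumed-role|role|user)/"
    r"(?P<name>[^/\s]+)\S* is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)")

def parse_denial(reason):
    """Return the principal kind/name, action and resource named in the denial."""
    m = DENIAL.search(reason)
    return m.groupdict() if m else None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(patterns, value, fold=False):
    # IAM wildcards (* and ?) approximated with fnmatch; action names ignore case.
    norm = (lambda s: s.lower()) if fold else (lambda s: s)
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def identity_policies_allow(policies, action, resource):
    """Simplified check: explicit Deny wins, otherwise any matching Allow.
    Ignores Condition, NotAction/NotResource, boundaries and SCPs."""
    allowed = False
    for doc in policies:
        for st in _as_list(doc["Statement"]):
            hit = (_match(st.get("Action", []), action, fold=True)
                   and _match(st.get("Resource", []), resource))
            if hit and st["Effect"] == "Deny":
                return False
            allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

# Constructed policy documents (hypothetical, not read from any account).
USER_POLICIES = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]
ROLE_BEFORE = [{"Statement": [{"Effect": "Allow", "Resource": "*",
                               "Action": ["ecs:Poll", "s3:Get*", "s3:List*"]}]}]
ECR_PULL = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]}]}
ROLE_AFTER = ROLE_BEFORE + [ECR_PULL]
```

With the constructed documents, the administrator-style user policy allows the action while the role's policy does not, which is the combination that produces this denial even though the deploying user has full access.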
