
Can't pull a docker image from a private ECR repository inside an EC2 instance


I'm currently running an EC2 instance inside a vpc v2 environment. Inside the EC2 instance I'm trying to execute a docker pull command from a private repository on ECR. Doing a docker pull command gives an error: permission denied while trying to connect to the Docker daemon socket. When running with the sudo command it gives another error: Error response from daemon: Head ....: no basic auth credentials.

Before I do a pull I first log in successfully with the docker client: aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.<region>.amazonaws.com

The aws-cli command has access to the ECR repository. When using the aws ecr describe-repositories --repository-names command, it returns details about the repository.

To the EC2 instance profile role I've added the policy AmazonEC2ContainerRegistryReadOnly to be able to read the repository on ECR. That didn't work. I removed this policy and added the AmazonEC2ContainerRegistryFullAccess policy, also without success.

When running docker login or sudo docker login the result doesn't show registry information. It appears the docker client isn't authenticated to read the ecr repository.

Do I need to update the policy or something else to be able to pull a docker image?

3 Answers
Accepted Answer

The solution was to update the command to authenticate the docker client with sudo. Before I used: aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.<region>.amazonaws.com

After I used sudo: aws ecr get-login-password --region <region> | sudo docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.<region>.amazonaws.com

After this, I was able to pull the docker image from ecr.

answered a year ago
EXPERT
reviewed a year ago
  • that was a lifesaver lol thank you
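Why the sudo login fixed it, as an added example that is not part of the thread: a docker client reads the config.json of the account that runs it, so a token stored by `docker login` run as ec2-user is never seen by `sudo docker pull`, which reads root's file. The script below checks which config.json a pull will consult and whether the ECR registry has an auth entry there; it uses a constructed sample config and assumes non-root home directories live under /home/<user>, and it never calls aws or docker itself.

```shell
#!/bin/sh
# Added example, not part of the original thread. Diagnoses the "no basic auth
# credentials" error: a docker client reads the config.json of the account that
# runs it, so `docker login` as ec2-user and `sudo docker pull` as root use two
# different files. Assumes non-root home directories live under /home/<user>.

# Path of the config.json a docker client consults when run by account $1
# ("root" when the command is run through sudo).
docker_config_for() {
  if [ "$1" = "root" ]; then
    echo "/root/.docker/config.json"
  else
    echo "/home/$1/.docker/config.json"
  fi
}

# Succeed (0) if config file $1 holds an "auths" entry for registry $2.
# docker login stores entries as "auths": { "<registry>": { "auth": "..." } }.
has_registry_auth() {
  [ -r "$1" ] || return 1
  grep -qF "\"$2\"" "$1"
}

# Report whether a pull run as $3 will find the token written by a login run as $2.
# Prints the verdict and returns 0 only when both accounts read the same file.
login_matches_pull() {
  registry="$1"; login_user="$2"; pull_user="$3"
  login_cfg=$(docker_config_for "$login_user")
  pull_cfg=$(docker_config_for "$pull_user")
  if [ "$login_cfg" = "$pull_cfg" ]; then
    echo "ok: login and pull both use $pull_cfg"
    return 0
  fi
  echo "mismatch: token for $registry is in $login_cfg, pull reads $pull_cfg"
  echo "fix: run the login with the same privilege as the pull, e.g."
  echo "  aws ecr get-login-password --region <region> | sudo docker login --username AWS --password-stdin $registry"
  return 1
}

# Demo on a constructed config.json (sample account id, region and token; not real).
demo() {
  tmp=$(mktemp -d)
  registry="123456789012.dkr.ecr.eu-west-1.amazonaws.com"
  printf '{"auths":{"%s":{"auth":"QVdTOmV4YW1wbGU="}}}\n' "$registry" > "$tmp/config.json"
  has_registry_auth "$tmp/config.json" "$registry" && echo "auth entry found in $tmp/config.json"
  login_matches_pull "$registry" ec2-user root || true
  rm -rf "$tmp"
}
demo
```

On a real instance, run `login_matches_pull <registry> "$(id -un)" root` to see the mismatch the question describes, then `has_registry_auth "$(docker_config_for root)" <registry>` after the sudo login to confirm the token landed where the pull will look.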


Hello there,

Take a glance at the logs cat ~/.ecr/log/ecr-login.log to get more insight into what's going on.

You can refer to this documentation:

no basic auth credentials from the docker push or docker pull commands - https://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors-docker.html#error-403

AWS
EXPERT
answered a year ago
  • Thank you for your reply. There is no .ecr folder present inside the EC2 instance.

  • If your EC2 instance is configured to use the Amazon ECR credential helper, only then you will be able to see logs from the Amazon ECR Docker Credential Helper stored in ~/.ecr/log

    Running docker login should return the message "Login Succeeded".

    The EC2 instance profile role with added policy AmazonEC2ContainerRegistryReadOnly gives the EC2 instance the ability to list repositories and images within the repositories. It also includes the ability to pull images from Amazon ECR with the Docker CLI.

    Some recommendations:

    1. Just to be sure you are not previously logged in and using stale credentials, you can log your Docker CLI out. docker logout <aws-account-id>.dkr.ecr.<region>.amazonaws.com

    2. Be sure to ensure that Amazon ECR can authenticate and authorize your Docker push and pull requests from that EC2 instance. See options here: https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html


Hi,

Look on this page for all details: https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html

This is a sample policy, provided there, that allows pulling images. You want to check your existing ECR-related policies to see if you grant the same permissions, ecr:BatchGetImage and ecr:GetDownloadUrlForLayer.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::account-id:user/pull-user-1",
                    "arn:aws:iam::account-id:user/pull-user-2"
                ]
            },
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ]
        },
        {
            "Sid": "AllowAll",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account-id:user/admin-user"
            },
            "Action": [
                "ecr:*"
            ]
        }
    ]
}

Best,

Didier

EXPERT
answered a year ago
  • Thank you for the reply. I've added a custom policy, in response to your reply:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Resource": "*",
                "Sid": "AllowPull",
                "Effect": "Allow",
                "Action": [
                    "ecr:BatchGetImage",
                    "ecr:GetDownloadUrlForLayer"
                ]
            },
            {
                "Sid": "AllowAll",
                "Resource": "*",
                "Effect": "Allow",
                "Action": [
                    "ecr:*"
                ]
            }
        ]
    }


    AWS editor was complaining about Principal being unsupported, which is why I didn't use it. Is this policy correct?

    Doing a docker pull still returns the same error message.
