- Newest
- Most votes
- Most comments
Check this link it might help your case:
https://docs.aws.amazon.com/AmazonECR/latest/userguide/Repositories.html#repository-concepts
Hello,
It sounds like your task execution role might not have the right permissions? Confirm that your ecsTaskExecutionRole has the following policy attached: AmazonECSTaskExecutionRolePolicy. The trust relationship should also look like:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
If that doesn't work, I would verify that if you are doing any cross-account image pulling that your ECR repository has permissions that specifically allow the arn of your ecsTaskExecutionRole like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::XXXXXXXXXXXX:role/ecsTaskExecutionRole"
]
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
Hope this helps! If not, please provide more detail on your architecture and IAM details.
Hi, @grahamschuckman thanks for your reply. My AmazonECSTaskExecutionRolePolicy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
and I am not doing any cross account image pulling. The image is stored is same AWS account in ECR private repo.
Have a look at this article.
https://aws.amazon.com/premiumsupport/knowledge-center/ecs-tasks-pull-images-ecr-repository/
Follow the steps related to the ECS launch type you use (EC2 or Fargate). It should fix your issue.
Relevant content
- asked 2 years ago
- asked 2 years ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 10 months ago
I tried this but still not working