CODEWITHSUNDEEP
amazon-web-servicesdockeramazon-elastic-beanstalkamazon-ecs
Nick Allen
Nick Allen

Reputation: 932

AWS Docker deployment

I have a custom docker image uploaded to ECS. I opened up the permissions to try and get through this issue (I will lock it down again once I can get this to work). I am attempting to deploy the docker image to elastic beanstalk. I have a docker enabled elastic beanstalk environment set up. According to the AWS docs, if I am pulling my image from within AWS, I don't need to pass in credentials. So I upload my Dockerrun.aws.json file and attempt to install it. It fails with the error:

Command failed on instance. Return code: 1 Output: Failed to authenticate with ECR for registry '434875166128' in 'us-east-1'. Hook /opt/elasticbeanstalk/hooks/appdeploy/pre/03build.sh failed. For more detail, check /var/log/eb-activity.log using console or EB CLI.

The /var/log/eb-activity.log information has nothing useful in it.

Here's my Dockerrun.aws.json file:

{
  "AWSEBDockerrunVersion": "1",
  "Image": {
  "Name": "{id000xxxx}.dkr.ecr.us-east-1.amazonaws.com/my-repo:1.0.0",
  "Update": "true"
  },
  "Ports": [
    {
      "ContainerPort": "4000"
    }
  ],
  "Logging": "/var/log/app-name"
}

I have also tried adding the authentication with the dockercfg.json file in S3. It didn't work for me either.

Note that I am using a business account instead of a personal account, so there may be some unknown variances as well.

Thanks!

Update: My user has full permissions at the moment too, so there shouldn't be anything permission-wise getting in the way.

Upvotes: 44

Views: 9570

Answers (3)

brianandere
brianandere

Reputation: 931

Assuming

  1. You are using Terraform to provision your infrastructure
  2. You have created a sample ElasticBeanstalk app at least once, so that you have the default role created.
  3. The default ElasticBeanstalk role is named: aws-elasticbeanstalk-ec2-role

Then you can comfortably use the following format to add ECR Read Only policy to the role:

data "aws_iam_role" "elastic_beanstalk_role" {
  name = "aws-elasticbeanstalk-ec2-role"
}

resource "aws_iam_policy" "ebs_ecr_policy" {
  name        = "aws-elasticbeanstalk-ec2-ecr-policy"
  description = "Enable elastic-beanstalk to be able to access ECR repository with images"
  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"
            ],
            "Resource": "*"
        }
    ]
}
EOF
}

resource "aws_iam_policy_attachment" "ebs_ecr-policy-attach" {
  name       = "ebs-ecr-policy-attachment"
  roles      = [data.aws_iam_role.elastic_beanstalk_role.name]
  policy_arn = aws_iam_policy.ebs_ecr_policy.arn
}

This way you can manage updates to the role and policy from your infrastructure code.

Upvotes: 1

JayMore
JayMore

Reputation: 221

You can intialize necessary service roles for elastic beanstalk (aws-elasticbeanstalk-ec2-role , aws-elasticbeanstalk-service-role , AWSServiceRoleForECS ) by using the new console of Elastic Beanstalk. You have to do this only one time on each AWS account :

  • Go to the Elastic beanstalk console.
  • Accept the "new design" : in the top of the console, if see a message "we re testing a new design", optin to accept to use the new version of the console. Warning, it seems you cant rollback to the old console.
  • Start the Create New Application wizard, and use a default sample application in the technology.
  • Complete all the step of the wizard until the resume, and look at the Security pannel : you will see the two roles "aws-elasticbeanstalk-ec2-role" and "aws-elasticbeanstalk-service-role". And terminate the wizard to create the sample app.
  • After a while, the application should be running
  • In case of emergency, go to the IAM console and delete the roles aws-elasticbeanstalk-ec2-role and aws-elasticbeanstalk-service-role and run the wizard again.

I fixed the "Command failed on instance. Return code: 1 Output: Failed to authenticate with ECR for registry" and an other strange error ("The AWS Access Key Id you provided does not exist in our records. (ElasticBeanstalk::ManifestDownloadError)") by using the NEW console. I still had this error with the old one.

Upvotes: 0

Anter
Anter

Reputation: 1025

I was having the same problem.

Solution: In AWS -> IAM -> Roles - > pick the role your beanstalk is using.

In my case it was set to aws-elasticbeanstalk-ec2-role

Under Permissions for the role, attach policy: AmazonEC2ContainerRegistryReadOnly

In ECR there is no need to give any permissions to this role.

Upvotes: 88

Related Questions