Thomas

Reputation: 2276

Beanstalk getting container image from different (ECR) AWS account

I am facing an issue with Beanstalk and ECR being in different AWS accounts.

In "Dockerrun.aws.json", the image I am trying to pull belongs to another AWS account (same organisation, but a different account ID).

"Image": { "Name": "XXXXXXX.dkr.ecr.eu-central-1.amazonaws.com/YYYYYYY", "Update": "true" },

In the ECR permissions I already added a policy to allow Beanstalk (in the other AWS account) to pull the image:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Allow webapp aws account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ZZZZZZZZZZZ:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy",
                "ecr:GetLifecyclePolicy",
                "ecr:PutLifecyclePolicy",
                "ecr:DeleteLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:StartLifecyclePolicyPreview"
            ]
        }
    ]
}

But when I try to build the Beanstalk environment I still get the following error:

because: Failed to authenticate with ECR for registry 'XXXXXX' in 'eu-central-1' (ElasticBeanstalk::ExternalInvocationError)
caused by: Failed to authenticate with ECR for registry 'XXXXX' in 'eu-central-1' (Executor::NonZeroExitStatus

I wonder how I could solve this issue. If I could use the Authentication parameter in Dockerrun.aws.json, that would be great. But I'm not sure if it works with ECR, since the token expires after 12 hours.

    "Authentication": {
        "Bucket": "elasticbeanstalk-eu-central-1-XXXXX",
        "Key": "aws_credentials.json"
    },

Upvotes: 2

Views: 1695

Answers (1)

JTP

Reputation: 231

When Elastic Beanstalk pulls a Docker image during deployment, it uses the EC2 instance profile of your Elastic Beanstalk runtime environment. This means you will have to:

  1. Grant the role of your instance profile permission to pull from your ECR repository. You end up with a repository policy document that looks something like:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "ElasticBeanstalkApplicationInstance",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ZZZZZZZZZZZ:role/YourElasticBeanstalkApplicationIamRole-A1B2C3D4E5"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}

Note: as far as I know, granting such a permission cannot be done in the admin console, meaning you'll have to do it using CloudFormation.

  2. Give your Elastic Beanstalk runtime instance permission to get the authorization token and the image from your repository. This is done by creating the following policy and attaching it to your instance profile role in IAM (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.container.console.html#docker-images-ecr):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEbAuth",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowPull",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ecr:us-east-2:account-id:repository/repository-name"
            ],
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:BatchGetImage"
            ]
        }
    ]
}

Upvotes: 3
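The answer's two steps are two different policies evaluated in two different accounts: the repository policy in the account that owns the image must admit the instance profile role, and the role's own identity policy in the Beanstalk account must grant ecr:GetAuthorizationToken (always on Resource "*") plus the pull actions on the repository ARN. Missing either side produces the same "Failed to authenticate with ECR" error, so it helps to check both policies before deploying. The script below is an added example, not code from the question, the answer or AWS: it is an offline preflight that takes the two policy documents and reports what is missing. The account IDs, role name and repository name are made-up placeholders; it only evaluates Allow statements and ignores explicit Deny, NotAction/NotPrincipal, Condition blocks and SCPs, all of which can still block a pull in a real environment.

```python
"""Offline preflight for a cross-account ECR pull from an Elastic Beanstalk
instance profile. Added example; all identifiers are constructed placeholders."""
import fnmatch

# Actions the Docker daemon on the instance needs on the *repository* side
PULL_ACTIONS = {
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability",
}
# Action the instance profile needs in its *own* account; only valid on Resource "*"
AUTH_ACTION = "ecr:GetAuthorizationToken"


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and accept '*' / '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _principal_covers(principal, role_arn):
    """True if a resource-policy Principal admits role_arn: the role ARN itself,
    the account root ARN or bare account id (delegation to the whole account),
    or the wildcard principal."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account = role_arn.split(":")[4]
    accepted = {role_arn, f"arn:aws:iam::{account}:root", account, "*"}
    return any(p in accepted for p in _as_list(principal.get("AWS")))


def granted(policy, required, principal=None, resource=None):
    """Subset of `required` actions that some Allow statement in `policy` grants.
    Only Allow statements are evaluated (explicit Deny, NotAction/NotPrincipal,
    Condition and SCPs are out of scope for this check)."""
    got = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if principal is not None and not _principal_covers(stmt.get("Principal"), principal):
            continue
        if resource is not None and not any(
            fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt.get("Resource"))
        ):
            continue
        patterns = _as_list(stmt.get("Action"))
        got |= {a for a in required if any(_action_matches(p, a) for p in patterns)}
    return got


def diagnose(repo_policy, role_policy, role_arn, repo_arn):
    """Return a list of problems; an empty list means both sides allow the pull.
    repo_policy: ECR repository policy in the account that owns the image.
    role_policy: identity policy attached to the Beanstalk instance profile role."""
    problems = []
    missing = PULL_ACTIONS - granted(repo_policy, PULL_ACTIONS, principal=role_arn)
    if missing:
        problems.append(f"repository policy does not allow {sorted(missing)} for {role_arn}")
    if not granted(role_policy, {AUTH_ACTION}, resource="*"):
        problems.append(f'instance profile role lacks {AUTH_ACTION} on Resource "*"')
    missing = PULL_ACTIONS - granted(role_policy, PULL_ACTIONS, resource=repo_arn)
    if missing:
        problems.append(f"instance profile role lacks {sorted(missing)} on {repo_arn}")
    return problems


# Constructed sample data (placeholder account ids, role and repository names)
ECR_ACCOUNT, EB_ACCOUNT = "111122223333", "444455556666"
REPO_ARN = f"arn:aws:ecr:eu-central-1:{ECR_ACCOUNT}:repository/webapp"
ROLE_ARN = f"arn:aws:iam::{EB_ACCOUNT}:role/aws-elasticbeanstalk-ec2-role"

# Repository policy shaped like the one in the question: whole EB account as principal
REPO_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "Allow webapp aws account",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{EB_ACCOUNT}:root"},
        "Action": sorted(PULL_ACTIONS),
    }],
}
# Situation in the question: the instance profile has no ECR permissions of its own
EMPTY_ROLE_POLICY = {"Version": "2012-10-17", "Statement": []}
# The answer's second policy, with this example's region and repository ARN
FIXED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEbAuth", "Effect": "Allow", "Action": [AUTH_ACTION], "Resource": ["*"]},
        {"Sid": "AllowPull", "Effect": "Allow", "Resource": [REPO_ARN],
         "Action": sorted(PULL_ACTIONS)},
    ],
}

if __name__ == "__main__":
    for label, policy in (("before", EMPTY_ROLE_POLICY), ("after", FIXED_ROLE_POLICY)):
        print(label, diagnose(REPO_POLICY, policy, ROLE_ARN, REPO_ARN) or ["ok"])
```

In practice you would feed diagnose() the output of `aws ecr get-repository-policy` from the image account and the instance profile role's policy documents from the Beanstalk account. The principal check deliberately accepts the account root ARN, as in the question's policy, because that delegates to any identity in the account whose own policy allows the action; narrowing it to the role ARN, as the answer does, is the least-privilege form.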
