arabv

Reputation: 31

AWS Fargate private subnet, pulling from ECR

I have a Fargate task defined in the private subnet (no internet access). I defined endpoints (PrivateLinks) for: s3 (gateway), ecr.api, ecr.dkr, ecr.logs (interfaces). I added egress on 443/TCP to the s3 gateway and ecr. I set enable_dns_hostnames = true and enable_dns_support = true in the VPC. I'm getting a weird error which I do not know how to troubleshoot: CannotPullContainerError: ref pull has been retried 5 time(s): failed to copy: httpReaderSeeker: failed open: failed to do request: Get https://prod-eu-west-2-starport-layer-bucket.s3.eu-west-2.amazonaws.com/

Any ideas? I spent 7 hours today going through the docs, with no success... I'm using Fargate 1.40.

Upvotes: 2

Views: 3587

Answers (2)

Wei Chen

Reputation: 625

When you see that we are trying to get the pre-signed URL from S3 (https://prod-eu-west-2-starport-layer-bucket....), it means that we have passed the permission problem and are encountering a networking issue when trying to get the ECR image artifact from AWS-managed S3.

It is probably caused by one or some of the following issues:

  • VPC-Endpoints (PrivateLink) setting
  • Security Groups inbound rules
  • VPC subnet Network-ACL restriction

Following this document and checking it line by line might help to debug the problem: https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html

Upvotes: 2
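As an added example (not part of the answer above), the following script checks the three endpoint-related points the answer lists against records shaped like the output of `aws ec2 describe-vpc-endpoints`: it verifies that the interface endpoints for ecr.api, ecr.dkr and logs exist with private DNS enabled, and that the S3 gateway endpoint is attached to the route table of the subnet the task runs in. The field names (ServiceName, VpcEndpointType, PrivateDnsEnabled, RouteTableIds) are those of the real API; the endpoint records and route table IDs are constructed sample data.

```python
"""Check that a VPC has the endpoints a private-subnet Fargate task needs to
pull from ECR, given records shaped like `aws ec2 describe-vpc-endpoints`."""

# ecr.api / ecr.dkr / logs are interface endpoints and need private DNS so the
# service hostnames resolve to endpoint IPs; s3 is a gateway endpoint that must
# be attached to the route table of the subnet the task runs in.
REQUIRED_INTERFACE = {"ecr.api", "ecr.dkr", "logs"}
REQUIRED_GATEWAY = {"s3"}


def check_endpoints(endpoints, region, task_route_table_id):
    """Return a list of problems found; an empty list means every check passed."""
    prefix = f"com.amazonaws.{region}."
    by_service = {ep["ServiceName"][len(prefix):]: ep
                  for ep in endpoints if ep["ServiceName"].startswith(prefix)}
    problems = []
    for svc in sorted(REQUIRED_INTERFACE):
        ep = by_service.get(svc)
        if ep is None:
            problems.append(f"missing interface endpoint for {svc}")
        elif ep.get("VpcEndpointType") != "Interface":
            problems.append(f"{svc} endpoint is not an Interface endpoint")
        elif not ep.get("PrivateDnsEnabled", False):
            problems.append(f"{svc} endpoint has private DNS disabled")
    for svc in sorted(REQUIRED_GATEWAY):
        ep = by_service.get(svc)
        if ep is None:
            problems.append(f"missing gateway endpoint for {svc}")
        elif ep.get("VpcEndpointType") != "Gateway":
            problems.append(f"{svc} endpoint is not a Gateway endpoint")
        elif task_route_table_id not in ep.get("RouteTableIds", []):
            problems.append(f"{svc} gateway endpoint not on route table {task_route_table_id}")
    return problems


# Constructed sample (not real account data): ecr.dkr lacks private DNS, the
# logs endpoint is missing, and the S3 gateway is on a different route table.
REGION = "eu-west-2"
SAMPLE_ENDPOINTS = [
    {"ServiceName": f"com.amazonaws.{REGION}.ecr.api", "VpcEndpointType": "Interface",
     "PrivateDnsEnabled": True},
    {"ServiceName": f"com.amazonaws.{REGION}.ecr.dkr", "VpcEndpointType": "Interface",
     "PrivateDnsEnabled": False},
    {"ServiceName": f"com.amazonaws.{REGION}.s3", "VpcEndpointType": "Gateway",
     "RouteTableIds": ["rtb-public0000"]},
]

if __name__ == "__main__":
    for problem in check_endpoints(SAMPLE_ENDPOINTS, REGION, "rtb-private0000"):
        print("PROBLEM:", problem)
```

Feed it the `VpcEndpoints` list from the real describe call and the route table ID of the task's subnet; security group and network ACL rules still have to be checked separately.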

Pierre

Reputation: 2912

The "CannotPullContainerError" seems to indicate that ECS is not able to get the container from ECR or Docker Hub or wherever you're trying to pull the container from.

If your ECS TaskDefinition is pointing to a container in ECR, then ECS will try to pull it from there. And it can only pull it from ECR if the TaskDefinition has a TaskExecutionRole which has the privileges to pull your container from ECR.

Can you confirm that your ECS TaskDefinition has an ECS TaskExecutionRole which has proper ecr privs?

Upvotes: 1
