Reputation: 2466
I am trying to run an image in AWS ECS hosted in my company's private registry. According to AWS, this is entirely possible as long as I use the guide from https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html and follow the section Enabling private registry authentication. I have created a secret in AWS Secrets Manager called testSecret in plaintext format with the JSON structure provided in the link above, like:

    {
      "username": "myuser",
      "password": "mypass"
    }
I reference it in my ECS job definition in the Secrets section with the name myRegistryCreds and then enter the ARN value of the secret above in the Value From section.
Whenever I try to run the job though, I get the error below:
    CannotPullContainerError: Error response from daemon: Head "https://myprivateregistry.com/myrepo/helloworld/manifests/latest": no basic auth credentials
The policy attached to my execution role mimics what is in the AWS guide as well:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "secretsmanager:GetSecretValue"
          ],
          "Resource": [
            "arn:aws:secretsmanager:<awsRegion>:<myAWSaccount>:secret:testSecret-CtEe8E",
            "arn:aws:kms:*:<myAWSaccount>:key/*"
          ]
        }
      ]
    }
My working task definition:
    {
      "containerDefinitions": [
        {
          "name": "default",
          "image": "myprivatregistry.com/repo/helloworld:latest",
          "repositoryCredentials": {
            "credentialsParameter": "arn:aws:secretsmanager:us-east-1:AWSACCOUNT:role:secret:REGISTRYKEY"
          },
          "cpu": 2,
          "memory": 1000,
          "portMappings": [],
          "essential": true,
          "environment": [],
          "mountPoints": [],
          "volumesFrom": [],
          "linuxParameters": {
            "tmpfs": []
          },
          "logConfiguration": {
            "logDriver": "awslogs",
            "options": {
              "awslogs-group": "/aws/batch/job",
              "awslogs-region": "us-east-1",
              "awslogs-stream-prefix": "hello-world"
            }
          }
        }
      ],
      "family": "hello-world",
      "executionRoleArn": "arn:aws:iam::AWSACCOUNT:role/ecsTaskExecutionRole"
    }
Does anyone know what I am missing / how to use an image from an external, private registry in AWS ECS?
Upvotes: 1
Views: 6790
Reputation: 705
Secrets Manager encrypts secrets by default; there is no option to store "plain text".

Check if the task execution role has the kms:Decrypt action allowed.

Based on the added task definition, you are missing the repositoryCredentials section in the containerDefinitions array. It should be:
    {
      "taskDefinition": {
        "taskDefinitionArn": "arn:aws:ecs:aws-region:awsAccount:task-definition/my-task-definition:7",
        "containerDefinitions": [
          {
            "name": "default",
            "image": "myprivateregistry.com/myrepo/helloworld:latest",
            "repositoryCredentials": {
              "credentialsParameter": "arn:aws:secretsmanager:aws-region:awsAccount:secret:testSecret-CtEe8E"
            },
            "cpu": 0,
            "memory": 1,
            "portMappings": [],
            "essential": true,
            "environment": [],
            "mountPoints": [],
            "volumesFrom": [],
            "linuxParameters": {
              "tmpfs": []
            },
            "secrets": null,
            "logConfiguration": {
              "logDriver": "awslogs",
              "options": {
                "awslogs-group": "/aws/batch/job",
                "awslogs-region": "aws-region",
                "awslogs-stream-prefix": "my-task-definition"
              }
            }
          }
        ],
        "family": "my-task-definition",
        "executionRoleArn": "arn:aws:iam::awsAccount:role/ecsTaskExecutionRole",
        "networkMode": "host",
        "revision": 7,
        "volumes": [],
        "status": "ACTIVE",
        "requiresAttributes": [
          {
            "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
          },
          {
            "name": "ecs.capability.execution-role-awslogs"
          },
          {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
          },
          {
            "name": "ecs.capability.secrets.asm.environment-variables"
          },
          {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.22"
          },
          {
            "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
          }
        ],
        "placementConstraints": [],
        "compatibilities": [
          "EXTERNAL",
          "EC2"
        ],
        "registeredAt": 1643130577.733,
        "registeredBy": "arn:aws:sts::awsAccount:assumed-role/AWSServiceRoleForBatch/aws-batch"
      }
    }
Upvotes: 0
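The question's setup (a `{"username","password"}` secret referenced from `repositoryCredentials.credentialsParameter`, fetched by the execution role) and the answer's two checks (the role's `kms:Decrypt` / `secretsmanager:GetSecretValue` permissions, and the presence of `repositoryCredentials` in `containerDefinitions`) can be verified before a task is ever launched. The script below is an added example, not code from the question, the answer or AWS: it runs offline against task-definition and policy JSON, with the account number, ARNs and secret values being constructed placeholders and an in-memory dict standing in for `secretsmanager:GetSecretValue`. Its IAM evaluation is deliberately simplified (Allow statements and `*` wildcards only; Deny, Condition and resource policies are ignored), so a clean result means "nothing obviously missing", not a full policy simulation. It flags the two mistakes visible in the thread: a container without `repositoryCredentials`, which makes the daemon pull anonymously and produce exactly the "no basic auth credentials" error, and a `credentialsParameter` that is not a Secrets Manager ARN (such as one with `:role:` spliced into it).

```python
"""Offline sanity check for an ECS task definition that pulls from a private registry.

Added example, not code from the question or answer; ARNs, account numbers and secret
values are constructed placeholders. Without calling AWS it checks the repositoryCredentials
ARN, the execution-role policy (GetSecretValue, and kms:Decrypt for a customer-managed key)
and the {"username", "password"} JSON shape of the secret.
"""
import json
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# arn:aws:secretsmanager:<region>:<12-digit account>:secret:<name>-<random suffix>
SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:secret:[A-Za-z0-9/_+=.@-]+$")


def check_secret_value(secret_string: str) -> List[str]:
    """ECS expects a JSON object with non-empty 'username' and 'password' keys."""
    try:
        value = json.loads(secret_string)
    except json.JSONDecodeError:
        return ['secret value is not JSON (expected {"username": ..., "password": ...})']
    if not isinstance(value, dict):
        return ["secret value is JSON but not an object"]
    return [f"secret JSON is missing a non-empty '{k}' key"
            for k in ("username", "password") if not value.get(k)]


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """True if an Allow statement matches action and resource (IAM * wildcards); Deny,
    Condition, NotAction/NotResource and resource policies are deliberately ignored."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        # IAM action names are case-insensitive; resource ARNs are case-sensitive.
        if (any(fnmatchcase(action.lower(), a.lower()) for a in actions)
                and any(fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def check_task_definition(task_def: dict, exec_role_policy: dict, secret_values: Dict[str, str],
                          kms_key_arn: Optional[str] = None) -> List[str]:
    """Return findings; empty means the pull should work. secret_values (ARN -> secret string)
    stands in for GetSecretValue so this runs offline; kms_key_arn is a customer-managed key,
    or None for the default aws/secretsmanager key, which needs no explicit kms:Decrypt."""
    findings = []
    if not task_def.get("executionRoleArn"):
        findings.append("no executionRoleArn: the execution role is what fetches the credentials")
    for cd in task_def.get("containerDefinitions", []):
        name = cd.get("name", "<unnamed>")
        arn = (cd.get("repositoryCredentials") or {}).get("credentialsParameter", "")
        if not arn:
            findings.append(f"{name}: no repositoryCredentials.credentialsParameter, so the pull "
                            "is anonymous ('no basic auth credentials')")
            continue
        if not SECRET_ARN_RE.match(arn):
            findings.append(f"{name}: credentialsParameter is not a Secrets Manager ARN: {arn}")
            continue
        if not policy_allows(exec_role_policy, "secretsmanager:GetSecretValue", arn):
            findings.append(f"{name}: execution role cannot GetSecretValue on {arn}")
        if kms_key_arn and not policy_allows(exec_role_policy, "kms:Decrypt", kms_key_arn):
            findings.append(f"{name}: execution role cannot kms:Decrypt {kms_key_arn}")
        if arn not in secret_values:
            findings.append(f"{name}: secret {arn} does not exist (check the -XXXXXX suffix)")
        else:
            findings.extend(f"{name}: {f}" for f in check_secret_value(secret_values[arn]))
    return findings


# Constructed sample inputs mirroring the question's setup (placeholder account and ARNs).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:testSecret-CtEe8E"
EXEC_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "kms:Decrypt"],
    "Resource": [SECRET_ARN, "arn:aws:kms:*:123456789012:key/*"]}]}
SECRETS = {SECRET_ARN: json.dumps({"username": "myuser", "password": "mypass"})}


def sample_task_def(credentials_parameter: Optional[str]) -> dict:
    """Minimal task definition like the question's, with or without repositoryCredentials."""
    container = {"name": "default", "essential": True,
                 "image": "myprivateregistry.com/myrepo/helloworld:latest"}
    if credentials_parameter:
        container["repositoryCredentials"] = {"credentialsParameter": credentials_parameter}
    return {"family": "hello-world", "containerDefinitions": [container],
            "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole"}


if __name__ == "__main__":
    for td in (sample_task_def(SECRET_ARN), sample_task_def(None)):
        print(check_task_definition(td, EXEC_ROLE_POLICY, SECRETS) or "OK")
```

To use it against a real account, replace `SECRETS` with the output of `aws secretsmanager get-secret-value` for the ARN in question and feed the execution role's attached policy documents to `exec_role_policy`; pass `kms_key_arn` only when the secret was created with a customer-managed key, since the default `aws/secretsmanager` key does not require an explicit `kms:Decrypt` statement in the execution role.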