pbajpai

Reputation: 1369

AWS ECR docker pull failed with IAM permission

I have a question related to AWS ECR and IAM (I tried searching on the internet but didn't find any explanation that was satisfactory to me).

Scenario:

  1. I have a docker repository (say my-test-repo) created under ECR, and I have already pushed some images to it.
  2. I have an EC2 instance with docker installed, and I want to pull the image from this repo.
  3. To make it work, I created an IAM policy (say my-ecr-policy) that has all the permissions defined on this ECR resource.
  4. I created an IAM role (say my-ecr-ec2-role) for which EC2 is the trusted entity, with the IAM policy created above (my-ecr-policy) attached to it.
  5. I attached this IAM role (my-ecr-ec2-role) to the EC2 instance.
  6. I've also created a permissions statement on the ECR registry that allows my IAM user full rights.
  7. Now I logged into the EC2 instance shell and tried to docker pull the image present in this ECR.

But the docker pull command (on the EC2 instance) failed with the error below. From the error it seems that docker login is still required even when an IAM role is attached to this EC2 instance.

ubuntu@ip-90-90-52-12:~$ docker pull <aws-account-id>.dkr.ecr.us-west-2.amazonaws.com/my-test-repo:v999
Error response from daemon: Head "https://<aws-account-id>.dkr.ecr.us-west-2.amazonaws.com/v2/my-test-repo/manifests/v999": no basic auth credentials

My Question:

If an EC2 instance has an IAM role (the role has EC2 as the trusted entity and has permissions to access ECR), is docker login still required before doing a pull? If yes, then what is the purpose of IAM in the case of ECR access, as I still need to do docker login with the secret provided by aws ecr get-login-password?

Upvotes: 1

Views: 2144

Answers (1)

Manupriya Logus

Reputation: 1

If you have an EC2 instance with an IAM role that has the necessary permissions to access Amazon Elastic Container Registry (ECR), you should be able to access ECR without providing any explicit authentication credentials (e.g., access key, secret key, session token).

In this case, you don't need to use aws ecr get-login-password command to generate temporary credentials and run docker login command. Instead, you can use the docker CLI directly to pull images from ECR. The docker CLI should automatically retrieve the necessary credentials from the EC2 instance's IAM role.

However, if you are still being prompted for authentication when you try to pull images from ECR, there may be a misconfiguration in your IAM role or ECR permissions. You can try checking the following:

  1. Ensure that the IAM role is correctly associated with the EC2 instance by checking the instance metadata
  2. Verify the IAM

Upvotes: 0
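The asker's setup (steps 3 to 7 of the question) and the answer's troubleshooting checklist both turn on one mechanism that neither post spells out. Docker talks to a registry over the Docker Registry HTTP API and only understands basic auth; it never reads the instance role's credentials from IMDS. The instance role is still what authorizes the pull, but it is consumed one step earlier: the role's SigV4 credentials are exchanged for a 12-hour registry password via ecr:GetAuthorizationToken (what aws ecr get-login-password does, and what amazon-ecr-credential-helper automates), and that password is what docker sends. Two consequences follow for a least-privilege role: ecr:GetAuthorizationToken is a registry-level call and must be allowed on Resource "*", so a policy scoped only to the repository ARN (one reading of step 3) silently breaks the token step, and the pull itself needs only three repository-scoped actions. The following added example, written for this page and not code from either poster or from AWS, builds that minimal policy, lints a policy document for those two mistakes, and emits the login step and the credential-helper config. The account ID and the repo-scoped policy are constructed placeholders, and the linter models only Allow statements (no explicit Deny, SCPs, or registry policy).

```python
"""
Added example for the ECR pull question: what the instance role has to
grant, and why `docker pull` still fails without a registry login.
Account ID below is a placeholder, not the poster's.
"""
import fnmatch
import json
import shlex

ACCOUNT_ID = "123456789012"   # assumed placeholder
REGION = "us-west-2"
REPO = "my-test-repo"

# Registry-level call: exchanges IAM (SigV4) credentials for a 12-hour
# registry password. It is not resource-scoped, so it needs Resource "*".
TOKEN_ACTION = "ecr:GetAuthorizationToken"
# Repository-scoped calls behind a `docker pull`.
PULL_ACTIONS = (
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
)


def repo_arn(account_id, region, repo):
    return f"arn:aws:ecr:{region}:{account_id}:repository/{repo}"


def registry_host(account_id, region):
    return f"{account_id}.dkr.ecr.{region}.amazonaws.com"


def pull_policy(account_id, region, repo):
    """Least-privilege identity policy for pulling from one repository."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "GetRegistryToken", "Effect": "Allow",
             "Action": TOKEN_ACTION, "Resource": "*"},
            {"Sid": "PullFromRepo", "Effect": "Allow",
             "Action": list(PULL_ACTIONS),
             "Resource": repo_arn(account_id, region, repo)},
        ],
    }


# Constructed reconstruction of step 3 of the question: every ECR action,
# but only on the repository ARN. This is an assumption about that policy.
REPO_SCOPED_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ecr:*",
                   "Resource": repo_arn(ACCOUNT_ID, REGION, REPO)}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(policy, action, resource):
    """True if some Allow statement matches action and resource, using
    IAM-style '*' wildcards. Deny statements and SCPs are not modeled."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st.get("Action", []))):
            continue
        if any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st.get("Resource", []))):
            return True
    return False


def lint_pull_policy(policy, account_id, region, repo):
    """Return the problems that would make `docker pull` from `repo` fail."""
    problems = []
    if not _allows(policy, TOKEN_ACTION, "*"):
        problems.append(f'{TOKEN_ACTION} must be allowed on Resource "*" '
                        "(registry-level call; a repository ARN does not match)")
    arn = repo_arn(account_id, region, repo)
    for action in PULL_ACTIONS:
        if not _allows(policy, action, arn):
            problems.append(f"{action} is not allowed on {arn}")
    return problems


def docker_login_command(account_id, region):
    """The login step the role-bearing instance still has to run first."""
    return (f"aws ecr get-login-password --region {shlex.quote(region)} | "
            f"docker login --username AWS --password-stdin "
            f"{registry_host(account_id, region)}")


def credential_helper_config(account_id, region):
    """~/.docker/config.json entry that makes docker invoke
    docker-credential-ecr-login (amazon-ecr-credential-helper) for this
    registry, so the token exchange happens on every pull without a login."""
    return {"credHelpers": {registry_host(account_id, region): "ecr-login"}}


if __name__ == "__main__":
    print("minimal pull policy:")
    print(json.dumps(pull_policy(ACCOUNT_ID, REGION, REPO), indent=2))
    print("\nlint of the repo-scoped-only policy:")
    for p in lint_pull_policy(REPO_SCOPED_ONLY, ACCOUNT_ID, REGION, REPO):
        print(" -", p)
    print("\nlogin step:", docker_login_command(ACCOUNT_ID, REGION))
    print("credential helper config:",
          json.dumps(credential_helper_config(ACCOUNT_ID, REGION)))
```

Run it on the instance against the policy actually attached to the role (aws iam get-policy-version returns the document) before touching the registry policy: a clean lint plus the "no basic auth credentials" error means the policy is fine and only the login step (or the credential helper) is missing; a lint finding on GetAuthorizationToken means aws ecr get-login-password itself will be denied, which is the failure mode the repo-scoped policy in step 3 produces.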
