
I am trying to create an ECS task and be able to access and pull from ECR, but I am getting an error. How can I resolve this issue?

Raw error:

Cannotpullcontainererror: pull image manifest has been retried 1 time(s): failed to resolve ref {accId}.dkr.ecr.us-east-1.amazonaws.com/test-container:latest: {accId}.dkr.ecr.us-east-1.amazonaws.com/test-container:latest: not found

AWSTemplateFormatVersion: '2010-09-09'
Description: 'ECS service, cluster, and ECR'

Resources:
  # ECR repository
  EcrRepository:
    Type: 'AWS::ECR::Repository'
    Properties:
      RepositoryName: 'test-container'
  # ECS cluster
  EcsCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: 'test'
  # IAM role for ECS task
  EcsTaskRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: 'Allow'
            Principal:
              Service:
                - 'ecs-tasks.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Path: '/'
      Policies:
        - PolicyName: 'test_task_policy'
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: 'Allow'
                Action:
                  - 'ecr:*'
                Resource: '*'
              - Effect: 'Allow'
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: 'arn:aws:logs:*:*:*'
              - Effect: 'Allow'
                Action:
                  - 'lambda:InvokeFunction'
                  - 'lambda:GetFunction'
                Resource: '*'
              - Effect: 'Allow'
                Action:
                  - 'ec2:CreateNetworkInterface'
                  - 'ec2:DescribeNetworkInterfaces'
                  - 'ec2:DeleteNetworkInterface'
                Resource: '*'

  # ECS task definition
  EcsTaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      Family: 'test'
      Memory: 512
      Cpu: 256
      ContainerDefinitions:
        - Name: 'test_container'
          Image: !Join [ "", [ !Ref "AWS::AccountId", ".dkr.ecr.", !Ref "AWS::Region", ".amazonaws.com/", !Ref EcrRepository, "" ] ]
          PortMappings:
            - ContainerPort: 80
          Environment:
            - Name: 'ENV_VAR_1'
              Value: 'value1'
          Essential: true
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Join [ '', [ '/ecs/', !Ref AWS::StackName ] ]
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: ecs
              awslogs-create-group: true
      TaskRoleArn: !GetAtt EcsTaskRole.Arn
      ExecutionRoleArn: !GetAtt TestExecutionRole.Arn
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE

  # ECS service
  EcsService:
    Type: 'AWS::ECS::Service'
    Properties:
      ServiceName: 'test_svc'
      Cluster: !Ref EcsCluster
      DesiredCount: 1
      TaskDefinition: !Ref EcsTaskDefinition
      LaunchType: 'FARGATE'
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups:
            - !Ref TestSG
          Subnets:
            - !Ref TestSubnet

  TestExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: TestExecutionRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'sts:AssumeRole'
            Principal:
              Service:
                - 'ecs-tasks.amazonaws.com'
      Policies:
        - PolicyName: EcsTaskExecutionPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:*'
                  - 'ecs:*'
                  - 'logs:*'
                  - 'ecr:*'
                Resource: '*'

  # Network
  TestVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
  TestSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref TestVPC
      CidrBlock: 10.0.0.0/24
      MapPublicIpOnLaunch: true

  TestSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for my ECS task
      VpcId: !Ref TestVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

  RouteTable:
    Type: "AWS::EC2::RouteTable"
    Properties:
      VpcId: !Ref TestVPC

  InternetGateway:
    Type: "AWS::EC2::InternetGateway"

  VPCGatewayAttachment:
    Type: "AWS::EC2::VPCGatewayAttachment"
    Properties:
      VpcId: !Ref TestVPC
      InternetGatewayId: !Ref InternetGateway

  InternetRoute:
    Type: "AWS::EC2::Route"
    Properties:
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable

  SubnetARouteTableAssociation:
    Type: "AWS::EC2::SubnetRouteTableAssociation"
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref TestSubnet

2 Answers


Last time I had an error like this it was because ECS didn't have a route to ECR. This can be an internet route or an ECR VPC endpoint. If the container is in a private subnet you can either use a NAT Gateway (expensive) or VPC endpoint (less expensive).

The way things seem to work, from memory, is ECS starts your task along with the URL for the image, and the container has to fetch the image to bootstrap itself. The container is on your VPC / subnet, that's why it needs a route to ECR.


Your problem lies here:

  TestSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for my ECS task
      VpcId: !Ref TestVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

The security group of your ECS task should allow outbound traffic to ECR. The simplest way is allowing all traffic to 0.0.0.0/0 (traffic goes through the internet). You can also use a VPC endpoint to ECR, but you still need to add the outbound rule in your security group (Doc: https://docs.aws.amazon.com/AmazonECR/latest/userguide/vpc-endpoints.html).
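The two answers cover the network path (route or VPC endpoint) and the security group; the error text itself points at a third thing to check, whether the `:latest` tag exists in the repository at all. The following is an added Python check, not code from the question or either answer; it assumes input dicts shaped like the boto3 responses of `ecr.describe_images`, `ec2.describe_route_tables`, `ec2.describe_vpc_endpoints` and `ec2.describe_security_groups`, and the sample data is constructed so it runs offline.

```python
# Added example (not from the question or either answer): offline checks for the usual
# causes of "CannotPullContainerError ... not found"; inputs are boto3-shaped dicts, samples are constructed.

def image_tag_exists(describe_images, repo, tag):
    """The tag must actually have been pushed; ECS defaults to ':latest' when none is given."""
    return any(img["repositoryName"] == repo and tag in img.get("imageTags", [])
               for img in describe_images.get("imageDetails", []))

def subnet_can_reach_ecr(route_table, vpc_endpoints):
    """Either a default route to an internet/NAT gateway, or the ecr.api + ecr.dkr
    interface endpoints plus the S3 gateway endpoint (image layers are served from S3)."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and (
                r.get("GatewayId", "").startswith("igw-") or r.get("NatGatewayId")):
            return True
    # ServiceName is com.amazonaws.<region>.<service>; keep only the <service> part.
    services = {".".join(e["ServiceName"].split(".")[3:]) for e in vpc_endpoints}
    return {"ecr.api", "ecr.dkr", "s3"} <= services

def sg_allows_https_egress(sg):
    """Registry and S3 traffic is HTTPS, so egress must permit TCP/443 (or all traffic)."""
    for p in sg.get("IpPermissionsEgress", []):
        all_traffic = p.get("IpProtocol") == "-1"
        tcp_443 = (p.get("IpProtocol") == "tcp"
                   and p.get("FromPort", 0) <= 443 <= p.get("ToPort", 65535))
        if (all_traffic or tcp_443) and p.get("IpRanges"):
            return True
    return False

def diagnose(describe_images, repo, tag, route_table, vpc_endpoints, sg):
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    if not image_tag_exists(describe_images, repo, tag):
        findings.append(f"image tag '{tag}' not found in repository '{repo}'")
    if not subnet_can_reach_ecr(route_table, vpc_endpoints):
        findings.append("task subnet has no default route and no ECR/S3 VPC endpoints")
    if not sg_allows_https_egress(sg):
        findings.append("task security group does not allow outbound TCP/443")
    return findings

# Constructed sample: IGW route and default allow-all egress are present, but the
# repository is empty, which reproduces the question's ':latest ... not found' message.
SAMPLE_IMAGES = {"imageDetails": []}
SAMPLE_ROUTE_TABLE = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                                 {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}
SAMPLE_ENDPOINTS = []
SAMPLE_SG = {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

FINDINGS = diagnose(SAMPLE_IMAGES, "test-container", "latest", SAMPLE_ROUTE_TABLE, SAMPLE_ENDPOINTS, SAMPLE_SG)
```

Feed the functions real `describe_*` output from the account and the findings list tells you which of the three causes applies before touching the template.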
