Dockerrun.aws.json structure for ECR Repo
We are switching from Docker Hub to ECR and I’m curious how to structure the Dockerrun.aws.json file to use this image. I attempted to modify the name as
<my_ECR_URL>/<repo_name>:<image_tag> but this is not successful. I also saw the details of private registries using an authentication file on S3 but this doesn’t seem like the correct route when
aws ecr get-login is the recommended way to authenticate with ECR.
Can anyone point me to how I can use an ECR image in a Beanstalk Dockerrun.aws.json file?
If I look at the ECS Task Definition,there’s a required attribute called
com.amazonaws.ecs.capability.ecr-auth, but I’m not setting that anywhere in my
Dockerrun.aws.json file and I’m not sure what needs to be there. Perhaps it is an S3 bucket? Something is needed as every time I try to run the Elastic Beanstalk created tasks from ECS, I get:
Run tasks failed Reasons : ATTRIBUTE
Any insights are greatly appreciated.
Update I see from some other threads that this used to occur with earlier versions of the ECS agent but I am currently running
Agent version 1.6.0 and
Docker version 1.7.1, which I believe are the recommended versions. Is this possibly an issue with the Docker version?
4 Solutions collect form web for “Dockerrun.aws.json structure for ECR Repo”
So it turns out, the ECS agent was only able to pull images with version 1.7, and that’s where mine was falling. Updating the agent resolves my issue, and hopefully it helps someone else.
This is most likely an issue with IAM roles if you are using a role that was previously created for Elastic Beanstalk. Ensure that the role that Elastic Beanstalk is running with has the AmazonEC2ContainerRegistryReadOnly managed policy attached
Support for ECR was added in version 1.7.0 of the ECS Agent.
When using Elasticbeanstalk and ECR you don’t need to authenticate. Just make sure the user has the policy
You can store your custom Docker images in AWS with Amazon EC2 Container Registry (Amazon ECR). When you store your Docker images in
Amazon ECR, Elastic Beanstalk automatically authenticates to the
Amazon ECR registry with your environment’s instance profile, so you
don’t need to generate an authentication file and upload it to Amazon
Simple Storage Service (Amazon S3).
You do, however, need to provide your instances with permission to
access the images in your Amazon ECR repository by adding permissions
to your environment’s instance profile. You can attach the
AmazonEC2ContainerRegistryReadOnly managed policy to the instance
profile to provide read-only access to all Amazon ECR repositories in
your account, or grant access to single repository by using the
following template to create a custom policy: