Dockerrun.aws.json structure for ECR Repo

We are switching from Docker Hub to ECR and I’m curious how to structure the Dockerrun.aws.json file to use this image. I attempted to modify the name as <my_ECR_URL>/<repo_name>:<image_tag> but this is not successful. I also saw the details of private registries using an authentication file on S3 but this doesn’t seem like the correct route when aws ecr get-login is the recommended way to authenticate with ECR.

Can anyone point me to how I can use an ECR image in a Beanstalk Dockerrun.aws.json file?

  • ECS: Environment variables set in task but not present in container
  • AWS: docker container cannot connect to external website on SSL
  • Docker on RHEL 7 in AWS can’t pull images
  • Get Elasticache address from within a docker Elastic Beanstalk container
  • Can't push an image to ECS Private Registry - no basic auth credentials
  • Docker-Compose Up Works but Eb Local Run does not
  • If I look at the ECS Task Definition,there’s a required attribute called com.amazonaws.ecs.capability.ecr-auth, but I’m not setting that anywhere in my Dockerrun.aws.json file and I’m not sure what needs to be there. Perhaps it is an S3 bucket? Something is needed as every time I try to run the Elastic Beanstalk created tasks from ECS, I get:

    Run tasks failed
    Reasons : ATTRIBUTE
    

    Any insights are greatly appreciated.

    Update I see from some other threads that this used to occur with earlier versions of the ECS agent but I am currently running Agent version 1.6.0 and Docker version 1.7.1, which I believe are the recommended versions. Is this possibly an issue with the Docker version?

  • Docker CE on Mac OSX hanging on startup
  • Bash multiple port mapping depending on script argument
  • Node version not upgrading
  • Docker within PCF - unable to connect to rabbitmq via AMQP (spring cloud bus)
  • Docker : Unable to run Docker commands
  • docker-compose for artifactory and mysql images
  • 4 Solutions collect form web for “Dockerrun.aws.json structure for ECR Repo”

    So it turns out, the ECS agent was only able to pull images with version 1.7, and that’s where mine was falling. Updating the agent resolves my issue, and hopefully it helps someone else.

    This is most likely an issue with IAM roles if you are using a role that was previously created for Elastic Beanstalk. Ensure that the role that Elastic Beanstalk is running with has the AmazonEC2ContainerRegistryReadOnly managed policy attached

    Source: http://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_IAM_policies.html

    Support for ECR was added in version 1.7.0 of the ECS Agent.

    When using Elasticbeanstalk and ECR you don’t need to authenticate. Just make sure the user has the policy AmazonEC2ContainerRegistryReadOnly

    You can store your custom Docker images in AWS with Amazon EC2 Container Registry (Amazon ECR). When you store your Docker images in
    Amazon ECR, Elastic Beanstalk automatically authenticates to the
    Amazon ECR registry with your environment’s instance profile, so you
    don’t need to generate an authentication file and upload it to Amazon
    Simple Storage Service (Amazon S3).

    You do, however, need to provide your instances with permission to
    access the images in your Amazon ECR repository by adding permissions
    to your environment’s instance profile. You can attach the
    AmazonEC2ContainerRegistryReadOnly managed policy to the instance
    profile to provide read-only access to all Amazon ECR repositories in
    your account, or grant access to single repository by using the
    following template to create a custom policy:

    Source: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.container.console.html

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.