Access ECS repository from external account - amazon-web-services

I'm using an ECS repository for two accounts, one for non_prod and another for prod. The repo is part of the non_prod account.
The problem I found is that even after giving the prod account access to the non_prod account's repository, the prod account cannot pull the Docker image. It complains that the Docker image does not exist.
I can still access the repository, but not pull the image, since the prod account thinks that it does not exist.
Obviously the image exists, since it's used in the non_prod environment.
I also compared the ~/.docker/config.json credentials, and they are the same ones I use to connect to the ECS repo from the non_prod account.
I even tried the temporarily dangerous option of giving all access in the repo, and still nothing. Any idea what's wrong here?
Regards.

We are using the same setup in our environments and it works pretty fine for us. Make sure you are doing the following things:
1) While accessing the containers you are passing the --registryid parameter in the login command, essentially,
aws ecr get-login --region us-east-1 --registry-ids <value here> | /bin/sh
2) You have given access in the ECR repository to the prod account; essentially, in the permission section of the ECR repo there is an entry in Principal for arn:aws:iam:::root and the correct permissions are there for push and pull operations.
Please let me know if you are doing both of these things and still not able to access the containers.

Related

Codepipeline with remote ECR source

Is it possible to use a remote ECR Repository as a source in CodePipeline?
I get the following error:
The repository with name '12345.dkr.ecr.eu-central-1.amazonaws.com/ecrrepo' does not exist in the registry with id '67890'
(Account IDs have been intentionally changed)
However the remote repository definitely exists.
Whole picture: I have 2 accounts, dev and test. Now that I have a pipeline built and running in dev account, I would like to do the same deployment in test account, but using the same ECR repository.
Just additional info: I am able to deploy to the ECS cluster of test account manually using the dev account's repository.
CodeBuild definitely supports cross account ECR image access, doesn't CodePipeline?
Any hints for solution or workaround? (I can think of Lambda)
At the moment in CodePipeline source stage when ECR is selected you only have option to provide ECR from the current AWS account.
Workaround would be to have a CodeBuild stage in the pipeline which can retrieve cross account ECR source:
https://aws.amazon.com/blogs/devops/how-to-use-cross-account-ecr-images-in-aws-codebuild-for-your-build-environment/
Your pipeline can still be started by CloudWatch Events when the ECR source changes in the other account:
CW Event Bus: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html

"no basic auth credentials" when trying to pull an image from a private ECR

I have the following line somewhere in the middle of my Dockerfile to retrieve an image from my private ECR.
FROM **********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************:ff03401
This is the error that I get in AWS Codebuild when trying to build this:
Step 21/36 : FROM **********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************:ff03401
Get https://**********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************/manifests/ff03401: no basic auth credentials
How can one provide these credentials in the most secure way, and in a way that can also be terraformed?
There are multiple ways to do it.
Using an AWS access key and secret key, in which you set the AWS credentials on the EC2 machine and run the ECR login command, aws ecr get-login --no-include-email --registry-ids <some-id> --region eu-west-1, after which docker pull should work. But this is not a recommended secure way.
What I prefer is using AWS IAM roles.
Assuming you want to pull this image on your EC2 machine that was brought up using Terraform, make use of IAM roles.
Create an IAM role manually or using the Terraform IAM resource.
For the contents of the IAM policy, refer to this.
While bringing up EC2 using the Terraform instance resource, make use of the iam_instance_profile attribute; the value of this attribute should be the name of the IAM role you created.
This should be enough to automatically pull docker images from ECR in a secure way.
Hope this helps.
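An added example, not taken from any of the posts above, of the two policy documents the first answer (repository policy naming the other account's root principal) and the IAM-role answer (identity policy for the pulling side) describe. The account ids and repository ARN used in the tests are constructed placeholders, the ECR action names are the pull actions from the ECR user guide, and grants_pull is a hypothetical checker that only looks at Allow statements.

```python
# Pull-side ECR actions (ECR user guide). ecr:GetAuthorizationToken can only
# be granted by an identity (IAM) policy on Resource "*", not by a repo policy.
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
]


def repository_policy(trusted_account_ids):
    """Resource policy set on the repo in the image-owning (non_prod)
    account: the trusted accounts' root principals may pull, not push."""
    principals = ["arn:aws:iam::%s:root" % a for a in trusted_account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": list(PULL_ACTIONS),
        }],
    }


def instance_role_policy(repo_arn):
    """Identity policy for the consuming (prod) side, e.g. attached to the
    EC2 instance profile: token issuance registry-wide, pulls on one repo."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken",
             "Resource": "*"},
            {"Effect": "Allow", "Action": list(PULL_ACTIONS),
             "Resource": repo_arn},
        ],
    }


def grants_pull(policy, principal_arn):
    """Hypothetical check: some Allow statement names principal_arn and covers every pull action (Deny is not modelled)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        aws = st.get("Principal", {}).get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        if principal_arn in aws and set(PULL_ACTIONS) <= set(acts):
            return True
    return False
```

The repository policy alone is not enough: the pulling identity in the prod account also needs ecr:GetAuthorizationToken from its own IAM policy, which is why the instance-profile policy carries that statement with Resource "*".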

Is it possible to pull images from ECR without using docker login

I have an ECR and EC2 instance running docker. What I want to do is to pull images without doing docker login first.
Is it possible at all? If yes what kind of policy should I attach to EC2 instance and/or ECR repo? I did a lot of experiments, but did not succeed.
And please - no suggestions on how to use aws get-login. My aim is to get rid of it by using IAM policy/roles.
To use an EC2 Role without having to use docker login, https://github.com/awslabs/amazon-ecr-credential-helper can be used.
Place the docker-credential-ecr-login binary on your PATH and set the contents of your ~/.docker/config.json file to be:
{
"credsStore": "ecr-login"
}
Now commands such as docker pull or docker push will work transparently.
My aim is to get rid of it by using IAM policy/roles.
I don't see how this is possible since some form of authentication is required.

How to access AWS ECR from Azure DC/OS Container Service

I am trying to use our ECR to launch instances on the Azure DC/OS Container Service. I used SSH to log in to the master on Azure and installed awscli there. I can execute aws ecr get-login --no-include-email on the master and get the docker login ... command that I am supposed to execute. When I do it, nothing happens. I did echo $? afterwards and I get status code 1. That means something went wrong. The AWS user access key and secret access key that I am using have the policy permission ecr:GetAuthorizationToken assigned.
Anyone have experience with this or can point me in the right direction? Last resort is to replicate AWS ECR to Azure ACR.

Dockerrun.aws.json structure for ECR Repo

We are switching from Docker Hub to ECR and I'm curious how to structure the Dockerrun.aws.json file to use this image. I attempted to modify the name as <my_ECR_URL>/<repo_name>:<image_tag> but this is not successful. I also saw the details of private registries using an authentication file on S3 but this doesn't seem like the correct route when aws ecr get-login is the recommended way to authenticate with ECR.
Can anyone point me to how I can use an ECR image in a Beanstalk Dockerrun.aws.json file?
If I look at the ECS Task Definition, there's a required attribute called com.amazonaws.ecs.capability.ecr-auth, but I'm not setting that anywhere in my Dockerrun.aws.json file and I'm not sure what needs to be there. Perhaps it is an S3 bucket? Something is needed, as every time I try to run the Elastic Beanstalk created tasks from ECS, I get:
Run tasks failed
Reasons : ATTRIBUTE
Any insights are greatly appreciated.
Update I see from some other threads that this used to occur with earlier versions of the ECS agent but I am currently running Agent version 1.6.0 and Docker version 1.7.1, which I believe are the recommended versions. Is this possibly an issue with the Docker version?
So it turns out, the ECS agent was only able to pull images with version 1.7, and that's where mine was falling. Updating the agent resolves my issue, and hopefully it helps someone else.
This is most likely an issue with IAM roles if you are using a role that was previously created for Elastic Beanstalk. Ensure that the role that Elastic Beanstalk is running with has the AmazonEC2ContainerRegistryReadOnly managed policy attached.
Source: http://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_IAM_policies.html
Support for ECR was added in version 1.7.0 of the ECS Agent.
When using Elastic Beanstalk and ECR you don't need to authenticate. Just make sure the user has the policy AmazonEC2ContainerRegistryReadOnly.
You can store your custom Docker images in AWS with Amazon EC2 Container Registry (Amazon ECR). When you store your Docker images in Amazon ECR, Elastic Beanstalk automatically authenticates to the Amazon ECR registry with your environment's instance profile, so you don't need to generate an authentication file and upload it to Amazon Simple Storage Service (Amazon S3).
You do, however, need to provide your instances with permission to access the images in your Amazon ECR repository by adding permissions to your environment's instance profile. You can attach the AmazonEC2ContainerRegistryReadOnly managed policy to the instance profile to provide read-only access to all Amazon ECR repositories in your account, or grant access to a single repository by using the following template to create a custom policy:
Source: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.container.console.html