How do I resolve the "error pulling image configuration: error parsing HTTP 403 response body" error in Amazon ECS?

When I pull a Docker image from Amazon Elastic Container Registry (Amazon ECR) in Amazon Elastic Container Service (Amazon ECS), I get the following error: "error pulling image configuration: error parsing HTTP 403 response body."

Short description

Amazon ECR uses Amazon Simple Storage Service (Amazon S3) to store your image layers. When your containers download images from Amazon ECR, they must access Amazon ECR to get the image manifest. After the container accesses Amazon ECR, the container then accesses Amazon S3 to download the image layers.

The following is the Amazon Resource Name (ARN) of the Amazon S3 bucket that contains the layers for each Docker image:

arn:aws:s3:::prod-region-starport-layer-bucket/*

If you use an S3 gateway endpoint in a route table with a policy that restricts access to starport-layer-bucket, then you receive this error message:

"error pulling image configuration: error parsing HTTP 403 response body: invalid character '<' looking for beginning of value: "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>SAMPLE-REQUEST-ID</RequestId><HostId>SAMPLE-HOST-ID</HostId></Error>"

By default, a gateway endpoint for Amazon S3 is created with a policy that allows full access to all resources.

If you use a custom endpoint policy that allows access only to specific resources, then you must add the starport-layer-bucket ARN to that policy.

Resolution

To resolve this error, complete the following steps:

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. From the navigation menu, choose Endpoints.
  3. Select the S3 endpoint from the list.
  4. Choose the Policy tab, and then choose Edit policy.
  5. In the Resource section of the policy, add the following ARN:
    arn:aws:s3:::prod-region-starport-layer-bucket/*

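Note: The ARN must include your AWS Region. Replace region in the ARN with your Region code, as in prod-us-east-1-starport-layer-bucket in the following example.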

Example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Access-to-specific-buckets",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::prod-us-east-1-starport-layer-bucket/*"
      ]
    }
  ]
}
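To check a custom endpoint policy before you save it, the following added example (not part of the AWS article) evaluates whether a policy document would allow a layer download from the starport-layer-bucket for a given Region. It assumes the download is an s3:GetObject request and does not evaluate Principal; the function names, the example-app-bucket policy, and the read-only statement are constructed for illustration.

```python
import re

PULL_ACTION = "s3:GetObject"  # assumption: a layer download is an S3 GetObject call

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate, flags=0):
    """True if any pattern (IAM wildcards * and ?) matches the whole candidate."""
    for pattern in _as_list(patterns):
        rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, candidate, flags):
            return True
    return False

def layer_pull_verdict(policy, region, key="constructed-layer-object"):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for a layer download."""
    arn = f"arn:aws:s3:::prod-{region}-starport-layer-bucket/{key}"
    verdict = "implicit-deny"  # no matching Allow: S3 answers AccessDenied (403)
    for st in _as_list(policy.get("Statement", [])):
        if st.keys() & {"NotAction", "NotResource", "Condition"}:
            raise ValueError(f"statement {st.get('Sid')!r} needs manual review")
        # Simplification: Principal is not evaluated (treated as matching).
        hit = (_matches(st["Action"], PULL_ACTION, re.IGNORECASE)
               and _matches(st["Resource"], arn))
        if hit and st["Effect"] == "Deny":
            return "explicit-deny"
        if hit:
            verdict = "allow"
    return verdict

# Constructed custom policy: only a hypothetical application bucket is allowed.
RESTRICTIVE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "app-bucket-only", "Effect": "Allow", "Principal": "*",
    "Action": "s3:*", "Resource": ["arn:aws:s3:::example-app-bucket/*"]}]}

# Same policy plus a read-only statement for the us-east-1 layer bucket.
FIXED = {"Version": "2012-10-17", "Statement": RESTRICTIVE["Statement"] + [{
    "Sid": "ecr-layers", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::prod-us-east-1-starport-layer-bucket/*"]}]}

if __name__ == "__main__":
    for name, policy in (("restrictive", RESTRICTIVE), ("fixed", FIXED)):
        for region in ("us-east-1", "eu-west-1"):
            print(name, region, layer_pull_verdict(policy, region))
```

The fixed policy still returns implicit-deny for eu-west-1, which is the case the Region note above describes: each Region that pulls images through the endpoint needs its own layer bucket ARN.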

Related information

Create the Amazon S3 gateway endpoint

AWS OFFICIAL
Updated 7 months ago