How do I allow Amazon ECS tasks to pull images from an Amazon ECR image repository?

3 minute read
0

I want to allow Amazon Elastic Container Service (Amazon ECS) tasks to pull images from an Amazon Elastic Container Registry (Amazon ECR) image repository.

Short description

To access the Amazon ECR image repository with your launch type, choose one of the following options:

  • Amazon Elastic Compute Cloud (Amazon EC2) launch types: Provide permissions to the ecsTaskExecutionRole or the instance profile that's associated with the container instance. It's a best practice to provide Amazon ECR permissions to the ecsTaskExecutionRole. If you provide permissions to both the instance and the role, then ecsTaskExecutionRole takes priority.
  • AWS Fargate launch types: Provide your Amazon ECS task execution role permissions to access the Amazon ECR image repository.

Resolution

EC2 launch types

To access the Amazon ECR image repository for EC2 launch types, complete the following steps:

  1. Open the AWS Identity and Access Management (IAM) console.
  2. In the navigation pane, choose Roles, and then choose Create role.
  3. Choose the AWS service role type.
  4. In the Use Case section, choose EC2. Then, choose Next.
  5. Select the default AmazonEC2ContainerServiceforEC2Role managed policy, and then choose Next.
    Note: The AmazonEC2ContainerServiceforEC2Role policy also allows you to register container instances to your ECS cluster and turn on log streams in Amazon CloudWatch.
  6. (Optional) Add tags to your policy, and then choose Next.
  7. For Role name, enter a unique name, such as ECSRoleforEC2, and then choose Create role.
  8. Use the latest Amazon ECS-optimized Amazon Linux Amazon Machine Image (AMI) to launch a new container instance.
  9. Attach the role to the new container instance.
  10. Create a task definition.
    Important: In the Container section of your task definition, for the Image URI, specify the ECR image aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag.
  11. Use your task definition to run a task or a service.
  12. (Optional) If you don't want to provide permissions to an instance profile, then give permissions to the ECS task execution role. Then, specify ecsTaskExecutionRole in your task definition and use this task definition to run a task or a service.

Fargate launch types

An Amazon ECS task execution role is automatically created in the Amazon ECS console first-run experience. If you can't find the role or the role is deleted, then complete the following steps:

  1. Open the IAM console.
  2. In the navigation pane, choose Roles, and then choose Create role.
  3. In the Select type of trusted entity section, choose Elastic Container Service.
  4. For Select your use case, choose Elastic Container Service Task, and then choose Next.
  5. In the Attach permissions policy section, search for AmazonECSTaskExecutionRolePolicy. Select the policy, and then choose Next.
    Note: This policy also provides permissions to use the awslogs log driver.
  6. For the Role Name, enter ecsTaskExecutionRole, and then choose Create role.
  7. Create a task definition.
    Important: In the Container section of your task definition, for the Image URI, specify the ECR image aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag. Also, specify the IAM role that you created.
  8. Use your task definition to run a task or a service.

Related information

Using Amazon ECR Images with Amazon ECS

AWS OFFICIAL
AWS OFFICIALUpdated 5 months ago