
My EC2 instance can't authenticate using an IAM role. The instance shows the correct role in the AWS console: IAM role: Docker-WorkerRole-DPET4SO6HV87. Clicking that opens up the Role console, where I can see the correct policy listed: 'ecr-pull-image'. A click on that shows the following permissions:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The Trusted Entities tab shows:

The identity provider(s) autoscaling.amazonaws.com
The identity provider(s) ec2.amazonaws.com

It works in the simulator.

But when I hop on that instance and try to pull an image I get "no basic auth credentials":

$ docker pull 4----------7.dkr.ecr.us-west-2.amazonaws.com/gc01_data:1.0.0
Error response from daemon: Get https://4----------7.dkr.ecr.us-west-2.amazonaws.com/v2/gc01_data/manifests/1.0.0: no basic auth credentials

Or, after attempting docker stack deploy, my docker.log shows the same:

Aug 29 21:05:15 moby root: time="2017-08-29T21:05:15.434428743Z" level=debug msg="Trying to pull 4----------7.dkr.ecr.us-west-2.amazonaws.com/gc01_data from https://4----------7.dkr.ecr.us-west-2.amazonaws.com v2"  
Aug 29 21:05:15 moby root: time="2017-08-29T21:05:15.449145816Z" level=info msg="Attempting next endpoint for pull after error: Get https://4----------7.dkr.ecr.us-west-2.amazonaws.com/v2/gc01_data/manifests/1.0.0: no basic auth credentials"  

Can't see what's missing. Thanks.

HieroB
  • Possible duplicate of [Can't push image to Amazon ECR - fails with "no basic auth credentials"](https://stackoverflow.com/questions/34689445/cant-push-image-to-amazon-ecr-fails-with-no-basic-auth-credentials) – helloV Aug 29 '17 at 22:16
    I saw that one, but the authentication in that case is via "aws ecr get-login", requiring AWS key and secret. That's what I'm trying to avoid. I need authentication based on IAM role for EC2 instance, following AWS recommendation--AWS credentials should not be stored in a file on the instances. – HieroB Aug 30 '17 at 03:22

1 Answer


Ok, I should have said this was a Docker-4-AWS Swarm instance, so this is a known issue: https://github.com/docker/for-aws/issues/5.

As a stopgap I'm using @blaketastic's way of using the swarm's guide-aws:

docker exec -it guide-aws sh -c 'aws ecr get-login --region us-east-1 --no-include-email'

This is a way to access ecr without using/storing AWS credentials on the instance.

HieroB
  • Getting `Error: No such container: guide-aws`, and when I try to pull the image with `docker pull guide-aws` I'm getting `Error response from daemon: repository guide-aws not found: does not exist or no pull access`. Any idea? – Shlomi Dec 06 '17 at 15:34
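The mechanism behind the workaround in the answer is that the Docker daemon never consults the EC2 instance role on its own: something on the instance has to exchange the role's temporary credentials for an ECR authorization token and feed it to `docker login`. The script below is an added example (not code from the original post or from the docker/for-aws project) that does this with the AWS CLI directly on the host, so nothing has to be run inside a `guide-aws` container and no access key or secret is written to disk: with no keys configured, the CLI picks up the role's credentials from the instance metadata service. Two caveats a practitioner should check before relying on it: `aws ecr get-authorization-token` requires the `ecr:GetAuthorizationToken` permission, which the policy shown in the question does not list (the three `ecr:*` actions there only cover the pull itself), and the token is short-lived, so the login has to be repeated, for example from cron or before each deploy. The `SAMPLE_TOKEN` value and the password inside it are constructed for offline testing and are not a real ECR token; the function and variable names are this example's own.

```shell
#!/bin/sh
# Log Docker in to ECR using only the EC2 instance role (no stored keys).
# Added example; not the original poster's or Docker's own code.

# Diagnostic: which role (if any) the instance metadata service exposes.
# An empty answer here means the instance has no role creds at all.
imds_role_name() {
  curl -sf --max-time 2 \
    http://169.254.169.254/latest/meta-data/iam/security-credentials/
}

# An ECR authorization token is base64("user:password"). Split it without
# assuming the user part; the registry currently always uses "AWS".
ecr_token_user() {
  printf '%s' "$1" | base64 -d | cut -d: -f1
}

ecr_token_password() {
  printf '%s' "$1" | base64 -d | cut -d: -f2-
}

# Ask ECR for a fresh token. Needs ecr:GetAuthorizationToken on the role.
# Credentials come from IMDS via the CLI's default provider chain, so no
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are configured anywhere.
ecr_fetch_token() {
  aws ecr get-authorization-token --region "$1" \
    --output text --query 'authorizationData[0].authorizationToken'
}

# Log the local Docker daemon in to the registry. The password is passed on
# stdin so it never appears in argv, `ps`, or the shell history.
ecr_docker_login() {
  region="$1"
  registry="$2"   # e.g. 123456789012.dkr.ecr.us-west-2.amazonaws.com (placeholder)

  token="$(ecr_fetch_token "$region")" || {
    echo "could not get an ECR token; check the role has ecr:GetAuthorizationToken" >&2
    return 1
  }
  user="$(ecr_token_user "$token")"
  [ "$user" = "AWS" ] || { echo "unexpected token user: $user" >&2; return 1; }

  ecr_token_password "$token" \
    | docker login --username "$user" --password-stdin "$registry"
}

# Constructed sample token: base64 of "AWS:example-password". Not a real token.
SAMPLE_TOKEN="QVdTOmV4YW1wbGUtcGFzc3dvcmQ="

# Usage on the instance (assumed region/registry):
#   ecr_docker_login us-west-2 123456789012.dkr.ecr.us-west-2.amazonaws.com
#   docker pull 123456789012.dkr.ecr.us-west-2.amazonaws.com/gc01_data:1.0.0
```

If `imds_role_name` prints nothing, the daemon's "no basic auth credentials" error is not the first problem; the instance is not actually carrying the role's credentials. If it prints the role but `ecr_fetch_token` fails with an AccessDenied, the missing piece is `ecr:GetAuthorizationToken` on the role's policy.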