23

CodeBuild project fails at the Provisioning phase due to the following error

BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE: Unable to pull customer's container image. CannotPullContainerError: Error response from daemon: pull access denied for <image-name>, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::<id>


Chaitanya Bapat

4 Answers

50

The issue was with the Image Pull credentials. CodeBuild was using default AWS CodeBuild credentials for pulling the image while the ECRAccessPolicy was attached to the Project Service Role.

I fixed it by updating the image pull credentials to use project service role.


Chaitanya Bapat
    Thanks for this @chaitanya-bapta. For anyone else having trouble finding where to edit these settings for an existing build project, you need to select *Environment* in the *Edit* menu of the build project, then select *Override image*, then select the *Custom image* radio button, and select your "Environment type". The ECR options will then appear below. – Kris Dover Oct 05 '21 at 01:44
  • omg.. so much time wasted debugging my codebuild service role permissions, only to eventually give up and google this, to find out it wasn't using the service role... thanks much. – Tommy Dec 09 '22 at 13:38
  • The UI is changed a little bit, but it works for me – rck6982 Dec 17 '22 at 19:12
7

To add additional clarity (not enough reputation yet to comment on an existing answer), the CodeBuild project service role needs to have the following permissions if trying to pull from a private repository:

{
   "Action":[
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer"
   ],
   "Effect":"Allow",
   "Resource":[
      "arn:aws:ecr:us-east-1:ACCOUNT_ID:repository/REPOSITORY_NAME*"
   ]
}

Also, the ECR repository policy should look something like this (scope down root if desired):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
6

fwiw I stumbled across this issue when using terraform to create my codebuild pipeline.

The setting to change for this was image_pull_credentials_type which should be set to SERVICE_ROLE rather than CODEBUILD in the environment block of the resource "aws_codebuild_project".

Thank you to Chaitanya for the response which pointed me in this direction with the accepted answer.

Evin O'Shea
    Please don't add "thank you" as an answer. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation), you will be able to [vote up questions and answers](https://stackoverflow.com/help/privileges/vote-up) that you found helpful. - [From Review](/review/late-answers/31234486) – Juan Fontes Mar 12 '22 at 10:45
    To clarify - I added my answer to expand upon Chaitanya's answer. Their answer was how to use the AWS console to fix this, however, this issue could occur in a system built with terraform, which is why I added my answer. – Evin O'Shea Apr 21 '22 at 18:10
  • To provide further detail, this change is only needed when using an image hosted in a private repository to which you need to authenticate (like ECR), and NOT when using an AWS managed image like the default AL2 Linux image. – Graham Schuckman Mar 09 '23 at 17:15
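The Terraform fix from Evin's answer, combined with the service-role permissions from the answer above, written out as an added example that is not from the original answers. ACCOUNT_ID, REPOSITORY_NAME, the region, the role and project names and the GitHub location are placeholders, not values from the page.

```hcl
# Added example, not from the page: role, pull policy and project are placeholders.
resource "aws_iam_role" "codebuild" {
  name = "codebuild-service-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "codebuild.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Pull permissions from the second answer, attached to the project service role.
resource "aws_iam_role_policy" "ecr_pull" {
  name = "ecr-pull"
  role = aws_iam_role.codebuild.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
      Resource = "arn:aws:ecr:us-east-1:ACCOUNT_ID:repository/REPOSITORY_NAME*"
    }]
  })
}

resource "aws_codebuild_project" "example" {
  name         = "example-build"
  service_role = aws_iam_role.codebuild.arn

  artifacts { type = "NO_ARTIFACTS" }
  source {
    type     = "GITHUB"
    location = "https://github.com/EXAMPLE_ORG/EXAMPLE_REPO.git"
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    type         = "LINUX_CONTAINER"
    image        = "ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/REPOSITORY_NAME:latest"
    # The default "CODEBUILD" pulls with CodeBuild's own credentials, which the
    # policy above never grants; "SERVICE_ROLE" pulls with the role's permissions.
    image_pull_credentials_type = "SERVICE_ROLE"
  }
}
```

As Graham's comment notes, this setting only matters for images in a private registry such as ECR; AWS managed images are pulled with CodeBuild's own credentials regardless.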
0

Using a custom image, I had to select "Other ECR Account" and paste the URI of the image in my ECR. Also had to enable "Privileged" flag.

Even though I am accessing it from the same account.

Chris Fremgen