How do I allow Amazon ECS tasks to pull images from an Amazon ECR image repository?

Last updated: 2019-07-24

How do I allow Amazon Elastic Container Service (Amazon ECS) tasks to pull images from an Amazon Elastic Container Registry (Amazon ECR) image repository?

Short Description

Which role needs permission to access the Amazon ECR image repository depends on your launch type:

  • For Amazon Elastic Compute Cloud (Amazon EC2) launch types, you must provide permissions to the instance profile associated with the container instance.
  • For AWS Fargate launch types, you must grant your Amazon ECS task execution role permission to access the Amazon ECR image repository.

Resolution

For EC2 launch types

  1. Open the AWS Identity and Access Management (IAM) console.
  2. In the navigation pane, choose Roles, and then choose Create role.
  3. Choose the AWS service role type, and then choose Elastic Container Service.
  4. In the Select your use case section, select EC2 Role for Elastic Container Service, and then choose Next: Permissions.
  5. Choose the default AmazonEC2ContainerServiceforEC2Role managed policy, and then choose Next: Tags.
    Note: The AmazonEC2ContainerServiceforEC2Role policy also allows the container instance to register with your ECS cluster and to send log streams to Amazon CloudWatch.
  6. Add tags to your policy, if desired, and then choose Next: Review.
  7. For Role name, enter a unique name (such as ECSRoleforEC2), and then choose Create role.
  8. Launch a new container instance using the latest Amazon ECS-optimized Amazon Linux AMI.
  9. Attach the role that you created to the new container instance.
  10. Create a task definition.
    Important: In the containerDefinitions section of your task definition, specify the ECR image aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag as the image property.
  11. Run a task or a service using the task definition that you created in step 10.

For Fargate launch types

An Amazon ECS task execution role is automatically created in the Amazon ECS console first-run experience. If you can't find the role or the role is deleted, complete the following steps:

  1. Open the IAM console.
  2. In the navigation pane, choose Roles, and then choose Create role.
  3. In the Select type of trusted entity section, choose Elastic Container Service.
  4. For Select your use case, choose Elastic Container Service Task, and then choose Next: Permissions.
  5. In the Attach permissions policy section, search for AmazonECSTaskExecutionRolePolicy, select the policy, and then choose Next: Review.
    Note: This policy also provides permissions to use the awslogs log driver.
  6. For the Role Name, enter ecsTaskExecutionRole, and then choose Create role.
  7. Create a task definition.
    Important: In the containerDefinitions section of your task definition, specify the ECR image aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag as the image property.
  8. Run a task or a service using the task definition that you created in step 7.

Your task or service can now pull images from the Amazon ECR image repository.
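The two procedures above come down to one check before you register a task definition: the image must be an ECR reference in the documented form, and a Fargate task must carry an executionRoleArn, because on Fargate it is the execution role, not an instance profile, that performs the pull. The following script is an added example and not part of this article; the sample task definition, the role ARN and the 123456789012 account ID are constructed, and the trust principals and managed policy ARNs are the standard ones for the two roles.

```python
import json
import re

# Image reference form the article requires in containerDefinitions:
# aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag (a digest is also accepted)
ECR_IMAGE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[a-z0-9][a-z0-9._/-]*)(?::(?P<tag>\w[\w.-]{0,127})|@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

# Service principal each role trusts and the managed policy it carries (standard AWS values)
TRUST_PRINCIPAL = {"EC2": "ec2.amazonaws.com", "FARGATE": "ecs-tasks.amazonaws.com"}
MANAGED_POLICY = {
    "EC2": "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
    "FARGATE": "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
}

def trust_policy(launch_type: str) -> dict:
    """Assume-role policy document for the role that performs the ECR pull."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": TRUST_PRINCIPAL[launch_type]},
            "Action": "sts:AssumeRole"}]}

def check_task_definition(td: dict) -> list:
    """Return the problems that would make the ECR pull fail or leave it unpinned."""
    problems = []
    compat = td.get("requiresCompatibilities") or ["EC2"]
    if "FARGATE" in compat and not td.get("executionRoleArn"):
        problems.append("FARGATE task has no executionRoleArn; the ECR pull will be denied")
    for c in td.get("containerDefinitions", []):
        name, image = c.get("name", "?"), c.get("image", "")
        m = ECR_IMAGE.match(image)
        if not m:
            problems.append(f"{name}: image {image!r} is not an ECR reference")
        elif not (m.group("tag") or m.group("digest")):
            problems.append(f"{name}: image has no tag or digest; pin one")
    return problems

# Constructed sample: a Fargate task definition that is missing its execution role
SAMPLE = {
    "family": "web",
    "requiresCompatibilities": ["FARGATE"],
    "containerDefinitions": [
        {"name": "app", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1.4.2"},
        {"name": "sidecar", "image": "nginx"},
    ],
}

if __name__ == "__main__":
    for p in check_task_definition(SAMPLE):
        print("PROBLEM:", p)
    print(json.dumps(trust_policy("FARGATE"), indent=2))
```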
