Docker Community Forums

Share and learn in the Docker community.

Authenticating docker pulls in AWS ECS code builds

Expected behavior

AWS CodeBuild for ECS tasks are able to authenticate and pull images for docker Pro accounts.

Actual behavior

Code Build fails with: pull access denied for <account_id>.dkr.ecr.us-east-1.amazonaws.com, repository does not exist or may require 'docker login’

Additional Information

I am new to docker and ECS/Fargate, and I’m working through the AWS Mythical Mysfits tutorial. After several successful builds I hit the docker rate limit, always when pulling Ubuntu:latest.

I followed the guidance on this link: https://aws.amazon.com/blogs/containers/advice-for-customers-dealing-with-docker-hub-rate-limits-and-a-coming-soon-announcement/

And this link: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html

Based on these and a few other AWS docs, I did the following:

  • I paid for the docker Pro license.
  • I pulled and pushed ubuntu:latest image to an AWS ECR private repo.
  • I created a Secret with my docker credentials.
  • I attached the following roles to my ECS task execution role: AmazonECSTaskExecutionRolePolicy, AmazonEC2ContainerServiceforEC2Role, and an in-line policy for the docker secrets.

I still get the above error.

I think I’m missing something with my ECS container setup. Somehow I’m supposed to add Private repository authentication. But I can’t update the existing container, nor can I add a new container without ECS complaining.

Is there an easier way to do this? Using the ECR seems to be complicating things.

Thanks for any help!!