Pull images from AWS ECR on AWS EC2 without using docker login but using EC2 Instance role and ECR repository permissions

Expected behavior

Docker should pull the image from AWS ECR on an AWS EC2 instance with the AWS EC2 role/policy and permission to all resources on the AWS ECR repository.

Actual behavior

Not able to pull the image.
The error is “unauthorized: authentication required”.

Additional Information

Steps to reproduce the behavior

  1. Assign the AmazonEC2ContainerRegistryReadOnly policy to a role and the role to the EC2 instance.
  2. Use the policy document below to add permissions to the AWS ECR repository.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "new policy",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:BatchGetImage"
      ]
    }
  ]
}

Let me know if this is possible.

I’m researching the same issue. Did you get an answer for that? Did you figure it out?

Hi,

In order to configure it I did the following:

  1. Configured IAM role as described here: https://aws.amazon.com/premiumsupport/knowledge-center/ecs-tasks-pull-images-ecr-repository/

  2. Attached IAM role to my EC2 instance.

  3. Installed amazon-ecr-credential-helper.

  4. Created ~/.docker/config.json (https://github.com/awslabs/amazon-ecr-credential-helper#Configuration)
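
Step 4 of the answer above, as an added example that is not part of the original post or of the amazon-ecr-credential-helper project: a provisioning helper that maps one private ECR registry to the `ecr-login` credential helper in Docker's `config.json` while keeping any settings already there. The function name `enable_ecr_helper` is hypothetical, and the account id and region are constructed sample values.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Private ECR registry hostname: <12-digit account id>.dkr.ecr.<region>.amazonaws.com
ECR_HOST = re.compile(r"^\d{12}\.dkr\.ecr(-fips)?\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")
HELPER = "ecr-login"  # Docker invokes the binary docker-credential-ecr-login


def enable_ecr_helper(registry, config_dir=None):
    """Map `registry` to the ecr-login helper in config.json; return the new config.

    Hypothetical helper name. Existing settings in config.json are preserved.
    """
    if not ECR_HOST.match(registry):
        raise ValueError(f"not a private ECR registry hostname: {registry!r}")
    cfg_dir = Path(config_dir or os.environ.get("DOCKER_CONFIG") or Path.home() / ".docker")
    cfg_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    path = cfg_dir / "config.json"
    config = json.loads(path.read_text()) if path.exists() else {}
    config.setdefault("credHelpers", {})[registry] = HELPER

    # Write to a temp file in the same directory, then rename, so a crash
    # never leaves Docker with a half-written config.json.
    fd, tmp = tempfile.mkstemp(dir=cfg_dir, prefix="config.", suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
        fh.write("\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return config


if __name__ == "__main__":
    # Constructed account id and region; the demo writes to a scratch directory
    # rather than the real ~/.docker.
    with tempfile.TemporaryDirectory() as scratch:
        result = enable_ecr_helper("123456789012.dkr.ecr.us-east-1.amazonaws.com", scratch)
        print(json.dumps(result, indent=2))
```

With this mapping in place, `docker pull` against that registry asks the helper for a token instead of requiring `docker login`, and the helper obtains the token with the credentials of the role attached to the instance.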