Pulling Private Docker Images using Docker ECS Context

Hello Everybody,

I am using Docker Desktop 4.5.1 (74721) on a Windows 10 machine.

I have created & configured a Docker context with AWS ECS using secret keys.

But when I hit docker compose up in that context, I get this error:

WebService TaskFailedToStart: ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to get registry auth from asm: service call has been retried 1 time(s): unable to unmarshal secret value of authorization data from asm:

Below is my docker-compose.yml file:

version: '3'

services:
  web:
    image: DockerUserID/repo:latest
    x-aws-pull_credentials: arn:aws:secretsmanager:AWS-Region:AWS-Account-ID:secret:pullcred-8BALBD
    ports:
      - "8085:8085"
    logging:
      driver: awslogs
      options:
        awslogs-group: tutorial
        awslogs-region: us-east-1
        awslogs-stream-prefix: web
    restart: always

I am trying to pull from a private Docker repository.

What am I missing here? Kindly guide.

Thank You

Have you read Amazon’s description about this error message?

Since I don’t use Amazon registry, I don’t understand everything, but it may be familiar to you.

Hello Sir,

Thank you for your reply.

Yes, I have already browsed through the document and added the required permissions. I even modified the docker-compose.yml file to include secrets, but it is still showing the same error.

Here’s my updated docker-compose.yml file:

version: '3'

services:
  web:
    image: DockerUserID/repo:latest
    secrets:
      - imageSecrets
    x-aws-pull_credentials: arn:aws:secretsmanager:AWS-Region:AWS-Account-ID:secret:pullcred-8BALBD
    ports:
      - "8085:8085"
    logging:
      driver: awslogs
      options:
        awslogs-group: tutorial
        awslogs-region: us-east-1
        awslogs-stream-prefix: web
    restart: always

secrets:
  imageSecrets:
    name: "arn:aws:secretsmanager:AWS-Region:AWS-Account-ID:secret:pullcred-8BALBD"
    external: true

I don't understand what I am doing wrong. Any help would be appreciated.

Thank you

It looks like the docs do not list the required IAM permissions to access secrets.

The link Akos shared points to a link that completes the missing required IAM permissions: Private registry authentication for tasks - Amazon Elastic Container Service
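Added example, not part of the thread or of Docker's or AWS's own code: the "unable to unmarshal secret value" part of the error concerns the format of the secret itself, which the AWS page linked above requires to be a JSON object with `username` and `password` fields, while the task execution role needs `secretsmanager:GetSecretValue` on the secret (plus `kms:Decrypt` when the secret uses a customer managed key). The function names and the sample secret values below are constructed for illustration; the ARN is the placeholder from the compose file above.

```python
import json

# Fields ECS reads from the Secrets Manager secret used for private registry auth.
REQUIRED_KEYS = ("username", "password")


def check_registry_secret(secret_string):
    """Return a list of problems found in a SecretString (empty list = usable)."""
    try:
        value = json.loads(secret_string)
    except (TypeError, ValueError):
        # A bare password or access token stored as plaintext lands here.
        return ["secret value is not JSON"]
    if not isinstance(value, dict):
        return ["secret value must be a JSON object"]
    problems = []
    for key in REQUIRED_KEYS:
        if not isinstance(value.get(key), str) or not value[key]:
            problems.append("missing or empty string field: " + key)
    return problems


def execution_role_policy(secret_arn, kms_key_arn=None):
    """Build a least-privilege policy for the task execution role."""
    actions = ["secretsmanager:GetSecretValue"]
    resources = [secret_arn]
    if kms_key_arn:  # only needed for a customer managed KMS key
        actions.append("kms:Decrypt")
        resources.append(kms_key_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resources}],
    }


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    samples = {
        "expected format": '{"username": "DockerUserID", "password": "example-token"}',
        "plaintext token": "example-token",
        "wrong key names": '{"user": "DockerUserID", "pass": "example-token"}',
    }
    for label, secret in samples.items():
        print(label, "->", check_registry_secret(secret) or "OK")
    arn = "arn:aws:secretsmanager:AWS-Region:AWS-Account-ID:secret:pullcred-8BALBD"
    print(json.dumps(execution_role_policy(arn), indent=2))
```

Scoping `Resource` to the single secret ARN, rather than `*`, keeps the execution role from reading other secrets in the account.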