How do I enable my environment under Elastic Beanstalk to talk to S3 so that it can get the authentication info and then pull my Docker image from a private repository in a multicontainer environment?

I found the name of the IAM role in my environment's instance config ("aws-elasticbeanstalk-ec2-role"), went to IAM, opened the "AWSElasticBeanstalkWebTier" policy in order to extend it for S3 access to the ARN for my bucket, but these policies are "AWS Managed" and read-only. I tried merely attaching an existing S3 policy (e.g. AmazonS3ReadOnlyAccess, defined by AWS) to my instance-profile role, but the deployment failed and the logs still complain about not being able to access the private repository:

2018-01-10T02:56:10Z + local 'CONTAINER_STOPPED_REASONS=nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access'
2018-01-10T02:56:10Z + '[' -n 'Essential container in task exited' ']'
2018-01-10T02:56:10Z + error 'ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)'
2018-01-10T02:56:10Z + echo 'ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)'
2018-01-10T02:56:10Z ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)
2018-01-10T02:56:10Z + eventHelper.py --msg 'ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)' --severity ERROR
2018-01-10T02:56:10Z + set -e

No mention of trying to access the authentication file, but I don't know whether to expect it to log this.

Does the config look correct?

{
  "AWSEBDockerrunVersion": 2,
  "volumes": [],
  "containerDefinitions": [
    {
      "name": "nomad-service-identity",
      "image": "dsoprea/nomad:identity-1",
      "essential": true,
      "memory": 128,
      "portMappings": [
        {
          "hostPort": 80,
          "containerPort": 80
        }
      ],
      "entryPoint": ["/nomad/nomad_identity_service"],
      "links": [],
      "mountPoints": [],
      "authentication": {
        "bucket": "nomad-docker",
        "key": "dockerconfig.json"
      }
    }
  ]
}

1 Answer

You need to attach the correct permission for reading the registry to that EB role. If the repository were ECR, the permission to add would be:

arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly 
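
For the S3-hosted credentials file in the question, the equivalent permission is read access to that one object. The following is an added example, not code from the question or the answer: it reads a Dockerrun.aws.json, locates the `authentication` block, and derives a least-privilege policy for the instance-profile role. It assumes the documented v2 layout, where `authentication` is a top-level key; the function names are hypothetical and the sample input is constructed from the question's file.

```python
import json

# Constructed sample: the Dockerrun.aws.json from the question, trimmed to the relevant keys.
DOCKERRUN = """
{"AWSEBDockerrunVersion": 2,
 "containerDefinitions": [
   {"name": "nomad-service-identity", "image": "dsoprea/nomad:identity-1",
    "authentication": {"bucket": "nomad-docker", "key": "dockerconfig.json"}}]}
"""

def find_authentication(doc):
    """Return (auth_block, location); both are None when no block exists."""
    if isinstance(doc.get("authentication"), dict):
        return doc["authentication"], "top-level"
    for container in doc.get("containerDefinitions", []):
        if isinstance(container.get("authentication"), dict):
            return container["authentication"], "containerDefinitions[%s]" % container.get("name")
    return None, None

def s3_read_policy(auth):
    """Least-privilege policy: GetObject on the single credentials object only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::%s/%s" % (auth["bucket"], auth["key"]),
        }],
    }

def review(text):
    """Return (findings, policy); policy is None when it cannot be derived."""
    auth, where = find_authentication(json.loads(text))
    if auth is None:
        return ["no authentication block found"], None
    findings = []
    if where != "top-level":
        findings.append("authentication is under %s; the v2 format documents it "
                        "as a top-level key" % where)
    missing = [k for k in ("bucket", "key") if not auth.get(k)]
    if missing:
        return findings + ["authentication lacks: " + ", ".join(missing)], None
    return findings, s3_read_policy(auth)

if __name__ == "__main__":
    findings, policy = review(DOCKERRUN)
    for finding in findings:
        print("FINDING:", finding)
    print(json.dumps(policy, indent=2))
```

The printed document can be attached to the instance-profile role as an inline or customer-managed policy, which avoids editing the read-only AWS managed policies and grants less than AmazonS3ReadOnlyAccess.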
