尝试从专用ECR提取图像时“没有基本身份验证凭据”

Question

I have the following line somewhere in the middle of my Dockerfile to retrieve an image from my private ECR.

FROM **********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************:ff03401

This is the error that I get in AWS Codebuild when trying to build this:

Step 21/36 : FROM **********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************:ff03401 Get https://**********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************/manifests/ff03401: no basic auth credentials

How can one provide these credentials in the most secure way, and in a way that can also be terraform ed?

Answer 1

There are multiple ways to do it.

Using aws access and secret key. In which you set the aws credentials on the ec2 machine and run ecr login command. aws ecr get-login --no-include-email --registry-ids <some-id> --region eu-west-1 and then docker pull should work. But this is not a recommended secure way.

What I prefer is using aws iam roles .

Assuming you want to pull this image on your ec2 machine that was brought up using terraform. Make use of iam roles.

• Create an iam role manually or using terraform iam resource .
• For contents of iam policy refer this .
• While bringing ec2 using terraform instance resource make use of iam_instance_profile attribute, the value of this attribute should be the name of iam role you created.

This should be enough to automatically pull docker images from ECR in a secure way.

Hope this helps.