ECS service cannot pull from ECR
ECS Fargate (version 1.4.0) service creation is failing with the error below:
Resource initilization error unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth
Request error caused by post https://api.ecr.us-XX.amazon.aws.com timeout
Things I checked
I had this very same issue, (thought) I had the very same checks covered, and this error was driving me crazy.
I actually solved it by realizing my security group for ECS tasks was limited to my VPC's CIDR block. Even though the tasks will be in a private subnet, they need fully open egress and ingress access so they can access ECR, since it goes through the outside internet.
So instead of something like:
    ingress {
      protocol    = "tcp"
      from_port   = var.container_port
      to_port     = var.container_port
      cidr_blocks = [var.vpc_cidr_block] # or cap later from ALB and ILB
    }
You should have your SG for tasks opened like:
    ingress {
      protocol    = "tcp"
      from_port   = var.container_port
      to_port     = var.container_port
      cidr_blocks = ["0.0.0.0/0"]
    }
And that's for both egress and ingress. Matter of fact, after I added this I removed the VPC Endpoints and it still worked; they're not even needed. The role for grabbing images is still necessary, though; I just used the AWS managed AmazonECSTaskExecutionRolePolicy.
Found the problem! https://aws.amazon.com/blogs/compute/setting-up-aws-privatelink-for-amazon-ecs-and-amazon-ecr/ This blog explains how to configure it, and I forgot to configure one other thing: Private DNS. I had to enable it on the ECR (DKR and API) and CloudWatch endpoints so it could reach the service via FQDN.
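The following Terraform is an added example (editor's, not code from either answer above) that puts the two answers together for a Fargate 1.4.0 task in a private subnet with no NAT: the PrivateLink endpoints from the second answer with private_dns_enabled set, the S3 gateway endpoint that platform 1.4.0 also needs for image layers, the execution role from the first answer, and a task security group that is scoped to the load balancer and to HTTPS egress rather than opened to 0.0.0.0/0 in both directions. All variable names (var.region, var.vpc_id, var.private_subnet_ids, var.private_route_table_ids, var.alb_sg_id, var.container_port) are assumptions.

```hcl
# Added example, not from the original answers. Variable names are assumptions.

# Execution role: ECS pulls the image and writes logs with this role, so it is
# needed regardless of whether the network path is NAT or PrivateLink.
resource "aws_iam_role" "task_execution" {
  name = "ecs-task-execution"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "task_execution" {
  role       = aws_iam_role.task_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Security group attached to the Fargate tasks.
resource "aws_security_group" "ecs_tasks" {
  name   = "ecs-tasks"
  vpc_id = var.vpc_id

  # Ingress only from the load balancer's security group (assumed var.alb_sg_id).
  ingress {
    protocol        = "tcp"
    from_port       = var.container_port
    to_port         = var.container_port
    security_groups = [var.alb_sg_id]
  }

  # Egress: HTTPS is all the ECS agent needs to reach ECR, S3 and CloudWatch Logs.
  egress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Security group on the interface endpoints: accept 443 from the tasks only.
resource "aws_security_group" "vpc_endpoints" {
  name   = "vpc-endpoints"
  vpc_id = var.vpc_id

  ingress {
    protocol        = "tcp"
    from_port       = 443
    to_port         = 443
    security_groups = [aws_security_group.ecs_tasks.id]
  }
}

# Interface endpoints for ECR (API + DKR) and CloudWatch Logs.
# private_dns_enabled = true is the setting the second answer was missing:
# without it, api.ecr.<region>.amazonaws.com keeps resolving to public IPs,
# and with no NAT the POST times out exactly as in the question.
locals {
  interface_services = ["ecr.api", "ecr.dkr", "logs"]
}

resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(local.interface_services)
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}

# Gateway endpoint for S3: Fargate platform 1.4.0 fetches image layers from S3,
# so the ECR endpoints alone are not enough.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}
```

A quick check after applying this: from any instance in the same VPC, resolving api.ecr.<region>.amazonaws.com should return addresses inside the VPC's CIDR (the endpoint ENIs); if it still returns public addresses, private DNS is not active on that endpoint and the task will hit the same timeout. Keeping the task ingress bound to the ALB security group and egress to 443 gives the agent the path it needs without exposing the task to the internet, which is the reason for not reproducing the 0.0.0.0/0 ingress rule from the first answer.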