Describe the bug
Amplify console fails to pull custom build image from ECR
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I expected it to pull the image and use it to run the build
Additional context
I have looked for documentation regarding this but there's nothing here about any additional steps other than the ones I've done. Why is the _CUSTOM_IMAGE environment variable created? Am I supposed to use it for something? I can find nothing about this in the documentation.
My amplify.yaml looks like
```yaml
version: 0.1
backend:
  phases:
    build:
      commands:
        - ./config-amplify.sh
        - cd app
        - amplifyPush --simple
frontend:
  phases:
    # IMPORTANT - Please verify your build commands
    build:
      commands:
        - npm install
        - ./edit_module.sh
        - npm run build
  artifacts:
    # IMPORTANT - Please verify your build output directory
    baseDirectory: app/dist
    files:
      - '**/*'
  cache:
    paths: []
```
I tried adding a docker login command in a preBuild phase but it made no difference.
Currently Amplify Console only supports public ECR images. Is your image public?
Hi Joyce,
My image isn't public, so that must be the issue. I guess I could make it public, boss permitting.
Thanks very much for the response. I'll close the issue now.
Just checking: the default Amazon Linux 2 Amplify build image has python 3 and pip on it? I could probably pip install the dependencies in preBuild, as a workaround, if so.
p.s. it's probably not clear from my amplify.yaml but config-amplify.sh calls some python stuff.
Thanks
@Joycehao19 The documentation and what you're saying seem to be misleading. It makes us think we can have public ECR images but that doesn't seem to be the case.
Here's an excerpt from ECR FAQs page:
Q: Can Amazon ECR host public container images?
Amazon ECR currently supports private images. However, using IAM resource-based permissions, you can configure policies for each repository to allow access to IAM users, roles, or other AWS accounts.
What am I missing?
I got this working by adding this read only permission in the ECR repository.
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyPermissions",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImageScanFindings",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetRepositoryPolicy",
        "ecr:ListImages",
        "ecr:ListTagsForResource"
      ]
    }
  ]
}
```
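An added example, not part of the original thread and not Amplify or AWS code: a check that reads an ECR repository policy like the one in the comment above and reports every Allow statement whose principal is a wildcard, because `"Principal": "*"` with no Condition grants the listed actions to principals in any AWS account. The function name, the result fields and the read-only prefix heuristic are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

# Heuristic (an assumption of this example): ECR actions with these prefixes only read.
READ_PREFIXES = ("ecr:get", "ecr:describe", "ecr:list", "ecr:batchget", "ecr:batchcheck")
PULL_ACTIONS = ("ecr:batchgetimage", "ecr:getdownloadurlforlayer")  # needed to fetch an image

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    """True for "*", {"AWS": "*"} and {"AWS": [..., "*"]}."""
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def audit_repository_policy(policy_text):
    """Return one finding per Allow statement that any principal can use."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard(stmt.get("Principal")):
            continue
        # IAM action names are case-insensitive and may contain * wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "has_condition": bool(stmt.get("Condition")),
            "anyone_can_pull": all(
                any(fnmatchcase(need, pat) for pat in actions) for need in PULL_ACTIONS),
            "non_read_actions": [a for a in actions if not a.startswith(READ_PREFIXES)],
        })
    return findings

# The repository policy from the comment above, re-typed compactly.
PAGE_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "ReadOnlyPermissions", "Effect": "Allow", "Principal": "*",
    "Action": [
        "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
        "ecr:DescribeImageScanFindings", "ecr:DescribeImages",
        "ecr:DescribeRepositories", "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer", "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview", "ecr:GetRepositoryPolicy",
        "ecr:ListImages", "ecr:ListTagsForResource"]}]})

if __name__ == "__main__":
    for finding in audit_repository_policy(PAGE_POLICY):
        print(finding)
```

A finding with `has_condition` false and `anyone_can_pull` true means the image contents are readable from outside the account, so the image should hold no secrets or internal-only code.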
Given the recent changes to the docker hub pull policy could this be looked at?