
CodeBuild project fails at the Provisioning phase due to the following error:

BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE: Unable to pull customer's container image. CannotPullContainerError: Error response from daemon: pull access denied for <image-name>, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::<id>


4 Answers


The issue was with the Image Pull credentials. CodeBuild was using default AWS CodeBuild credentials for pulling the image while the ECRAccessPolicy was attached to the Project Service Role.

I fixed it by updating the image pull credentials to use project service role.


  • Thanks for this @chaitanya-bapta. For anyone else having trouble finding where to edit these settings for an existing build project, you need to select Environment in the Edit menu of the build project, then select Override image, then select the Custom image radio button, and select your "Environment type". The ECR options will then appear below.
    – Kris Dover
    Commented Oct 5, 2021 at 1:44
  • omg.. so much time wasted debugging my codebuild service role permissions, only to eventually give up and google this, to find out it wasn't using the service role... thanks much.
    – Tommy
    Commented Dec 9, 2022 at 13:38
  • The UI has changed a little bit, but it works for me
    – rck6982
    Commented Dec 17, 2022 at 19:12

fwiw I stumbled across this issue when using terraform to create my codebuild pipeline.

The setting to change for this was image_pull_credentials_type which should be set to SERVICE_ROLE rather than CODEBUILD in the environment block of the resource "aws_codebuild_project".

Thank you to Chaitanya for the response which pointed me in this direction with the accepted answer.

  • Please don't add "thank you" as an answer. Once you have sufficient reputation, you will be able to vote up questions and answers that you found helpful. - From Review
    Commented Mar 12, 2022 at 10:45
  • To clarify - I added my answer to expand upon Chaitanya's answer. Their answer was how to use the AWS console to fix this, however, this issue could occur in a system built with terraform, which is why I added my answer.
    Commented Apr 21, 2022 at 18:10
  • To provide further detail, this change is only needed when using an image hosted in a private repository to which you need to authenticate (like ECR), and NOT when using an AWS managed image like the default AL2 Linux image.
    Commented Mar 9, 2023 at 17:15
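As an added example (not code from the question or from any of the answers), here is the fix from the accepted answer and from the Terraform answer in one place: an aws_codebuild_project whose environment block sets image_pull_credentials_type to SERVICE_ROLE, together with the service role it runs under and the ECR pull permissions that role needs. The project name, role name, repository name, source location, account id and region are assumptions; ecr:GetAuthorizationToken is included because CodeBuild needs it to log in to the registry before it can read layers.

```hcl
# Added example, not from the original question or answers. A CodeBuild project
# that pulls its build image from a private ECR repository in the same account,
# authenticating with the project service role instead of CodeBuild's own
# credentials. All names, the account id and the region are assumptions.

variable "account_id" { default = "123456789012" } # assumption
variable "region"     { default = "us-east-1" }    # assumption

data "aws_iam_policy_document" "codebuild_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "codebuild" {
  name               = "example-codebuild-service-role" # assumption
  assume_role_policy = data.aws_iam_policy_document.codebuild_assume.json
}

# Least-privilege pull permissions. ecr:GetAuthorizationToken is not
# resource-scoped, so it needs "*"; the layer and image reads are scoped to
# the single repository the build image lives in.
data "aws_iam_policy_document" "ecr_pull" {
  statement {
    sid       = "EcrAuthToken"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    sid = "EcrPull"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]
    resources = ["arn:aws:ecr:${var.region}:${var.account_id}:repository/build-image"] # assumption
  }
  # Standard CodeBuild requirement so the build can write its CloudWatch logs;
  # scoped to this project's log group.
  statement {
    sid       = "Logs"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/codebuild/example-project*"]
  }
}

resource "aws_iam_role_policy" "ecr_pull" {
  role   = aws_iam_role.codebuild.id
  policy = data.aws_iam_policy_document.ecr_pull.json
}

resource "aws_codebuild_project" "example" {
  name         = "example-project" # assumption
  service_role = aws_iam_role.codebuild.arn

  artifacts { type = "NO_ARTIFACTS" }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    type         = "LINUX_CONTAINER"
    image        = "${var.account_id}.dkr.ecr.${var.region}.amazonaws.com/build-image:latest" # assumption

    # The fix from this thread. With the default value CODEBUILD the image is
    # pulled with CodeBuild's own credentials, which no policy attached to the
    # role above can authorize, and the pull fails with
    # BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE.
    image_pull_credentials_type = "SERVICE_ROLE"
  }

  source {
    type     = "GITHUB"
    location = "https://github.com/example/repo.git" # assumption
  }
}
```

If the image is an AWS managed one (for example the default aws/codebuild/amazonlinux2 images) this setting can stay at CODEBUILD, as the comment above notes; it only matters when the registry requires authentication that your role is the one able to provide.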

To add additional clarity (not enough reputation yet to comment on an existing answer), the CodeBuild project service role needs to have the following permissions if trying to pull from a private repository:

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "EcrAuthToken",
         "Effect": "Allow",
         "Action": "ecr:GetAuthorizationToken",
         "Resource": "*"
      },
      {
         "Sid": "EcrPull",
         "Effect": "Allow",
         "Action": [
            "ecr:BatchCheckLayerAvailability",
            "ecr:BatchGetImage",
            "ecr:GetDownloadUrlForLayer"
         ],
         "Resource": [
            "arn:aws:ecr:us-east-1:ACCOUNT_ID:repository/REPOSITORY_NAME*"
         ]
      }
   ]
}
```

Also, the ECR repository policy should also look something like this (scope down root if desired):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
```
  • You need to add the ecr:GetAuthorizationToken for that policy above.
    – wpp
    Commented Mar 8, 2023 at 23:23
  • I tried this but it is not working, getting the same error as above. I also tried with all permissions as given here: registry.terraform.io/providers/hashicorp/aws/latest/docs/… Any suggestion please?
    Commented Dec 2, 2023 at 12:50
  • @bhattraideb An easy way to check is (if in a dev environment) to give the calling role ecr:*. You can also take a look at CloudTrail and search for access denied in the error columns to see what permissions might be missing. Lastly, if pulling from ECR, always check the permissions of the repo itself to ensure it is providing access to the role trying to pull the image.
    Commented Dec 7, 2023 at 21:18

Using a custom image, I had to select "Other ECR Account" and paste the URI of the image in my ECR. Also had to enable the "Privileged" flag.

Even though I am accessing it from the same account.
