Dilusha Rasanjana

AWS ECR with Endpoints - Access Errors

AWS Elastic Container Registry (ECR) is a fully managed Docker container registry that makes it easy for developers to share and deploy container-based applications, so you can treat it as a secure and scalable repository for Docker container images. In this follow-up I will point out a few things you should be aware of before using ECR.

When we store an image in an Amazon ECR repository, Amazon stores the image's layers in a backend S3 bucket. This S3 bucket is unique to each region. This does not affect our AWS architecture until we use AWS VPC endpoints to reach ECR or S3 buckets.

1. When our architecture is designed to restrict internet access:

(Diagram: Application without Internet)

We need to create an AWS interface endpoint to access ECR, and an interface or gateway endpoint to access the S3 bucket where the images are actually stored. If we use an endpoint policy to restrict access, the S3 bucket ARN must be allowed in it. The following is the Amazon Resource Name (ARN) of the Amazon S3 bucket containing the layers for each Docker image:

```text
arn:aws:s3:::prod-<region>-starport-layer-bucket/*
```

NOTE: You must replace `<region>` in the bucket ARN with the name of your region.

2. When our architecture has one or more private S3 buckets and the VPC has internet access:

(Diagram: Application with private S3 buckets)

Because the VPC has an internet connection in this case, an interface endpoint for ECR is optional; you can decide for yourself whether to add one.

However, we still have to add an interface or gateway endpoint to access the private S3 buckets. If we use an endpoint policy to restrict access, the ARN of the S3 bucket in which ECR stores image layers must also be allowed in that policy. Otherwise ECR operations fail: image pulls return 403 Forbidden when the layer blobs are fetched through the endpoint, as in the following example.

```text
Failed to pull image "123456789.dkr.ecr.ap-southeast-1.amazonaws.com/ecr_repo:1.1": failed to pull and unpack image "123456789.dkr.ecr.ap-southeast-1.amazonaws.com/ecr_repo:1.1": failed to copy: httpReadSeeker: failed open: unexpected status code https://123456789.dkr.ecr.ap-southeast-1.amazonaws.com/ecr_repo/blobs/sha256:7fa43ee6781f1f46033bd360df783c66897d544d2aafceec4f55b1ebd2497eee : 403 Forbidden
```

You can use the following endpoint policy to restrict access to S3 to only the buckets you need (your own private bucket and the ECR layer bucket):

```json
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::prod-<region>-starport-layer-bucket/*",
                "<your-s3-bucket-arn>"
            ]
        }
    ]
}
```

NOTE: You must replace `<region>` in the bucket ARN with the name of your region, and `<your-s3-bucket-arn>` with the ARN of your own bucket.
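As an added example (not code from the post), the following Python script builds the endpoint policy above for a given region and uses a small, simplified IAM-style matcher to show why a policy that lists only your own bucket rejects layer pulls (the 403 above) while the corrected policy admits them. The bucket names are constructed, and the evaluator's semantics (Allow/Deny on Action and Resource only, no Principal or Condition handling) are an assumption; the real evaluation happens inside AWS.

```python
import re

# Object-level ARN pattern of the regional S3 bucket holding ECR image layers
# (the pattern from the post); {region} is filled in per region.
ECR_LAYER_BUCKET_ARN = "arn:aws:s3:::prod-{region}-starport-layer-bucket/*"


def s3_endpoint_policy(region, private_bucket_arns):
    """The post's S3 endpoint policy for one region: your private bucket ARNs
    (object-level, i.e. ending in /*) plus the ECR layer bucket."""
    return {"Version": "2008-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "*",
        "Resource": [ECR_LAYER_BUCKET_ARN.format(region=region)] + list(private_bucket_arns)}]}


def _wild_match(pattern, value):
    """IAM-style wildcard match: '*' spans any characters (including '/'),
    '?' matches exactly one; everything else is literal, case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def endpoint_allows(policy, action, resource_arn):
    """Simplified evaluator (assumption): there is no implicit Allow, so the
    request needs a matching Allow statement, and any matching Deny wins.
    Principal and Condition elements are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        ress = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_wild_match(a, action) for a in acts) and any(_wild_match(r, resource_arn) for r in ress):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def demo(region="ap-southeast-1"):
    """Return (layer pull allowed by own-bucket-only policy, allowed by fixed policy)."""
    # Constructed sample values: a hypothetical private bucket and one layer object.
    private = "arn:aws:s3:::my-private-bucket/*"
    layer_blob = f"arn:aws:s3:::prod-{region}-starport-layer-bucket/some-layer-digest"
    # Policy that lists only your own bucket: this is what produces the 403 on pulls.
    too_strict = {"Version": "2008-10-17", "Statement": [{"Effect": "Allow",
                  "Principal": {"AWS": "*"}, "Action": "*", "Resource": [private]}]}
    fixed = s3_endpoint_policy(region, [private])
    return (endpoint_allows(too_strict, "s3:GetObject", layer_blob),
            endpoint_allows(fixed, "s3:GetObject", layer_blob))
```

Note that the fixed policy still only names the layer bucket for the one region you pass in, so the same 403 returns if a workload pulls from ECR in a different region.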

These two use cases will help you build applications on both AWS EKS and ECS.

Follow me for more articles, and stay connected with me on LinkedIn: https://www.linkedin.com/in/dilusha-rasanjana/
