CodexBloom - Programming Q&A Platform

ECS Fargate Task scenarios with 'CannotPullContainerError' when Using ECR Private Image with Cross-Account Access

👀 Views: 62 💬 Answers: 1 📅 Created: 2025-06-08
aws ecs ecr docker fargate json

After trying multiple solutions online, I still can't figure this out. I'm working on a personal project and I'm trying to deploy a service on AWS ECS Fargate, but I'm working with a `CannotPullContainerError` when it tries to pull a Docker image from a private ECR repository located in a different AWS account... The behavior message I get is:

```
CannotPullContainerError: behavior response from daemon: pull access denied for <account_id>.dkr.ecr.<region>.amazonaws.com/<repository_name>: latest, repository does not exist or may require 'docker login'
```

I've already verified that the ECR repository exists in the target account and that the image is correctly tagged as `latest`. In the originating account, I created an IAM role for the ECS task with the following policy to allow cross-account access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:<region>:<account_id>:repository/<repository_name>"
    }
  ]
}
```

I also ensured that the task execution role has the required permissions to pull the image. The role attached to my ECS task is:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    }
  ]
}
```

Additionally, in the target account, I added a resource policy to the ECR repository to allow access from the originating account's role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<origin_account_id>:role/<role_name>"
      },
      "Action": "ecr:*",
      "Resource": "arn:aws:ecr:<region>:<account_id>:repository/<repository_name>"
    }
  ]
}
```

Despite all these configurations, the task still won't pull the image. Is there anything I am missing or any specific IAM permissions that could help resolve this scenario?

I'm using AWS CLI version 2.7.0 and my Fargate task is configured to run in a VPC with the necessary subnets and security groups. My development environment is Ubuntu. Has anyone else encountered this? I'm working in an Ubuntu 20.04 environment. Thanks for taking the time to read this! This is my first time working with Json 3.11. What are your experiences with this?
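An added offline check (not code from the post or from AWS) for the two policies that actually decide whether a Fargate task can pull: the task execution role's identity policy and the repository's resource policy. It evaluates the question's execution-role and repository policies, with constructed placeholder account ids, role names and repository name standing in for the `<...>` values, and assumes the ECS agent pulls with the execution role, so `ecr:GetAuthorizationToken` must be allowed on `*` and the three repository-scoped actions on the repository ARN.

```python
import fnmatch
import json

# Constructed placeholders standing in for the question's <account_id>/<role_name> values.
REPO_ARN = "arn:aws:ecr:us-east-1:222222222222:repository/my-service"
EXEC_ROLE_ARN = "arn:aws:iam::111111111111:role/ecsTaskExecutionRole"
TASK_ROLE_ARN = "arn:aws:iam::111111111111:role/myTaskRole"

# Fargate pulls the image with the task EXECUTION role. ecr:GetAuthorizationToken has no
# resource-level scoping (it needs Resource "*"); these three are scoped to the repository.
REPO_SCOPED_ACTIONS = ("ecr:BatchCheckLayerAvailability",
                       "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(value, patterns):
    # IAM's "*" and "?" wildcards line up with fnmatch; ARN matching is case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _allows(statement, action, resource):
    return (statement.get("Effect") == "Allow"
            and _matches(action, statement.get("Action", []))
            and _matches(resource, statement.get("Resource", [])))

def missing_pull_permissions(identity_policy_json, repo_arn):
    """Required ECR actions that the identity policy does NOT allow for repo_arn, in check order."""
    statements = _as_list(json.loads(identity_policy_json).get("Statement", []))
    needed = [("ecr:GetAuthorizationToken", "*")] + [(a, repo_arn) for a in REPO_SCOPED_ACTIONS]
    return [a for a, r in needed if not any(_allows(s, a, r) for s in statements)]

def repo_policy_trusts(repo_policy_json, principal_arn, repo_arn):
    """True if the repository (resource) policy grants principal_arn every repo-scoped pull action."""
    for s in _as_list(json.loads(repo_policy_json).get("Statement", [])):
        principal = s.get("Principal", {})
        allowed_arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if (_matches(principal_arn, allowed_arns)
                and all(_allows(s, a, repo_arn) for a in REPO_SCOPED_ACTIONS)):
            return True
    return False

# Constructed copies of the question's execution-role policy and repository policy.
EXEC_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"}]})
REPO_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": TASK_ROLE_ARN}, "Action": "ecr:*", "Resource": REPO_ARN}]})
```

Run against the question's configuration, `missing_pull_permissions(EXEC_ROLE_POLICY, REPO_ARN)` reports the three repository-scoped actions as absent from the execution role, and `repo_policy_trusts(REPO_POLICY, EXEC_ROLE_ARN, REPO_ARN)` is false because the repository policy names the task role rather than the execution role.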