AWS EKS Cluster: Pods Not Starting Due to ImagePullBackOff scenarios with Custom ECR Repository Access
This might be a silly question, but I'm working with a scenario with my AWS EKS cluster where my pods are stuck in an `ImagePullBackOff` state. I have a custom Docker image hosted in an ECR repository within the same AWS account, but it seems like my EKS cluster isn't able to pull the image correctly.

I've ensured that the IAM role associated with the EKS worker nodes has the necessary permissions to access the ECR repository. The policy I attached is as follows:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
```

I've also tried logging into ECR from the EKS nodes manually using the AWS CLI and it works fine. Here's how I'm defining my deployment:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-container
          image: <account-id>.dkr.ecr.<region>.amazonaws.com/my-app:latest
          ports:
            - containerPort: 80
```

Despite everything looking good, I'm seeing this error in the pod events:

```
Failed to pull image "<account-id>.dkr.ecr.<region>.amazonaws.com/my-app:latest": rpc error: code = Unknown desc = Error response from daemon: Get "https://<account-id>.dkr.ecr.<region>.amazonaws.com/v2/my-app/manifests/latest": no basic auth credentials
```

I've verified that the EKS cluster is running in the same region as the ECR repository, and I also checked the VPC configuration. The security group associated with the EKS nodes allows outbound access to ECR.

Can anyone point me in the right direction? What else could be causing this scenario? This is part of a larger application I'm building. What am I doing wrong? Is there a better approach?
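An added example, not part of the original post: a small offline audit of a node-role policy document that confirms the four ECR pull actions are granted for a given repository and flags repository-level actions granted on `"Resource": "*"` where the repository ARN would suffice. The function name, the account id, region and ARN are constructed placeholders, and only plain `Allow` statements are evaluated.

```python
import fnmatch
import json

# ecr:GetAuthorizationToken has no resource-level permissions and must use "*";
# the three layer/image actions can be scoped to a single repository ARN.
TOKEN_ACTION = "ecr:GetAuthorizationToken"
REPO_ACTIONS = ["ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_ecr_pull_policy(policy_json, repo_arn):
    """Return pull actions that are missing and ones granted more broadly than needed.

    Simplification (assumption): Deny, NotAction, NotResource and Condition are ignored.
    """
    grants = {}  # action name -> set of resource patterns that allow it
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in [TOKEN_ACTION] + REPO_ACTIONS:
                # IAM action names are case-insensitive and may contain wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    grants.setdefault(action, set()).update(_as_list(stmt.get("Resource", [])))
    missing, broad = [], []
    if "*" not in grants.get(TOKEN_ACTION, set()):
        missing.append(TOKEN_ACTION)
    for action in REPO_ACTIONS:
        resources = grants.get(action, set())
        if not any(fnmatch.fnmatchcase(repo_arn, r) for r in resources):
            missing.append(action)
        elif "*" in resources:
            broad.append(action)
    return {"missing": missing, "broad": broad}


# Constructed inputs: placeholder account id and region, not values from the post.
REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/my-app"
POSTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [TOKEN_ACTION] + REPO_ACTIONS, "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": TOKEN_ACTION, "Resource": "*"},
    {"Effect": "Allow", "Action": REPO_ACTIONS, "Resource": REPO_ARN}]})

if __name__ == "__main__":
    print("posted:", audit_ecr_pull_policy(POSTED_POLICY, REPO_ARN))
    print("scoped:", audit_ecr_pull_policy(SCOPED_POLICY, REPO_ARN))
```
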