AWS Fargate Task Fails to Start with 'CannotPullContainerError' on Private ECR Image
I'm working on a personal project and I'm running into an issue with my AWS Fargate service where the tasks are failing to start due to a `CannotPullContainerError`. I have a Docker image stored in a private ECR repository, and I've set up a task definition to use this image. The error message I'm seeing in the CloudWatch logs is:

```
CannotPullContainerError: behavior: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/myTaskExecutionRole/... is not authorized to perform: ecr:GetAuthorizationToken on resource: *
```

I believe I have configured everything correctly, but I suspect there might be an issue with the IAM permissions. Here's the relevant part of my task definition:

```json
{
  "containerDefinitions": [
    {
      "name": "my-container",
      "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo:latest",
      "essential": true,
      "memory": 512,
      "cpu": 256
    }
  ],
  "family": "my-fargate-task",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "executionRoleArn": "arn:aws:iam::123456789012:role/myTaskExecutionRole"
}
```

I've attached the execution role `myTaskExecutionRole` with the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
```

I also made sure the VPC and subnets are configured correctly, and the security groups allow outbound traffic.

Can someone help me identify what might be missing or misconfigured? I've tried modifying the permissions to be more permissive, but that hasn't resolved the issue. Is there a specific policy or setting I need to ensure that the Fargate task can pull the image from my private ECR?

I'm working on an API that needs to handle this. Has anyone else encountered this? Is there a better approach?
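An added example, not part of the original post: a simplified offline evaluator that checks whether a set of policy documents effectively allows the four ECR pull actions, taking explicit `Deny` statements and an optional permissions boundary into account. The function names and the `SCOPED_POLICY` document are constructed for illustration; `Condition`, `NotAction`, `NotResource`, SCPs and repository policies are not evaluated.

```python
import fnmatch

# Actions from the post's policy; repository ARN derived from its image URI.
REQUIRED = ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
REPO_ARN = "arn:aws:ecr:us-east-1:123456789012:repository/my-repo"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value, fold=False):
    # Action names compare case-insensitively; ARNs do not. '*' and '?' are wildcards.
    norm = str.lower if fold else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def decision(policies, action, resource):
    """'deny' if any Deny matches, else 'allow' if an Allow matches, else 'implicit-deny'."""
    result = "implicit-deny"
    for doc in policies:
        for st in _as_list(doc.get("Statement", [])):
            if "Action" not in st or "Resource" not in st:
                continue  # NotAction/NotResource are out of scope; Condition is ignored
            if _matches(st["Action"], action, fold=True) and _matches(st["Resource"], resource):
                if st.get("Effect") == "Deny":
                    return "deny"
                result = "allow"
    return result

def missing_pull_actions(identity_policies, boundary=None, repo_arn=REPO_ARN):
    """Required actions not allowed by the identity policies AND the optional boundary."""
    missing = {}
    for action in REQUIRED:
        # GetAuthorizationToken is not repository-scoped: it is requested on "*".
        target = "*" if action == "ecr:GetAuthorizationToken" else repo_arn
        verdict = decision(identity_policies, action, target)
        if verdict == "allow" and boundary is not None:
            b = decision([boundary], action, target)
            verdict = "allow" if b == "allow" else "boundary-" + b
        if verdict != "allow":
            missing[action] = verdict
    return missing

# Policy copied from the post.
POST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": REQUIRED, "Resource": "*"}]}
# Constructed variant: same actions, scoped to the repository ARN.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": REQUIRED, "Resource": REPO_ARN}]}
if __name__ == "__main__":
    print(missing_pull_actions([POST_POLICY]), missing_pull_actions([SCOPED_POLICY]))
```

The policy from the post passes this check on its own, so the evaluator is most useful when fed every policy document actually attached to the role plus any boundary, exported from IAM.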