AWS EKS Unable to Pull Private Docker Images Despite Correct IAM Roles
I'm sure I'm missing something obvious here, but I'm having trouble with my AWS EKS cluster pulling private Docker images from ECR. I've double-checked that my IAM roles are correctly set up for the node instance profile and the Kubernetes service account, but I'm still getting the following error in the pod logs:

```
Failed to pull image "<account-id>.dkr.ecr.<region>.amazonaws.com/my-private-image:latest": rpc error: code = Unknown desc = Error response from daemon: pull access denied for <account-id>.dkr.ecr.<region>.amazonaws.com/my-private-image, repository does not exist or may require 'docker login'
```

I have confirmed that the Docker image exists in ECR and that my EKS worker nodes have the `AmazonEKSWorkerNodePolicy` and `AmazonEC2ContainerRegistryReadOnly` policies attached. I also created a Kubernetes service account with an IAM role using `eksctl` that grants access to ECR images. I applied the service account as follows:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/MyECRAccessRole
```

In my deployment, I've referenced the service account:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      serviceAccountName: my-service-account
      containers:
        - name: my-app
          image: <account-id>.dkr.ecr.<region>.amazonaws.com/my-private-image:latest
```

I verified that the node instance profile has the correct permissions, and I tried re-logging into ECR, but the issue persists. Any suggestions on what might be missing or incorrect in my setup?

I'm using EKS version 1.22 and the latest version of `eksctl`. This is part of a larger service I'm building. Am I missing something obvious? I'm working in a Debian environment.
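An added illustration, not part of the original question: the kubelet fetches an image before the container starts, so the pull is authenticated by the node instance profile (or by `imagePullSecrets` if set), never by the pod's IRSA service account. The script below shows which credential performs the pull and evaluates a node-role policy offline against the ECR actions a pull needs. The pod spec and policies are constructed, and the required-action list is my assumption, taken from the pull-related subset of `AmazonEC2ContainerRegistryReadOnly`.

```python
import fnmatch

# Minimum ECR actions an image pull needs (assumption: the pull-related
# subset of the AmazonEC2ContainerRegistryReadOnly managed policy).
ECR_PULL_ACTIONS = (
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
)

def pull_identity(pod_spec):
    """Name the credential the kubelet uses for the pull. The image is fetched
    before the container runs, so serviceAccountName (IRSA) is not consulted."""
    if pod_spec.get("imagePullSecrets"):
        return "imagePullSecrets"
    return "node-instance-profile"

def _matches(action, patterns):
    # IAM action names are case-insensitive and accept '*' and '?' wildcards.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def evaluate(statements, actions=ECR_PULL_ACTIONS):
    """Minimal offline IAM evaluation over the Action element only:
    an explicit Deny wins, any Allow permits, otherwise implicit deny."""
    decisions = {}
    for action in actions:
        decision = "implicit-deny"
        for stmt in statements:
            if not _matches(action, stmt["Action"]):
                continue
            if stmt["Effect"] == "Deny":
                decision = "explicit-deny"
                break
            decision = "allow"
        decisions[action] = decision
    return decisions

def missing_pull_actions(statements):
    return sorted(a for a, d in evaluate(statements).items() if d != "allow")

# Constructed sample data modelled on the question (not real policies).
POD_SPEC = {"serviceAccountName": "my-service-account",
            "containers": [{"name": "my-app", "image": "<account-id>.dkr.ecr."
                            "<region>.amazonaws.com/my-private-image:latest"}]}
NODE_ROLE_NO_ECR = [{"Effect": "Allow", "Action": ["ec2:Describe*", "eks:DescribeCluster"]}]
NODE_ROLE_WITH_ECR = NODE_ROLE_NO_ECR + [
    {"Effect": "Allow", "Action": ["ecr:Get*", "ecr:Batch*", "ecr:Describe*", "ecr:List*"]}]
NODE_ROLE_DENY_TOKEN = NODE_ROLE_WITH_ECR + [{"Effect": "Deny", "Action": "ecr:GetAuthorizationToken"}]

if __name__ == "__main__":
    print(pull_identity(POD_SPEC), missing_pull_actions(NODE_ROLE_NO_ECR))
```

The point to check first is therefore the policy attached to the node role the pull actually runs under, plus any explicit Deny that overrides it, rather than the IRSA role on the service account.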