AWS CodeBuild ECR CannotPullContainerError
CodeBuild project fails at the Provisioning phase due to the following error:

BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE: Unable to pull customer's container image. CannotPullContainerError: Error response from daemon: pull access denied for <image-name>, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::<id>


Boynton answered 6/1, 2021 at 4:42 Comment(0)
55

The issue was with the Image Pull credentials. CodeBuild was using default AWS CodeBuild credentials for pulling the image while the ECRAccessPolicy was attached to the Project Service Role.

I fixed it by updating the image pull credentials to use project service role.


Boynton answered 6/1, 2021 at 4:42 Comment(3)
Thanks for this @chaitanya-bapta. For anyone else having trouble finding where to edit these settings for an existing build project, you need to select Environment in the Edit menu of the build project, then select Override image, then select the Custom image radio button, and select your "Environment type". The ECR options will then appear below. - Yoong
omg.. so much time wasted debugging my codebuild service role permissions, only to eventually give up and google this, to find out it wasn't using the service role... thanks much. - Meissner
The UI has changed a little bit, but it works for me. - Garvey
8

fwiw I stumbled across this issue when using terraform to create my codebuild pipeline.

The setting to change for this was image_pull_credentials_type which should be set to SERVICE_ROLE rather than CODEBUILD in the environment block of the resource "aws_codebuild_project".

Thank you to Chaitanya for the response which pointed me in this direction with the accepted answer.

Kumkumagai answered 7/3, 2022 at 19:5 Comment(3)
Please don't add "thank you" as an answer. Once you have sufficient reputation, you will be able to vote up questions and answers that you found helpful. - From Review - Jequirity
To clarify - I added my answer to expand upon Chaitanya's answer. Their answer was how to use the AWS console to fix this, however, this issue could occur in a system built with terraform, which is why I added my answer. - Conch
To provide further detail, this change is only needed when using an image hosted in a private repository to which you need to authenticate (like ECR), and NOT when using an AWS managed image like the default AL2 Linux image. - Liguria
7

To add additional clarity (not enough reputation yet to comment on an existing answer), the CodeBuild project service role needs to have the following permissions if trying to pull from a private repository:

{
   "Action":[
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer"
   ],
   "Effect":"Allow",
   "Resource":[
      "arn:aws:ecr:us-east-1:ACCOUNT_ID:repository/REPOSITORY_NAME*"
   ]
}

Also, the ECR repository policy should look something like this (scope down root if desired):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
Liguria answered 19/7, 2022 at 22:33 Comment(3)
You need to add the ecr:GetAuthorizationToken for that policy above. - Nickolai
I tried this but it is not working, getting the same error as above. I also tried with all permissions as given here: registry.terraform.io/providers/hashicorp/aws/latest/docs/… Any suggestion please? - Beautifully
@Beautifully An easy way to check is (if in a dev environment), to give the calling role ecr:*. You can also take a look at CloudTrail and search for access denied in the error columns to see what permissions might be missing. Lastly, if pulling from ECR, always check the permissions of the repo itself to ensure it is providing access to the role trying to pull the image. - Liguria
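The accepted answer, the Terraform answer and the policy answer above together describe two conditions a project must meet before a private ECR image can be pulled: the image pull credentials must be SERVICE_ROLE, and the service role must carry the ECR pull actions (plus ecr:GetAuthorizationToken, which is only grantable on Resource "*"). The following preflight check is an added example, not code from the thread or from AWS: it evaluates a project definition in the shape returned by `aws codebuild batch-get-projects` against the role's policy document. The account id, region, repository name and policy it uses are constructed placeholders, and its IAM evaluation is a deliberate approximation (wildcards via fnmatch, no Deny or Condition handling).

```python
"""Preflight check for a CodeBuild project that pulls its build image from ECR.

Added example, not code from the original thread. It encodes the two
conditions the answers above describe: an ECR image needs SERVICE_ROLE
image-pull credentials (the default CODEBUILD credentials are not the
project's service role, so the role's ECR policy is never used), and the
role needs the three pull actions on the repository plus
ecr:GetAuthorizationToken on "*", which is not resource-scoped.
Account id, region, repository and policy below are constructed placeholders.
"""
import fnmatch
import re

# <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag][@sha256:<digest>]
ECR_IMAGE_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[a-z0-9._/-]+)(?::[A-Za-z0-9_.-]+)?(?:@sha256:[0-9a-f]{64})?$"
)
PULL_ACTIONS = {"ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"}
AUTH_ACTION = "ecr:GetAuthorizationToken"


def ecr_repo_arn(image):
    """Repository ARN for a private ECR image URI, or None for any other image."""
    m = ECR_IMAGE_RE.match(image)
    if not m:
        return None
    return f"arn:aws:ecr:{m['region']}:{m['account']}:repository/{m['repo']}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, resource_arn, wanted):
    """Members of `wanted` granted by Allow statements whose Resource covers resource_arn.

    IAM's * and ? wildcards are approximated with fnmatch and actions compare
    case-insensitively; Deny statements and Conditions are deliberately ignored.
    """
    granted = set()
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r)
                   for r in _as_list(st.get("Resource", []))):
            continue
        for pattern in _as_list(st.get("Action", [])):
            granted.update(a for a in wanted
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted


def check_project(project, role_policy):
    """Findings that would end in CannotPullContainerError; an empty list passes."""
    env = project["environment"]
    repo_arn = ecr_repo_arn(env["image"])
    if repo_arn is None:
        return []  # not a private ECR image: nothing for this check to say
    findings = []
    # Unset is treated as CODEBUILD here (the Terraform provider's default).
    if env.get("imagePullCredentialsType", "CODEBUILD") != "SERVICE_ROLE":
        findings.append("imagePullCredentialsType is not SERVICE_ROLE: the pull "
                        "uses CodeBuild's own credentials, not the service role")
    missing = PULL_ACTIONS - allowed_actions(role_policy, repo_arn, PULL_ACTIONS)
    if missing:
        findings.append(f"service role lacks {sorted(missing)} on {repo_arn}")
    if not allowed_actions(role_policy, "*", {AUTH_ACTION}):
        findings.append(f'service role lacks {AUTH_ACTION} on Resource "*"')
    return findings


# Constructed sample inputs; the project follows `aws codebuild batch-get-projects` shape.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": AUTH_ACTION, "Resource": "*"},
        {"Effect": "Allow", "Action": sorted(PULL_ACTIONS),
         "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/build-images/*"},
    ],
}


def sample_project(pull_credentials):
    return {"name": "example-build", "environment": {
        "type": "LINUX_CONTAINER",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/build-images/base:latest",
        "imagePullCredentialsType": pull_credentials}}


if __name__ == "__main__":
    for creds in ("CODEBUILD", "SERVICE_ROLE"):
        print(creds, check_project(sample_project(creds), ROLE_POLICY) or "ok")
```

Running it prints a single finding for the CODEBUILD variant and "ok" for the SERVICE_ROLE one, which is the difference the accepted answer's console change and the Terraform `image_pull_credentials_type` change make. The ecr:GetAuthorizationToken check is separate from the repository-scoped actions because IAM will not match that action against a repository ARN; it has to sit in a statement with Resource "*".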
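The comment above suggests searching CloudTrail for access-denied errors to see which permissions are missing. The script below is an added example, not code from the thread or from AWS, that does that triage offline: it takes raw CloudTrail records (the "Records" list of a trail log file, or `aws cloudtrail lookup-events` output unpacked with records_from_lookup_events) and reports, per calling principal, which ECR actions were denied on which resources. It also tells you whether the denied caller is a session of the project's service role at all, which is the question the accepted answer turned on. The role name, account id and records are constructed; the errorMessage wording assumed is IAM's usual "is not authorized to perform: <action> on resource: <arn>".

```python
"""Triage ECR AccessDenied records from CloudTrail after a CannotPullContainerError.

Added example, not code from the original thread. Input is a list of raw
CloudTrail records; the sample records, role name and account id below are
constructed, and the errorMessage format assumed is IAM's standard
"is not authorized to perform: <action> on resource: <arn>" wording.
"""
import json
import re
from collections import defaultdict

DENIED_RE = re.compile(
    r"not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)")


def records_from_lookup_events(doc):
    """Unpack `aws cloudtrail lookup-events` JSON output into raw CloudTrail records."""
    return [json.loads(e["CloudTrailEvent"]) for e in doc.get("Events", [])]


def ecr_denials(records):
    """Yield (principal_arn, action, resource) for each ECR AccessDenied record."""
    for rec in records:
        if rec.get("eventSource") != "ecr.amazonaws.com":
            continue
        if not str(rec.get("errorCode", "")).startswith("AccessDenied"):
            continue
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        m = DENIED_RE.search(rec.get("errorMessage", ""))
        if m:
            yield principal, m["action"], m["resource"]
        else:  # message in an unexpected shape: still report the denied API
            yield principal, f"ecr:{rec.get('eventName', '?')}", "?"


def missing_by_principal(records):
    """Map principal ARN -> sorted 'action on resource' strings that were denied."""
    out = defaultdict(set)
    for principal, action, resource in ecr_denials(records):
        out[principal].add(f"{action} on {resource}")
    return {p: sorted(v) for p, v in out.items()}


def is_session_of_role(principal_arn, role_name):
    """True if an STS session ARN was issued from the named IAM role."""
    return f":assumed-role/{role_name}/" in principal_arn


# Constructed records in CloudTrail's shape (not from a real account).
ROLE_SESSION = ("arn:aws:sts::123456789012:assumed-role/"
                "codebuild-example-service-role/AWSCodeBuild-0a1b2c3d")
REPO = "arn:aws:ecr:us-east-1:123456789012:repository/build-images/base"
SAMPLE_RECORDS = [
    {"eventTime": "2021-01-06T04:40:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "codebuild.amazonaws.com"}},
    {"eventTime": "2021-01-06T04:40:12Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "GetAuthorizationToken", "errorCode": "AccessDenied",
     "errorMessage": f"User: {ROLE_SESSION} is not authorized to perform: "
                     "ecr:GetAuthorizationToken on resource: *",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION}},
    {"eventTime": "2021-01-06T04:40:12Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "BatchGetImage", "errorCode": "AccessDenied",
     "errorMessage": f"User: {ROLE_SESSION} is not authorized to perform: "
                     f"ecr:BatchGetImage on resource: {REPO}",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION}},
    {"eventTime": "2021-01-06T04:41:00Z", "eventSource": "ecr.amazonaws.com",
     "eventName": "DescribeRepositories",  # succeeded: no errorCode
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]


if __name__ == "__main__":
    for principal, denied in missing_by_principal(SAMPLE_RECORDS).items():
        tag = "service role" if is_session_of_role(
            principal, "codebuild-example-service-role") else "other principal"
        print(f"{principal} ({tag})")
        for item in denied:
            print("   ", item)
```

If the summary lists denials for a session of the service role, the role is in use and the listed actions are what its policy (or the repository policy) is missing. If the only denied caller is something else, or there are no ECR denials from the role at all, the project is not pulling with the service role, which is the CODEBUILD-credentials case the accepted answer fixed.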
0

Using a custom image, I had to select "Other ECR Account" and paste the URI of the image in my ECR. Also had to enable the "Privileged" flag.

Even though I am accessing it from the same account.

Supersensible answered 30/3, 2023 at 14:44 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.