K
Q

AWS ECR PULL no basic auth credentials

3/14/2019

I'm deploying Azure K8s cluster with Terraform, and the image is hosted in Amazon ECR. The deployment fails at the image pull from the ECR with the following error:

Failed to pull image "tooot.eu-west-1.amazonaws.com/app-t:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://tooot.eu-west-1.amazonaws.com/v2/app-t/manifests/latest: no basic auth credentials

the following is my kuberentes resource in the terraform template

  metadata {
    name = "terraform-app-deployment-example"
    labels {
      test = "app-deployment"
    }
  }

  spec {
    replicas = 6

    selector {
      match_labels {
        test = "app-deployment"
      }
    }

    template {
      metadata {
        labels {
          test = "app-deployment"
        }
      }

      spec {
        container {
          image = "toot.eu-west-1.amazonaws.com/app-t:latest"
          name  = "app"
        }
      }
    }
  }
}`
-- Renm
azure
azure-aks
kubectl
kubernetes
terraform-provider-azure

Similar Questions

Trust CA certificate on istio level
communication between polipo and tor kubernetes deployment
How to give the input for the kubectl command?
k8s/python: How do I read a secret using the Kubernetes Python client?

2 Answers

3/14/2019

Basically you are lacking credentials to pull images from AWS.

You need to create a regcred, which contains the login credentials:

https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

After that you need to add the regcred on your terraform configuration. I have not worked with templates, but in a deploy specification you would add a field called imagePullSecrets.

https://www.terraform.io/docs/providers/kubernetes/r/deployment.html

The imagePullSecrets description:

image_pull_secrets - (Optional) ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored

-- Leandro Donizetti Soares
Source: StackOverflow
3/14/2019

in kubernetes cluster you have to add secret which will used to login into ECR at the time of pulling image

ECR managed the token for pushing and pulling images. Token is valid for 12 hour

so kindly check for token in ECR

i have written shell script for that you can also check it out

it is getting token from aws ECR deleting old secret in kubernetes cluster and creating again new secret in kubernetes cluster. which secret will be used for to pull the image from the aws ecr.

as i am checking there is no secret in container spec option

you can check more at here :

https://github.com/harsh4870/ECR-Token-automation/blob/master/aws-token.sh

-- Harsh Manvar
Source: StackOverflow