Getting this message:
Failed to pull image....Error response from daemon: pull access denied for {private_repo}, the repository does not exist or may require 'docker login'
After deploying new helm chart using AWS ECR BUT
~/.docker/config.json
shows that it's logged inAny thoughts appreciated.
The issue was with permissions in ECR for this particular repo, I put following permissions with "Effect": "Allow" and it worked:
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:DescribeImages",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
You need to authenticate to ECR to pull image. If you haven't done so, follow instructions here. Basically you get an authorization token from AWS to pass it to docker login
. The account required by ECR is IAM-based and different from your local Docker account.
If you have already done that, the token may have expired. Log in again then.
The reason you don't have to do this for other pods is likely those images have been built or pulled to local so Docker doesn't have to download it (with the imagePullPolicy
of the pod set to IfNotPresent
as default).
You didn't specify your Kubernetes resource (i.e Pod, Deployment, etc). But it's most likely as far as I can tell because either:
ImagePullSecrets
in the specific Pod definition:kubectl create secret generic regcred \
--from-file=.dockerconfigjson=~/.docker/config.json> \
--type=kubernetes.io/dockerconfigjson
Then the pod:apiVersion: v1
kind: Pod
metadata:
name: myservice
spec:
containers:
- name: yourXYZservice
image: serviceXYZ:latest-develop
imagePullSecrets:
- name: regcred
latest-develop
tag.
Before pushing, tag your image and push it with the tag:docker tag <image-id> serviceXYZ:latest-develop
docker push serviceXYZ:latest-develop