AWS ECR Authentication issue

Hello everybody,

I’m facing a big issue pulling my own Docker images from our own AWS ECR registry. I’m using rancher-v2.0.2.

The Rancher and k8s documentation about the IAM profile is not clear at all.

So, I have these questions:

  • How do I create the IAM profile instance? I create an IAM Role named kubernetes with this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:*",
                "cloudtrail:LookupEvents"
            ],
            "Resource": "*"
        }
    ]
}
  • Is creating this IAM Role the right resource for my issue?

I think I searched everywhere stackoverflow/github/google and I didn’t find anything clear. I’m completely lost.

Is there someone who found a solution for this?

Thank you in advance

Rasmey

I have the same problem. I find it shocking after such a long time there is no answer.
Could someone be so nice to please post a step-by-step working howto on how to use ECR on Rancher 2.0?
I have tried basically everything I could find but nothing seems to work. I am using Rancher 2.0 with kubelet 1.20.

I’m guessing you guys have seen this? I’m still researching how to get the token into Rancher, but it seems they have a solution for it. I’d be curious to see what you both ended up doing.

Sorry to say that, but that blog post was written in March 2016. :slight_smile: Hence, it is not about Rancher 2.x.

I summarized our solution and the current status in ECR Credentials.

Sadly, there is a confusing amount of forum threads and GitHub issues regarding this topic…

Hi,

The main issue is you split the documentation. For example, some documentation for version 1.6 is still relevant in 2.x. I don’t remember exactly but there is no explicit reference for that.

I read the documentation for the version 1.6.

I suggest you “copy/paste/adapt” the doc when you create a new version of Rancher.

On Thu, Nov 15, 2018 at 09:28, Sebastian Hucke rancher@discoursemail.com wrote:

There is a slight misunderstanding:
I am not a Rancher employee / project member. :wink: I am just a user who wrote down his solution in a forum to give some help back to the community.

That fact aside, there are tons of possible tools out there you can possibly integrate Rancher / Kubernetes with. And there are even more solutions you can deploy on such a platform. The question is: Is a project’s documentation the right place for all that stuff? IMHO, no. That is the reason why there are so many people out there, describing their solutions in blog posts, forums, stackoverflow questions etc. The question on how to use an AWS ECR registry within Kubernetes is such a specific case - this is totally independent of Rancher.

By the way, if you feel something is missing in the docs: it is up to you to write some texts and start a pull request @ https://github.com/rancher/docs. :wink: Don’t forget: You get something for free here. And you are also free to participate, if you like.

This is just not true, there is virtually nothing in 1.x docs relevant to 2.x, other than things that are just about k8s in general.

1.x had an ECR updater we maintained because we had our own orchestration system and had to. We do not have one for 2.x, because Kubernetes has built-in support for ECR when running in AWS. For the minority using ECR in clusters outside of AWS, there are third-party scripts other people maintain.

Hello Rsareth,

I have finally made it work using a role with the following permissions for ECR:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:CreateRepository",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ecr:*",
            "Resource": "arn:aws:ecr:*:*:repository/*"
        }
    ]
}

Hope this will help you :slight_smile:
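
Both policies posted in this thread grant `ecr:*`. The following is an added example, not code from any poster or from Rancher: a small audit that reports which ECR pull permissions a policy is missing and which grants go beyond what an image pull needs. The helper names (`allow`, `doc`, `audit_ecr_policy`) and the `PULL_ONLY` policy are constructed for illustration.

```python
import fnmatch

# Actions a node role needs in order to pull images from ECR.
PULL_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
}
REPO_ARN = "arn:aws:ecr:*:*:repository/*"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_ecr_policy(policy):
    """Return (missing_pull_actions, excess_grants) for an IAM policy dict."""
    covered, excess = set(), []
    for statement in _as_list(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        resources = _as_list(statement.get("Resource", []))
        for pattern in _as_list(statement.get("Action", [])):
            matched = {a for a in PULL_ACTIONS
                       if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
            # GetAuthorizationToken has no resource-level scoping; it is only
            # granted by a statement whose Resource is "*".
            if "*" not in resources:
                matched.discard("ecr:GetAuthorizationToken")
            covered |= matched
            # Wildcards and non-pull actions grant more than a pull needs.
            if "*" in pattern or pattern not in PULL_ACTIONS:
                excess.append(pattern)
    return sorted(PULL_ACTIONS - covered), excess

def allow(actions, resource):
    return {"Effect": "Allow", "Action": actions, "Resource": resource}

def doc(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# The two policies posted in this thread (Sid omitted), then a constructed
# pull-only policy for comparison.
FIRST_POST = doc(allow(["ecr:*", "cloudtrail:LookupEvents"], "*"))
LAST_POST = doc(allow(["ecr:CreateRepository", "ecr:GetAuthorizationToken"], "*"),
                allow("ecr:*", REPO_ARN))
PULL_ONLY = doc(allow("ecr:GetAuthorizationToken", "*"),
                allow(sorted(PULL_ACTIONS - {"ecr:GetAuthorizationToken"}), REPO_ARN))

if __name__ == "__main__":
    for name in ("FIRST_POST", "LAST_POST", "PULL_ONLY"):
        print(name, audit_ecr_policy(globals()[name]))
```

An empty first list means the role can pull; every entry in the second list is a grant that a pull-only node role could drop.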