I'm trying to deploy a docker container with multiple services to ECS. I've been following this article which looks great: https://aws.amazon.com/blogs/containers/deploy-applications-on-amazon-ecs-using-docker-compose/

I can get my container to run locally, and I can connect to the ECS context using the AWS CLI; however in the basic example from the article when I run

docker compose up 

In order to deploy the image to ECS, I get the error:

pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

Can't seem to make heads or tails of this. My docker is logged in to ECS using

aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

The default IAM user on my aws CLI has AmazonECS_FullAccess as well as "ecs:ListAccountSettings" and "cloudformation:ListStackResources"

I read here: "pull access denied repository does not exist or may require docker login" (mikemaccana's answer) that after Nov 2020 authentication may be required in your YAML file to allow AWS to pull from hub.docker.io (e.g. give AWS your Docker Hub username and password), but I can't get the 'auth' syntax to work in my YAML file. This is my YAML file that runs tomcat and mariadb locally:

version: "2"

services:

  database:
    build:
      context: ./tba-database
    image: tba-database
    # set default mysql root password, change as needed
    environment:
      MYSQL_ROOT_PASSWORD: password
    # Expose port 3306 to host. Not for the application but
    # handy to inspect the database from the host machine.
    ports:
      - "3306:3306" 
    restart: always

  webserver:
    build: 
      context: ./tba-webserver
    image: tba-webserver
    # mount point for application in tomcat
    volumes:
      - ./target/testPROJ:/usr/local/tomcat/webapps/ROOT
    links:
      - database:tba-database
    # open ports for tomcat and remote debugging
    ports:
      - "8080:8080" 
      - "8000:8000"
    restart: always

Reece

1 Answer

Author of the blog here (thanks for the kind comment!). I haven't played much with the build side of things but I suspect what's happening here is that when you run docker compose up we ignore the build phase and only leverage the image field. What happens next is that the containers being deployed on ECS/Fargate try to pull the image tba-database (which is where the deployment seems to be complaining, because it doesn't exist). You need extra steps to push your image to either GH or ECR before you can bring it to life using docker compose up when in the ecs context.

You also probably need to change the compose version ("2" is very old).

mreferre
  • I was getting this same problem and updating the "image" tag to point to a remote image (which I had just pushed to ECR) worked. Is there a reason it can't get the previously-built *local* image instead of requiring a remote image? Oh, wait, re-reading your answer it's obvious––the remote workers being spun up can't read from your local machine so at some point the image has to get hosted remotely. – Adair Sep 13 '21 at 21:29
  • 1
    Yep. Exactly. The Fargate task being spun up can't pull from your laptop. It needs to be in a proper registry that the task can get to in order to pull. – mreferre Sep 14 '21 at 09:18
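
The extra push step the answer describes, as an added example that is not from the answer or the blog post: `registry_of` shows why a bare `tba-database` is looked up on Docker Hub rather than on your machine, and `push_service` builds and pushes each service to ECR. The function names, the `push` argument and the account ID/region arguments are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Account ID and region are
# passed in by the caller; the values used in any test are constructed.

# Registry host that an `image:` value resolves to, following Docker's rule:
# the first path component is a registry only if it contains "." or ":" or
# is "localhost"; anything else is pulled from Docker Hub (docker.io).
registry_of() {
  local ref="$1" first="${1%%/*}"
  if [ "$first" != "$ref" ]; then
    case "$first" in
      *.*|*:*|localhost) printf '%s\n' "$first"; return ;;
    esac
  fi
  printf 'docker.io\n'
}

# ECR image URI: <account>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>
ecr_uri() {  # args: account region repo [tag]
  printf '%s.dkr.ecr.%s.amazonaws.com/%s:%s\n' "$1" "$2" "$3" "${4:-latest}"
}

# Build one compose service and push it where a Fargate task can pull it.
# Run this from the default Docker context; the calling IAM identity needs
# ECR push permissions in addition to the ECS ones.
push_service() {  # args: account region repo build_context
  local uri host
  uri="$(ecr_uri "$1" "$2" "$3")"
  host="$(registry_of "$uri")"
  # Create the repository only if it does not exist yet.
  aws ecr describe-repositories --region "$2" --repository-names "$3" >/dev/null 2>&1 ||
    aws ecr create-repository --region "$2" --repository-name "$3" >/dev/null
  # Log in to the exact registry host the image will be pushed to.
  aws ecr get-login-password --region "$2" |
    docker login --username AWS --password-stdin "$host"
  docker build -t "$uri" "$4"
  docker push "$uri"
  printf 'set "image: %s" for this service in the compose file\n' "$uri"
}

# Usage: ./push.sh push <account_id> <region>   (does nothing without "push")
if [ "${1:-}" = "push" ]; then
  push_service "$2" "$3" tba-database ./tba-database
  push_service "$2" "$3" tba-webserver ./tba-webserver
fi
```

After both pushes, replace each service's `image:` value with the printed URI before running docker compose up in the ecs context.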