AWS ECR PULL no basic auth credentials

Renm picture Renm · Mar 14, 2019 · Viewed 9.9k times · Source

I'm deploying Azure K8s cluster with Terraform, and the image is hosted in Amazon ECR. The deployment fails at the image pull from the ECR with the following error:

Failed to pull image "tooot.eu-west-1.amazonaws.com/app-t:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://tooot.eu-west-1.amazonaws.com/v2/app-t/manifests/latest: no basic auth credentials

the following is my kuberentes resource in the terraform template

  metadata {
    name = "terraform-app-deployment-example"
    labels {
      test = "app-deployment"
    }
  }

  spec {
    replicas = 6

    selector {
      match_labels {
        test = "app-deployment"
      }
    }

    template {
      metadata {
        labels {
          test = "app-deployment"
        }
      }

      spec {
        container {
          image = "toot.eu-west-1.amazonaws.com/app-t:latest"
          name  = "app"
        }
      }
    }
  }
}`

Answer

Leandro Donizetti Soares picture Leandro Donizetti Soares · Mar 14, 2019

Basically you are lacking credentials to pull images from AWS.

You need to create a regcred, which contains the login credentials:

https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

After that you need to add the regcred on your terraform configuration. I have not worked with templates, but in a deploy specification you would add a field called imagePullSecrets.

https://www.terraform.io/docs/providers/kubernetes/r/deployment.html

The imagePullSecrets description:

image_pull_secrets - (Optional) ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored