
I’m struggling to understand what VPC configurations are necessary to enable AWS Batch Jobs, running in a Fargate compute environment, to retrieve images from ECR.

vpc.ts

    // Create VPC
    this.vpc = new ec2.Vpc(this, `VPC-${props.modelContext}-${props.stageName}`, {
      maxAzs: 3, // Maximum number of Availability Zones to use
      natGateways: 1, // Number of NAT Gateways to use
      subnetConfiguration: [
        {
          subnetType: ec2.SubnetType.PUBLIC,
          name: `PublicSubnet-${props.modelContext}-${props.stageName}`,
        },
        {
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
          name: `PrivateSubnet-${props.modelContext}-${props.stageName}`,
        },
      ],
    });

    // Add VPC endpoint for ECR API
    this.ecrApiEndpoint = new ec2.InterfaceVpcEndpoint(
      this,
      `EcrApiEndpoint-${props.modelContext}-${props.stageName}`,
      {
        vpc: this.vpc,
        service: ec2.InterfaceVpcEndpointAwsService.ECR,
      },
    );
    // Add VPC endpoint for ECR Docker
    this.ecrDkrEndpoint = new ec2.InterfaceVpcEndpoint(
      this,
      `EcrDkrEndpoint-${props.modelContext}-${props.stageName}`,
      {
        vpc: this.vpc,
        service: ec2.InterfaceVpcEndpointAwsService.ECR_DOCKER,
      },
    );
    // Optionally, you can add VPC endpoint for CloudWatch Logs if you're logging in a private subnet
    this.cloudwatchLogsEndpoint = new ec2.InterfaceVpcEndpoint(
      this,
      `CloudwatchLogsEndpoint-${props.modelContext}-${props.stageName}`,
      {
        vpc: this.vpc,
        service: ec2.InterfaceVpcEndpointAwsService.CLOUDWATCH_LOGS,
      },
    );

    this.securityGroup = new ec2.SecurityGroup(this, `SecurityGroup-${props.modelContext}-${props.stageName}`, {
      vpc: this.vpc,
      allowAllOutbound: true,
    });
  }
}

However, the error that I get is

CannotPullContainerError: The task cannot pull <image>. There is a connection issue between the task and the registry. Check your task network configuration. : failed to copy: httpReadSeeker: failed open: failed to do request: Get <image>: i/o timeout

So I’m really curious, what more could be needed to enable Tasks to pull images from ECR?

2 Answers


  1. We have a Java example for this that works. That is, the Java API examples will show you how to enable AWS Batch Jobs, running in a Fargate compute environment, to retrieve images from ECR.

    To get a docker image on ECR – follow this example:

    https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javav2/example_code/ecr/src/main/java/com/example/ecr/scenario/ECRScenario.java

    To get the image from ECR to Fargate – see this example:

    https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/batch/src/main/java/com/example/batch/scenario

  2. Make sure the task execution role (not the job role) has permissions to pull from ECR.

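An added example that ties the question's stack and answer 2 together; it is not code from the question, the answers, or AWS. The posted VPC puts everything except the public subnets into PRIVATE_ISOLATED subnets, which have no route to the NAT gateway, so every service the image pull touches must be reachable through a VPC endpoint. Besides the ecr.api and ecr.dkr interface endpoints, a pull also fetches image layers from S3, and an S3 gateway endpoint is the piece the posted stack lacks (an `i/o timeout` on the layer fetch is consistent with the task trying to reach S3's public address from a subnet with no egress). The execution role then needs the ECR pull actions, as answer 2 says. The check below runs over a synthesized CloudFormation template (what `cdk synth` emits) and reports what is missing; the templates and logical IDs are constructed for illustration.

```typescript
// Added example, not code from the question or the answers. Checks a synthesized
// CloudFormation template for what a Fargate task in a subnet with no internet
// route needs to pull from ECR. Templates below are constructed; IDs are hypothetical.

type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

const REQUIRED_ENDPOINTS: Array<{ suffix: string; type: "Interface" | "Gateway" }> = [
  { suffix: ".ecr.api", type: "Interface" }, // ECR control plane: auth token, manifest
  { suffix: ".ecr.dkr", type: "Interface" }, // Docker registry API used by the pull
  { suffix: ".s3", type: "Gateway" },        // image layers are fetched from S3
  { suffix: ".logs", type: "Interface" },    // awslogs driver, if the job logs to CloudWatch
];

// Minimum ECR actions the task execution role needs for an image pull.
const REQUIRED_ECR_ACTIONS = [
  "ecr:GetAuthorizationToken",
  "ecr:BatchCheckLayerAvailability",
  "ecr:GetDownloadUrlForLayer",
  "ecr:BatchGetImage",
];
const ECS_EXEC_MANAGED_POLICY = "AmazonECSTaskExecutionRolePolicy";

// CDK emits region-dependent strings as Fn::Join; keep the literal parts so that
// "com.amazonaws.<region>.ecr.api" can still be matched by suffix.
function flattenJoin(v: any): string {
  if (typeof v === "string") return v;
  if (v && Array.isArray(v["Fn::Join"])) {
    const [sep, parts] = v["Fn::Join"];
    return (parts as any[]).map(flattenJoin).join(sep);
  }
  return "";
}

function resources(t: Template): Resource[] {
  const out: Resource[] = [];
  for (const id in t.Resources) out.push(t.Resources[id]);
  return out;
}

function findMissingEndpoints(t: Template): string[] {
  const endpoints = resources(t).filter((r) => r.Type === "AWS::EC2::VPCEndpoint");
  return REQUIRED_ENDPOINTS.filter((req) =>
    !endpoints.some((e) => {
      const p = e.Properties ?? {};
      const type = p.VpcEndpointType ?? "Interface"; // CloudFormation default
      if (!flattenJoin(p.ServiceName).endsWith(req.suffix) || type !== req.type) return false;
      // A gateway endpoint only takes effect through route table entries; an interface
      // endpoint only answers for the service's normal hostname when private DNS is on.
      return req.type === "Gateway"
        ? Array.isArray(p.RouteTableIds) && p.RouteTableIds.length > 0
        : p.PrivateDnsEnabled !== false;
    })
  ).map((req) => `${req.type} endpoint for *${req.suffix}`);
}

function executionRoleCanPull(t: Template, roleId: string): boolean {
  const role = t.Resources[roleId];
  if (!role || role.Type !== "AWS::IAM::Role") return false;
  const p = role.Properties ?? {};
  if ((p.ManagedPolicyArns ?? []).some((a: any) => flattenJoin(a).endsWith(ECS_EXEC_MANAGED_POLICY))) return true;
  // Otherwise collect Allow statements from inline policies and from AWS::IAM::Policy
  // resources attached to this role.
  const statements: any[] = [];
  for (const pol of p.Policies ?? []) statements.push(...(pol.PolicyDocument?.Statement ?? []));
  for (const r of resources(t)) {
    if (r.Type === "AWS::IAM::Policy" && (r.Properties?.Roles ?? []).some((x: any) => x?.Ref === roleId)) {
      statements.push(...(r.Properties?.PolicyDocument?.Statement ?? []));
    }
  }
  const allowed = new Set<string>();
  for (const s of statements) {
    if (s.Effect !== "Allow") continue;
    for (const a of ([] as any[]).concat(s.Action ?? [])) if (typeof a === "string") allowed.add(a);
  }
  return REQUIRED_ECR_ACTIONS.every((a) => allowed.has(a) || allowed.has("ecr:*") || allowed.has("*"));
}

function report(t: Template, roleId: string): string[] {
  const problems = findMissingEndpoints(t);
  if (!executionRoleCanPull(t, roleId)) problems.push(`execution role ${roleId} cannot pull from ECR`);
  return problems;
}

// Constructed stand-in for the question's stack: ecr.api, ecr.dkr and logs interface
// endpoints, no S3 gateway, and an execution role that only carries the ECS trust policy.
const iface = (suffix: string): Resource => ({
  Type: "AWS::EC2::VPCEndpoint",
  Properties: {
    VpcId: { Ref: "Vpc" }, VpcEndpointType: "Interface", PrivateDnsEnabled: true,
    ServiceName: { "Fn::Join": ["", ["com.amazonaws.", { Ref: "AWS::Region" }, suffix]] },
    SubnetIds: [{ Ref: "PrivateSubnet1" }],
  },
});
const QUESTION_TEMPLATE: Template = { Resources: {
  EcrApiEndpoint: iface(".ecr.api"), EcrDkrEndpoint: iface(".ecr.dkr"), LogsEndpoint: iface(".logs"),
  ExecRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: { Statement: [
    { Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "ecs-tasks.amazonaws.com" } } ] } } },
} };

// The same stack with both fixes: an S3 gateway endpoint on the isolated subnets' route
// table and the AWS managed ECS task execution policy on the execution role.
const FIXED_TEMPLATE: Template = { Resources: {
  ...QUESTION_TEMPLATE.Resources,
  S3Endpoint: { Type: "AWS::EC2::VPCEndpoint", Properties: {
    VpcId: { Ref: "Vpc" }, VpcEndpointType: "Gateway",
    ServiceName: { "Fn::Join": ["", ["com.amazonaws.", { Ref: "AWS::Region" }, ".s3"]] },
    RouteTableIds: [{ Ref: "PrivateSubnet1RouteTable" }] } },
  ExecRole: { Type: "AWS::IAM::Role", Properties: { ...QUESTION_TEMPLATE.Resources.ExecRole.Properties,
    ManagedPolicyArns: [{ "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" },
      ":iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]] }] } },
} };

console.log(report(QUESTION_TEMPLATE, "ExecRole")); // [ 'Gateway endpoint for *.s3', 'execution role ExecRole cannot pull from ECR' ]
console.log(report(FIXED_TEMPLATE, "ExecRole"));    // []
```

Run it against the JSON that `cdk synth` writes under `cdk.out/` before deploying; the `.logs` entry only matters if the job definition uses the awslogs driver, which the question's stack suggests it does. The interface-endpoint security group is not checked here because the CDK construct used in the question opens port 443 to the VPC CIDR by default.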