ampiy closed this issue 2 years ago
Reverted to using ecr public repos and everything seems fine now.
Hi @ampiy 👋
I'm glad you got the issue resolved! This issue seems related to https://github.com/aws/copilot-cli/issues/2755, which would allow the creation of additional policies for the build project's role.
However, I think for this particular use case, if you add the AWS tag copilot-application: <your application name>
then the build phase should be able to pull the image (see Condition here):
https://github.com/aws/copilot-cli/blob/598988c7bc18bd22db87ebafc8909de0fbd335bf/internal/pkg/template/templates/cicd/pipeline_cfn.yml#L90-L106
Hi,
I moved from using Docker images to ECR images. However, I'm getting pull access denied during the build.
pull access denied for <ACCID>.dkr.ecr.<REGION>.amazonaws.com/redis, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::<ACCID>:assumed-role/pipeline-<PipelineName>-BuildProjectRole-<ROLEID>/AWSCodeBuild-<ID> is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:<REGION>:<ACCID>:repository/redis because no identity-based policy allows the ecr:BatchGetImage action
How do I modify the buildspec to allow pull access to the repos? Should I change anything in the ECR repos' permissions? Also, would making the ECR repo public make the problem go away?