Solution for ECR Connection Error After Changing VPC Settings with S3 Endpoint on AWS
I’d like to introduce a solution for the ECR connection error that occurs after changing VPC settings with an S3 endpoint configured on AWS.
CannotPullContainerError: ref pull has been retried 1 time(s):
failed to copy: httpReadSeeker:
failed open: unexpected status code https://xxx.dkr.ecr.ap-northeast-1.amazonaws.com/v2/xxx/blobs/sha256:xxx:
403 Forbidden
Upon investigation, it turns out that Fargate accesses an S3 bucket named prod-***REGION***-starport-layer-bucket to retrieve container image layers from ECR; this bucket is where ECR actually stores the layers, so the VPC's S3 gateway endpoint has to permit access to it.
Reference: https://docs.aws.amazon.com/ja_jp/AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-s3-gateway
Source: Points to note when using ECS (Fargate) in a VPC with an S3 endpoint configured - Qiita
Amazon ECR uses Amazon S3 to store image layers, so a gateway endpoint is required. Containers downloading images from Amazon ECR must access Amazon ECR to retrieve the image manifest and then access Amazon S3 to download the actual image layers.
Source: Amazon ECR interface VPC endpoints (AWS PrivateLink) - Amazon ECR
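As an added example (not part of the original post), here is a small Python check of an S3 gateway endpoint policy: the first policy is a constructed sample locked down to a hypothetical application bucket, which is the kind of setting that produces the 403 above, and the second adds the statement the ECR VPC endpoint documentation calls for, s3:GetObject on the regional layer bucket. The region ap-northeast-1 is taken from the ECR hostname in the error message; everything else is assumed.

```python
import fnmatch
import json

# Region from the ECR hostname in the error above; the ECR layer bucket
# follows the pattern prod-<region>-starport-layer-bucket.
REGION = "ap-northeast-1"
LAYER_BUCKET = f"prod-{REGION}-starport-layer-bucket"

# Constructed sample: the only statement in a locked-down endpoint policy.
APP_STATEMENT = {
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::my-app-bucket/*",  # hypothetical bucket
}
# The statement from the AWS docs that lets Fargate fetch ECR layers.
LAYER_STATEMENT = {
    "Sid": "Access-to-ECR-layer-bucket",
    "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{LAYER_BUCKET}/*",
}
RESTRICTIVE_POLICY = {"Version": "2012-10-17", "Statement": [APP_STATEMENT]}
FIXED_POLICY = {"Version": "2012-10-17",
                "Statement": [APP_STATEMENT, LAYER_STATEMENT]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    # IAM actions are case-insensitive; '*' wildcards are allowed in both fields.
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatch.fnmatch(action, a) for a in actions)
            and any(fnmatch.fnmatch(resource, r) for r in resources))


def allows_ecr_layer_pull(policy, region=REGION):
    """True if the endpoint policy lets s3:GetObject reach the ECR layer bucket.
    Simplified IAM evaluation: an explicit Deny wins, otherwise any Allow suffices.
    Accepts a dict or the JSON string returned by describe-vpc-endpoints."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    action = "s3:getobject"
    resource = f"arn:aws:s3:::prod-{region}-starport-layer-bucket/some-layer"
    statements = _as_list(policy["Statement"])
    if any(s["Effect"] == "Deny" and _matches(s, action, resource) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action, resource) for s in statements)
```

Run the check against the policy document of the VPC's S3 gateway endpoint before and after the change; a False result for the region your ECR repository lives in matches the 403 seen above.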
That's all from the field, where I resolved the ECR connection error after changing VPC settings with an S3 endpoint on AWS.