Solution for ECR Connection Error After Changing VPC Settings with S3 Endpoint on AWS

Tadashi Shigeoka ·  Thu, March 30, 2023

I’d like to introduce a solution for the ECR connection error that occurs after changing VPC settings with an S3 endpoint configured on AWS.


Background: CannotPullContainerError

CannotPullContainerError: ref pull has been retried 1 time(s): 
failed to copy: httpReadSeeker: 
failed open: unexpected status code https://xxx.dkr.ecr.ap-northeast-1.amazonaws.com/v2/xxx/blobs/sha256:xxx: 
403 Forbidden

Cause: ECR Image Layers Are Stored in S3

Upon investigation, it appears that Fargate accesses an S3 bucket called prod-***REGION***-starport-layer-bucket to retrieve container images from ECR, so this bucket is the actual ECR storage. Reference: https://docs.aws.amazon.com/ja_jp/AmazonECR/latest/userguide/vpc-endpoints.html#ecr-setting-up-s3-gateway

Source: S3へのEndpointが設定されているVPCでECS(Fargate)を使う場合の注意点 (Points to note when using ECS (Fargate) in a VPC with an S3 endpoint configured) - Qiita

Amazon ECR uses Amazon S3 to store image layers, so a gateway endpoint is required. Containers downloading images from Amazon ECR must access Amazon ECR to retrieve the image manifest and then access Amazon S3 to download the actual image layers.

Source: Amazon ECR interface VPC endpoints (AWS PrivateLink) - Amazon ECR
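As an added example (not from the original post, Qiita or AWS), the following Python check reads an S3 gateway endpoint policy and reports whether it lets Fargate fetch ECR image layers from the prod-<region>-starport-layer-bucket named above, then appends the Allow statement the AWS documentation prescribes for that bucket. The restrictive policy and the bucket name example-app-bucket are constructed; the region ap-northeast-1 is taken from the error message in the post.

```python
import fnmatch
import json

# Constructed example: an S3 gateway endpoint policy locked to one application
# bucket. Fargate's pull of ECR image layers then fails with 403 Forbidden
# because no Allow covers the layer bucket.
RESTRICTIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppBucketOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::example-app-bucket/*"],
    }],
})

def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def allows_ecr_layer_pull(policy_json, region):
    """True if the policy lets s3:GetObject reach ECR's layer bucket (simplified:
    an explicit Deny wins, else any matching Allow; NotAction, NotResource and
    Condition are not handled). IAM wildcards are mapped onto fnmatch."""
    layer_object = f"arn:aws:s3:::prod-{region}-starport-layer-bucket/layer"
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # Action names are case-insensitive in IAM; ARNs are case-sensitive.
        hits_action = any(fnmatch.fnmatchcase("s3:getobject", a.lower())
                          for a in _as_list(stmt.get("Action", [])))
        hits_resource = any(fnmatch.fnmatchcase(layer_object, r)
                            for r in _as_list(stmt.get("Resource", [])))
        if not (hits_action and hits_resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def add_ecr_layer_statement(policy_json, region):
    """Append the Allow statement AWS documents for ECR layer pulls."""
    policy = json.loads(policy_json)
    policy["Statement"] = _as_list(policy.get("Statement", [])) + [{
        "Sid": "AllowEcrLayerBucket", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": [f"arn:aws:s3:::prod-{region}-starport-layer-bucket/*"],
    }]
    return json.dumps(policy, indent=2)
```

Run the check against the policy attached to your endpoint before and after the change; the restrictive policy above reports False and the amended one True.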

That’s all from the Gemba, where I resolved the ECR connection error after changing VPC settings with an S3 endpoint on AWS.