docker amazon-ecr

Pushing an image to ECR, getting "Retrying in ... seconds"


I recently created a new repository in AWS ECR, and I'm attempting to push an image. I'm copy/pasting the directions provided via the "View push commands" button on the repository page. I'll copy those here for reference:

  1. aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 123456789.dkr.ecr.us-west-2.amazonaws.com

("Login succeeded")

  2. docker build -t myorg/myapp .

  3. docker tag myorg/myapp:latest 123456789.dkr.ecr.us-west-2.amazonaws.com/myorg/myapp:latest

  4. docker push 123456789.dkr.ecr.us-west-2.amazonaws.com/myorg/myapp:latest

However, when I get to the docker push step, I see:

> docker push 123456789.dkr.ecr.us-west-2.amazonaws.com/myorg/myapp:latest
The push refers to repository [123456789.dkr.ecr.us-west-2.amazonaws.com/myorg/myapp]

a53c8ed5f326: Retrying in 1 second 
78e16537476e: Retrying in 1 second 
b7e38d172e62: Retrying in 1 second 
f1ff72b2b1ca: Retrying in 1 second 
33b67aceeff0: Retrying in 1 second 
c3a550784113: Waiting 
83fc4b4db427: Waiting 
e8ade0d39f19: Waiting 
487d5f9ec63f: Waiting 
b24e42eb9639: Waiting 
9262398ff7bf: Waiting 
804aae047b71: Waiting 
5d33f5d87bf5: Waiting 
4e38024e7e09: Waiting
EOF

I'm wondering if this has something to do with the permissions/policies associated with this repository. Right now there are no statements attached to this repository. Is that the missing part? If so, what would that statement look like? I've tried this, but it had no effect:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPutImage",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": "ecr:PutImage"
    }
  ]
}

Bonus Points: I eventually want to use this in a CDK CodeBuildAction. I was getting the same error as above, so I checked to see if I was getting the same result in my local terminal, which I am. So if the policy statement needs to be different for use in the CDK CodeBuildAction, those details would be appreciated as well.

Thank you in advance for any advice.


Solution

  • I was having the same problem when trying to upload the image manually using the AWS and Docker CLI. I was able to fix it by going into ECR -> Repositories -> Permissions then adding a new policy statement with principal:* and the following actions:

    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
    "ecr:CompleteLayerUpload",
    "ecr:GetDownloadUrlForLayer",
    "ecr:InitiateLayerUpload",
    "ecr:PutImage",
    "ecr:UploadLayerPart"
    

    Be sure to add more restrictive principals. I was just trying to see if permissions were the problem in this case and sure enough they were.
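Added example (not part of the original question or answer): an offline check of an ECR repository policy document that reports which push actions from the answer's list no Allow statement grants, and which Allow statements are open to any principal. The function names and the `AnswerStatement` Sid are assumptions, and only the repository policy is examined, not the caller's IAM identity policy.

```python
import json
from fnmatch import fnmatchcase

# Actions from the answer's list that a push uses; the other two
# (BatchGetImage, GetDownloadUrlForLayer) are used when pulling.
PUSH_ACTIONS = (
    "ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage",
)

def _as_list(value):
    """Policy JSON allows a bare string wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    """True for "Principal": "*" and for {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def audit_repo_policy(policy_json):
    """Return (push actions no Allow grants, Sids of Allows open to anyone)."""
    # Simplified: Deny, NotAction and Condition elements are not evaluated.
    granted, open_sids = set(), []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        # Action names are case-insensitive and may contain * and ? globs.
        granted.update(a for a in PUSH_ACTIONS
                       if any(fnmatchcase(a.lower(), p) for p in patterns))
        if _is_wildcard(stmt.get("Principal")):
            open_sids.append(stmt.get("Sid", "<no Sid>"))
    return [a for a in PUSH_ACTIONS if a not in granted], open_sids

# Constructed inputs: the question's policy, and the answer's statement
# (the Sid "AnswerStatement" is a made-up label).
QUESTION_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "AllowPutImage", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789:root"},
    "Action": "ecr:PutImage"}]})
ANSWER_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [{
    "Sid": "AnswerStatement", "Effect": "Allow", "Principal": "*",
    "Action": [*PUSH_ACTIONS, "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]})

if __name__ == "__main__":
    print(audit_repo_policy(QUESTION_POLICY), audit_repo_policy(ANSWER_POLICY))
```

For a live repository, the same function can be fed the `policyText` string returned by `aws ecr get-repository-policy`.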