Coder.com, 10mo ago
12 replies
David

EKS/ECR envbuilder layer cache

I'm trying to set up devcontainer layer caching. I started out with the aws-devcontainer starter template, and I have a repo in ECR which I have filled in to the "cache_repo" variable. But when I start the workspace, I see the following:

Failed to find cached image in repository "[aws-acct-id].dkr.ecr.us-west-2.amazonaws.com/envbuilder-cache". It will be rebuilt in the next apply. Error: failed to fetch the envbuilder binary from the builder image: check remote image: check remote image: GET https://[aws-acct-id].dkr.ecr.us-west-2.amazonaws.com/v2/custom-envbuilder/manifests/latest: unexpected status code 401 Unauthorized: Not Authorized


As this is coming from Terraform, this is running in the coder pod, which is running with the "coder" service account. I have a pod identity association that should be giving this service account access to ECR, with full read access and write to the envbuilder-cache repo.

I had a hypothesis that the pod identity association was not sufficient to access ECR, only to retrieve credentials. So I adjusted the template to add a data "aws_ecr_authorization_token" and to use that to render a docker_config_base64 for the "envbuilder_cached_image":

I can see with coder state pull that it is getting an authorization token. Yet the 401 error persists.

Anything I should be checking?
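
One way to check the rendered docker_config_base64 value mentioned in the post above (an added example, not part of the original post or the Coder template): it confirms the value decodes to a Docker config with an "auths" entry for the ECR host whose "auth" field decodes to AWS:<password>, the form an ECR authorization token takes. The function name, registry host and sample values are constructed for illustration.

```python
import base64
import json


def check_docker_config(docker_config_b64, registry_host):
    """Return a list of problems; an empty list means the config looks usable."""
    try:
        config = json.loads(base64.b64decode(docker_config_b64, validate=True))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return [f"not base64-encoded JSON: {exc}"]
    if not isinstance(config, dict):
        return ["decoded value is not a JSON object"]
    auths = config.get("auths", {})
    entry = None
    for key, value in auths.items():
        # Registry keys may be written with or without a scheme.
        if key.split("://", 1)[-1].rstrip("/") == registry_host:
            entry = value
    if entry is None:
        return [f"no auths entry for {registry_host}; found {sorted(auths)}"]
    try:
        decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode()
    except ValueError:
        return ["auth field is not valid base64 text"]
    user, sep, password = decoded.partition(":")
    if not sep or not password:
        # Also what a token that was base64-encoded twice looks like.
        return ["auth does not decode to user:password"]
    if user != "AWS":
        return [f"user is {user!r}, ECR tokens use 'AWS'"]
    return []


def _encode(obj):
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample values (not real credentials or a real account id).
REGISTRY = "123456789012.dkr.ecr.us-west-2.amazonaws.com"
TOKEN = base64.b64encode(b"AWS:constructed-password").decode()
GOOD = _encode({"auths": {REGISTRY: {"auth": TOKEN}}})
DOUBLE = _encode(
    {"auths": {REGISTRY: {"auth": base64.b64encode(TOKEN.encode()).decode()}}}
)
WRONG_HOST = _encode({"auths": {"https://index.docker.io/v1/": {"auth": TOKEN}}})

if __name__ == "__main__":
    for name, cfg in [("good", GOOD), ("double", DOUBLE), ("wrong host", WRONG_HOST)]:
        print(name, check_docker_config(cfg, REGISTRY))
```
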