Wondering how to update private repository credentials on the ECS container agent? We can help you.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us discuss how we can do this.
How to update private repository credentials on the ECS container agent?
You can supply private repository credentials to the Amazon ECS container agent either with Secrets Manager in your task definition or with environment variables.
Today, let us see the steps followed by our Support Techs to perform the task.
Update your private repository credentials with Secrets Manager
1. Firstly, open the Secrets Manager console.
2. Choose your secret, and then choose Retrieve secret value.
3. Then, choose Edit.
4. Update the stored credentials for your private registry, and then choose Save.
To continue, follow the steps in the Test your updated private repository credentials section.
Update your private repository credentials with environment variables
1. Firstly, connect to your container instance.
2. To find out how you’re supplying Docker credentials to your ECS container agent, run the following command:
$ cat /etc/ecs/ecs.config
This command returns the contents of the /etc/ecs/ecs.config file.
If the ECS_ENGINE_AUTH_TYPE variable is set to docker, then you’re passing your Docker credentials to your ECS container agent directly, in plaintext.
You should avoid this approach.
Instead, use Secrets Manager, or the dockercfg format approach in the Get a new Docker authentication value section.
If the ECS_ENGINE_AUTH_TYPE variable is set to dockercfg, then you’re passing your Docker credentials as an authentication value generated by the docker login command.
To continue this approach, complete the steps in the Get a new Docker authentication value section.
Get a new Docker authentication value
1. To log in to Docker locally, run the following command, and then enter your new credentials:
$ docker login
2. To display the contents of your config.json file, run the following command, and then copy the Docker-generated authentication key value:
$ cat ~/.docker/config.json
3. To update the ECS_ENGINE_AUTH_DATA variable, run the following command:
$ sudo vi /etc/ecs/ecs.config
4. In the vi editor, update the value of the ECS_ENGINE_AUTH_DATA variable to the Docker authentication key value from step 2. For example:
ECS_CLUSTER=TestECSCluster
ECS_ENGINE_AUTH_TYPE=dockercfg
ECS_ENGINE_AUTH_DATA={"https://index.docker.io/v1/":{"auth":"a2vpdGhhd3M6UGFzc3dvcmQ="}}
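As an added example (not part of the original article), the following Python check can be run against the contents of ecs.config before the agent is restarted: it confirms that ECS_ENGINE_AUTH_DATA parses as JSON and that each auth value decodes to user:password form, without ever printing the credential. The function names and sample configs are assumptions constructed for illustration; note that the auth value is Base64-encoded, not encrypted, so the file still needs restrictive permissions.

```python
import base64
import json

# Constructed sample credential (not a real account), encoded as docker login stores it.
SAMPLE_AUTH = base64.b64encode(b"exampleuser:example-password").decode()
HEAD = "ECS_CLUSTER=TestECSCluster\nECS_ENGINE_AUTH_TYPE=dockercfg\nECS_ENGINE_AUTH_DATA="
GOOD_CONFIG = HEAD + '{"https://index.docker.io/v1/":{"auth":"' + SAMPLE_AUTH + '"}}\n'
# Constructed malformed variant: a comma where the colon after "auth" belongs.
MALFORMED_CONFIG = HEAD + '{"https://index.docker.io/v1/":{"auth","' + SAMPLE_AUTH + '"}}\n'

def parse_ecs_config(text):
    """Parse the KEY=VALUE lines of an ecs.config file into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_registry_auth(text):
    """Return a list of findings (empty means OK); never echoes the secret."""
    conf = parse_ecs_config(text)
    auth_type = conf.get("ECS_ENGINE_AUTH_TYPE")
    if auth_type == "docker":
        return ["ECS_ENGINE_AUTH_TYPE=docker: credentials are stored in plaintext"]
    if auth_type != "dockercfg":
        return [f"ECS_ENGINE_AUTH_TYPE is {auth_type!r}, expected dockercfg"]
    try:
        data = json.loads(conf.get("ECS_ENGINE_AUTH_DATA", ""))
    except json.JSONDecodeError as exc:
        return [f"ECS_ENGINE_AUTH_DATA is not valid JSON ({exc.msg})"]
    if not isinstance(data, dict) or not data:
        return ["ECS_ENGINE_AUTH_DATA has no registry entries"]
    findings = []
    for registry, entry in data.items():
        auth = entry.get("auth") if isinstance(entry, dict) else None
        try:
            raw = base64.b64decode(str(auth or ""), validate=True)
            user, sep, password = raw.decode("utf-8").partition(":")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            findings.append(f"{registry}: auth is not valid Base64 text")
            continue
        if not (user and sep and password):
            findings.append(f"{registry}: auth does not decode to user:password")
    return findings

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("malformed", MALFORMED_CONFIG)):
        print(name, audit_registry_auth(cfg) or "OK")
```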
To continue, follow the steps in the Restart your ECS container agent section.
Restart your ECS container agent
To restart your ECS container agent, run one of the following commands, depending on the Amazon Machine Image (AMI) that your container instances are running on.
Amazon Linux ECS-optimized AMIs:
$ sudo stop ecs && sudo start ecs
Amazon Linux 2 ECS-optimized AMIs:
$ sudo systemctl restart ecs
To continue, follow the steps in the Test your updated private repository credentials section.
Test your updated private repository credentials
The following steps assume that you’re deploying an updated image across your cluster.
1. Firstly, open the Amazon ECS console.
2. In the navigation pane, choose Clusters, and then select your cluster.
3. Select your service, then choose Update.
4. Next, select the Force new deployment check box.
5. For Minimum healthy percent, enter 50.
6. Complete the remaining steps in the setup wizard, and then choose Update Service.
7. Then, choose View Service.
8. On the Deployments tab, view the new deployment.
Amazon ECS gradually stops tasks under the previous deployment, and then restarts the tasks under the new deployment while attempting a fresh image pull.
9. Choose the Tasks tab, and then check each individual task and its status.
If the task status is set to Running, then the service updated this task successfully without error.
If the task status is set to Running (CannotPullContainerError), then the service updated this task, but there’s an error.
The ECS container agent can’t pull a new container image and is using the old cached image.
Verify that your credentials were updated, and then perform another service deployment update.
Conclusion
In short, we saw how our Support Techs update private repository credentials on the ECS container agent.