AWS Elastic Beanstalk with Amazon ECR Docker image

Per https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-instanceprofile.html#iam-instanceprofile-addperms:

  1. Open https://console.aws.amazon.com/iam/home#roles

  2. Choose aws-elasticbeanstalk-ec2-role

  3. On the Permissions tab, choose Attach policies.

  4. Select AmazonEC2ContainerRegistryReadOnly

  5. Choose Attach policy


I'm not sure where it's written, but I needed to actually add the AmazonEC2ContainerRegistryReadOnly policy to aws-elasticbeanstalk-ec2-role. AmazonEC2ContainerRegistryReadOnly contains the GetAuthorizationToken action.
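
An added example, not part of the original posts: a small offline check that reports which ECR pull actions a role's attached policy documents fail to allow, which helps when an instance profile cannot pull an image. The function name and both sample policies are constructed for illustration (the second is not a copy of the AWS managed policy), and the check ignores Resource, Condition and NotAction.

```python
import fnmatch

# Actions an instance needs to pull from ECR: the auth token call named above,
# plus the layer and manifest reads.
PULL_ACTIONS = [
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
]

def _as_list(value):
    # IAM allows Statement and Action to be a single item or a list.
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_pull_actions(policy_documents):
    """Return the PULL_ACTIONS that the given policy documents do not allow.

    An explicit Deny overrides any Allow. Simplification (assumption):
    Resource, Condition and NotAction are not evaluated.
    """
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            patterns = _as_list(stmt.get("Action", []))
            for action in PULL_ACTIONS:
                if _matches(action, patterns):
                    target = allowed if stmt.get("Effect") == "Allow" else denied
                    target.add(action)
    return [a for a in PULL_ACTIONS if a not in allowed or a in denied]

# Constructed sample: a role that only has unrelated S3 permissions.
NO_ECR = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                         "Resource": "*"}]}
# Constructed sample: a read-only ECR policy granting the pull actions.
ECR_READ = {"Statement": [{"Effect": "Allow", "Action": PULL_ACTIONS + [
    "ecr:DescribeRepositories", "ecr:ListImages"], "Resource": "*"}]}

if __name__ == "__main__":
    print("before attach:", missing_pull_actions([NO_ECR]))
    print("after attach: ", missing_pull_actions([NO_ECR, ECR_READ]))
```

To run it against a real role, pass in the policy documents exported from IAM for that role in place of the constructed samples.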