Description
Problem
When using the new ECR endpoints (like _accountid_.dkr-ecr._region_.on.aws) to pull an image to an ECS Task running on Fargate, instead of the old style _accountid_.dkr.ecr._region_.amazonaws.com, the authentication against the registry is not attempted and the deployment fails.
The Task Execution Role has the AWS managed Policy AmazonECSTaskExecutionRolePolicy attached to it, which grants image/container pull access to any ECR registry ("Resource": "*").
I suspect ECS has a fixed list of Endpoint Patterns which are expected to be ECR registries, however the newer style pattern is not yet added?
Expectation
ECS should use the Roles given to it in the Task Execution role when pulling images from an ECR registry, even if a new style Endpoint URL is used.
CannotPullContainerError: pull image manifest has been retried 1 time(s): failed to resolve ref _accountid_.dkr-ecr._region_.on.aws/_myimage_:_mytag_: pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials
Announcement for new ipv6 endpoints: https://aws.amazon.com/about-aws/whats-new/2025/05/amazon-ecr-support-ipv6/
Documentation: https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-requests.html
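
To find task definitions affected by the behaviour reported above, the following added example (not part of the original report, and not ECS code) classifies each container image by the two hostname styles quoted in the report and lists those using the new-style endpoint. The 12-digit account id, the region character set, and the sample task definition are assumptions constructed for illustration.

```python
import re

# Hostname shapes as quoted in the report; a 12-digit account id is assumed.
LEGACY = re.compile(r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")
DUALSTACK = re.compile(r"^(?P<account>\d{12})\.dkr-ecr\.(?P<region>[a-z0-9-]+)\.on\.aws$")


def registry_host(image_ref):
    """Return the registry host of an image reference, or None for short names."""
    first, sep, _ = image_ref.partition("/")
    # Docker convention: the first path component is a host only if it
    # contains a dot or a colon, or is "localhost".
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return None


def classify(image_ref):
    """Return (style, account, region); style is ecr-legacy, ecr-dualstack or other."""
    host = registry_host(image_ref)
    if host is not None:
        for style, pattern in (("ecr-legacy", LEGACY), ("ecr-dualstack", DUALSTACK)):
            m = pattern.match(host)
            if m:
                return (style, m["account"], m["region"])
    return ("other", None, None)


def audit_task_definition(task_def):
    """List (container name, image) pairs that pull from a new-style endpoint."""
    return [
        (c["name"], c["image"])
        for c in task_def.get("containerDefinitions", [])
        if classify(c["image"])[0] == "ecr-dualstack"
    ]


# Constructed sample task definition (account id and names are made up).
SAMPLE = {
    "family": "demo",
    "containerDefinitions": [
        {"name": "web", "image": "123456789012.dkr-ecr.eu-central-1.on.aws/myimage:mytag"},
        {"name": "worker", "image": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/myimage:mytag"},
        {"name": "proxy", "image": "nginx:latest"},
    ],
}

if __name__ == "__main__":
    for name, image in audit_task_definition(SAMPLE):
        print(f"{name}: {image} uses the new-style ECR endpoint")
```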