Getting Started With AWS Elastic Container Registry
The AWS Elastic Container Registry (ECR) can be thought of as an alternative to running your own private Docker registry, except that with this, you create a "repository" (not a "registry") for each of your codebases/images, rather than running one registry for all of your Docker builds. This fact, combined with the fact that there are very few stock IAM policies for writing to the ECR, makes me think that instead of being an "alternative" to a Docker registry, this is more aimed at just being a piece attached to AWS CodeDeploy, where it will automatically set up somewhere to build/push to, and you only ever interact with reading from the repositories AWS creates for you.
Prerequisites
- You will need to have installed the AWS CLI tool and configured it with your AWS key and secret.
Steps
When trying to open the elastic container registry through searching all services, one has to type "elastic container..." instead of just ECR.
When using this service for the first time, you will be prompted to create a new repository as shown below. You can always get to this screen later by clicking the button to create a new repository.
- Fill in a name for your repository (you probably want this to be the same as your codebase's "docker image name").
- You can enable automatic scanning when images are pushed to the repository.
- If you want to, you can use the AWS KMS to encrypt the images (in order to use your own custom key), but even if you don't use this, your images are still encrypted.
Once you have chosen your settings, click Create repository.
You will now see your repository in the list when you go to the Elastic container registry service.
If you click on the name of the repository (registry), you will be shown the images that are in that repository.
Get Login Credentials
Before we can push our Docker images to our registry, we are going to need to know the credentials to provide the docker login command.
Click on the View push commands button.
For the next steps, I needed to ensure I had IAM user credentials that had permissions to do everything I needed. A lot of the pre-defined policies didn't appear to have write access to the registry, so I ended up making my own as shown below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ecr:*",
            "Resource": "*"
        }
    ]
}
With a little more effort, you can lock it down to only allow access from specific IP addresses, or to specific repositories, which I would recommend.
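A scoped-down version of the policy above, as an added example rather than the author's own policy: it limits push and pull to the single programster repository in eu-west-2 and to one source network. The account ID 123456789012 and the CIDR 203.0.113.0/24 are placeholders, and the Sid names are made up for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetLoginToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" }
      }
    },
    {
      "Sid": "PushPullOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "arn:aws:ecr:eu-west-2:123456789012:repository/programster",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" }
      }
    }
  ]
}
```

ecr:GetAuthorizationToken does not support resource-level restrictions, which is why that statement keeps "Resource": "*". Servers that only pull need the token statement plus ecr:BatchGetImage and ecr:GetDownloadUrlForLayer, not the upload actions.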
Copy the command from the first line and execute this in your terminal to get the authentication credentials:
You will now be able to push images to the registry. To test this, we can pull the ubuntu image, re-tag it to our repository, and push it like so:
docker pull ubuntu
docker tag ubuntu xxxxxxxxxx.dkr.ecr.eu-west-2.amazonaws.com/programster:latest
docker push xxxxxxxxxx.dkr.ecr.eu-west-2.amazonaws.com/programster:latest
You will see the image get pushed up, and then it will appear in your repository's list of images:
You will now be able to pull that image from other servers that have been granted the login credentials (through docker-login). E.g.
docker pull xxxxxxxxxx.dkr.ecr.eu-west-2.amazonaws.com/programster:latest
First published: 27th September 2020