Working with Elastic Container Registry (ECR) – Covering Basics

Amazon Elastic Container Registry (ECR) is a managed container registry service in Amazon Web Services (AWS). ECR provides both private and public repositories for storing container images, and it integrates with the AWS CLI to push, pull and manage Docker images, Open Container Initiative (OCI) images and OCI-compatible artifacts. Public and private ECR offer almost the same feature set; the difference is who is allowed to talk to them. A private registry requires every push and pull to be authenticated with AWS credentials, which is what enterprises usually want, while a public registry allows anonymous pulls (pushes still require authentication). This is the first in a series of blog posts on Amazon ECR, covering the basics of getting started. Later posts will cover operating and using other ECR features, security and monitoring considerations, and some automation.

Components of Amazon ECR

Amazon ECR contains the following components:

  • Registry – Each AWS account is given an Amazon ECR registry (one per region, addressed as aws_account_id.dkr.ecr.region.amazonaws.com); you create image repositories in your registry and store images in them.
  • Authorization token – Your client must authenticate to an Amazon ECR registry as an AWS IAM principal before it can push or pull images. The token is temporary and is obtained with the AWS CLI (see below).
  • Repository – An Amazon ECR image repository holds your Docker images, OCI images and OCI-compatible artifacts.
  • Repository policy – A resource-based policy that controls access to a repository and the images in it. It works alongside the IAM identity-based policies attached to users and roles.
  • Image – The container image itself, addressed by tag and by content digest.

Basic Setup for ECR

Create an IAM User

Like other AWS services, ECR requires you to authenticate to AWS first so that it can determine whether you are authorized to perform the actions you request. So the first step is to create an IAM user for container management that is separate from your AWS root account, and grant it only the ECR permissions it needs rather than administrator access. (For day-to-day work, short-lived credentials from an IAM role or IAM Identity Center are preferable to a user with long-lived access keys; this post uses an IAM user to keep the setup simple.) Once it is created, sign out and sign in as the new IAM user using the following URL:

https://your_aws_account_id.signin.aws.amazon.com/console/

Setup Access Keys to Configure AWS CLI

In the user's settings, go to My Security Credentials, then the section Access keys for CLI, SDK, & API access, and select Create access key:

Copy the access key ID and the secret access key before you close the credentials pop-up window; the secret is not shown again. Keep it in the AWS CLI credentials file or a secrets manager, never in a script or a source repository.

Configure AWS CLI

On the command line, run aws configure. It prompts for the access key ID and the secret access key; enter the values from the previous step. It is also a good idea to set a default AWS region, since every ECR command and registry URL is region-specific.

Basic operations with Elastic Container Registry

Creating an ECR Repository

In its simplest form, we can create an ECR repository by providing only the repository name. For example:

aws ecr create-repository --repository-name mgoyal-demo-dev

We can set more options at creation time, such as tag immutability, scan-on-push and encryption, using the additional flags shown in the CLI synopsis below. For any repository that feeds deployments, IMMUTABLE tags and scanOnPush=true are the sensible defaults: immutability prevents a tag from being silently re-pointed at a different image, and scan-on-push flags known vulnerabilities as soon as an image lands:

create-repository
    --repository-name 
    [--tags ]
    [--image-tag-mutability ]
    [--image-scanning-configuration ]
    [--encryption-configuration ]
    [--cli-input-json | --cli-input-yaml]
    [--generate-cli-skeleton ]

Once it is created, you can open the AWS console and review the details. Alternatively, create the repository from the console itself.

Authenticate to ECR

Before we can push images using the AWS CLI, we need to authenticate with aws ecr get-login-password. This command prints a temporary authorization token, which we pipe into docker login along with the registry URI, the username AWS and the region:

aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com

Replace region and aws_account_id with your own values. The token is valid for 12 hours per registry. It is passed via --password-stdin so that it never appears on the command line or in shell history; avoid the older pattern of passing it with -p. Docker keeps the token in ~/.docker/config.json until it expires; on build hosts the amazon-ecr-credential-helper can fetch tokens on demand instead of storing them.

Tag and Push a Docker Image to ECR

Before you can push a container image to ECR, you need to tag it with the full ECR repository URI using docker tag. You also need a local image to push; for this post we use the official Amazon Linux 2 image, so run docker pull amazonlinux:2 first if you do not already have it. Replace aws_account_id, region and the repository name with your own:

docker tag amazonlinux:2 123412341234.dkr.ecr.ap-south-1.amazonaws.com/mgoyal-demo-dev:amazonlinux
docker push 123412341234.dkr.ecr.ap-south-1.amazonaws.com/mgoyal-demo-dev:amazonlinux
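The whole procedure so far (create the repository, log in, tag, push), as an added example script that is not part of the original post. It creates the repository with hardened settings, captures the digest that docker push reports, and then pulls the image by that digest instead of by tag, so the pull is pinned to exact content. Assumed values: account 123412341234, region ap-south-1, repository mgoyal-demo-dev, local image amazonlinux:2; the ECR_RUN environment variable is a hypothetical guard so the functions can be sourced without running anything.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed account, region,
# repository and local image are below and can be overridden via environment.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123412341234}"
REGION="${REGION:-ap-south-1}"
REPO="${REPO:-mgoyal-demo-dev}"
LOCAL_IMAGE="${LOCAL_IMAGE:-amazonlinux:2}"
TAG="${TAG:-amazonlinux}"

# Registry hostname for an account/region pair.
registry_host() {
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Create the repository with immutable tags (a pushed tag cannot be re-pointed
# at different content), vulnerability scanning on every push, and AES-256
# encryption at rest (use encryptionType=KMS,kmsKey=<key arn> for a CMK).
create_repository() {
  aws ecr create-repository \
    --region "$REGION" \
    --repository-name "$REPO" \
    --image-tag-mutability IMMUTABLE \
    --image-scanning-configuration scanOnPush=true \
    --encryption-configuration encryptionType=AES256
}

# Authenticate Docker to the registry. The token travels on stdin, so it is
# not visible in the process list or shell history; it expires after 12 hours.
ecr_login() {
  aws ecr get-login-password --region "$REGION" \
    | docker login --username AWS --password-stdin "$(registry_host "$ACCOUNT_ID" "$REGION")"
}

# Extract the sha256 digest from the final "digest: sha256:... size: N" line
# that docker push prints. Reads stdin, prints the digest or nothing.
digest_from_push_output() {
  sed -n 's/.*digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | tail -n 1
}

# Tag the local image, push it, and print a digest-pinned reference.
push_image() {
  remote="$(registry_host "$ACCOUNT_ID" "$REGION")/$REPO"
  docker tag "$LOCAL_IMAGE" "$remote:$TAG"
  out="$(docker push "$remote:$TAG")"      # set -e aborts here if the push fails
  printf '%s\n' "$out" >&2
  digest="$(printf '%s\n' "$out" | digest_from_push_output)"
  [ -n "$digest" ] || { echo "push did not report a digest" >&2; return 1; }
  printf '%s@%s\n' "$remote" "$digest"
}

# Pull by digest: the reference names exactly one image, whereas a tag in a
# MUTABLE repository can be moved to different content after you tested it.
pull_pinned() {
  docker pull "$1"
}

if [ -n "${ECR_RUN:-}" ]; then
  create_repository
  ecr_login
  pinned="$(push_image)"
  echo "pinned reference: $pinned"
  pull_pinned "$pinned"
fi
```

Run it with ECR_RUN=1 after aws configure; the printed pinned reference is the value to record in deployment manifests, since a digest cannot be re-pointed even in a repository whose tags are mutable.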

AWS describes ECR as supporting namespaces, but they do not work the way they do in other Docker registries: ECR does not support namespaces as a hierarchical grouping concept. ECR has a flat structure, and it is common to use slashes within repository names to organise them. For example, to store different container images for different components of an application, you would create two repositories named:

mycompany/myproj/image-one
mycompany/myproj/image-two

You could then use this naming convention in identity-based policies, e.g. IAM group myproj could be granted permissions on the resource arn:aws:ecr:us-east-1:123412341234:repository/mycompany/myproj/*. Two details matter here: the trailing slash in the pattern is what keeps a repository named mycompany/myproj-old out of scope (repository/mycompany/myproj* would match it), and ecr:GetAuthorizationToken does not support resource-level permissions, so it has to be allowed on Resource "*" in its own statement or docker login will fail even though push and pull are granted.
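A policy generator for exactly that namespace convention, as an added example that is not part of the original post. It emits an identity-based policy with the login permission on "*" and push/pull scoped to the prefix, and includes a small check that mirrors what the trailing "/*" wildcard actually matches. Assumed values: account 123412341234, region us-east-1, prefix mycompany/myproj, IAM group myproj and policy name ecr-myproj-pushpull; ECR_RUN is a hypothetical guard around the one call that touches AWS.

```sh
#!/bin/sh
# Added example (not from the original post). Account, region, prefix and
# group name below are assumptions; substitute your own.
set -eu

# Print an IAM policy document for the given account, region and repository
# prefix. ecr:GetAuthorizationToken has no resource-level permissions, so it
# is granted on "*" in its own statement; everything else is scoped to the
# prefix, and the "/*" keeps mycompany/myproj-old out of scope.
namespace_policy_json() {
  account="$1"; region="$2"; prefix="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LoginToRegistry",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "PushPullNamespace",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:DescribeImages",
        "ecr:ListImages"
      ],
      "Resource": "arn:aws:ecr:${region}:${account}:repository/${prefix}/*"
    }
  ]
}
EOF
}

# Return 0 if repository name $2 falls inside prefix $1 the way the "/*"
# wildcard in the Resource ARN above does, 1 otherwise.
repo_in_namespace() {
  case "$2" in
    "$1"/*) return 0 ;;
    *)      return 1 ;;
  esac
}

if [ -n "${ECR_RUN:-}" ]; then
  aws iam put-group-policy \
    --group-name myproj \
    --policy-name ecr-myproj-pushpull \
    --policy-document "$(namespace_policy_json 123412341234 us-east-1 mycompany/myproj)"
fi
```

The action list is the push/pull set; drop PutImage, InitiateLayerUpload, UploadLayerPart and CompleteLayerUpload for a pull-only group such as deployment hosts.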

Listing Images from ECR

Depending on the size of the image and your Internet connection, the upload takes a while. Once it completes, the following command lists all the images in the repository by tag and digest (aws ecr describe-images additionally shows size, push time and scan status):

aws ecr list-images --repository-name mgoyal-demo-dev

Pull Images from ECR

After your image has been pushed to your Amazon ECR repository, you can pull it from anywhere that has authenticated to the registry. As with docker push, use docker pull followed by the full image name. Pulling by digest (…@sha256:…) rather than by tag pins the exact image content:

docker pull 123412341234.dkr.ecr.ap-south-1.amazonaws.com/mgoyal-demo-dev:amazonlinux

Delete Images from ECR

To delete images from ECR, you can do it from the console. Alternatively, from the command line you can delete several images in one go, selecting them by tag (imageTag=…) or by digest (imageDigest=…). Note that removing one tag from an image that carries several tags only drops that tag; the image itself is deleted when its last tag is removed:

aws ecr batch-delete-image --repository-name mgoyal-demo-dev --image-ids imageTag=amazonlinux

Delete ECR Repository

By default, you cannot delete a repository that contains images; the --force flag allows this. To delete a repository together with all the images in it, run the following command. There is no undo, so check the repository name and the images it holds first.

aws ecr delete-repository --repository-name mgoyal-demo-dev --force

The operations above cover what you will be doing most of the time.

In the next few blog posts, we’ll discuss more on the features of ECR such as replication and lifecycle policies etc.
