Amazon Elastic Container Registry (ECR) is one of the services hosted by Amazon Web Services (AWS). ECR provides both private and public repositories for storing container images. It integrates well with the AWS CLI to push, pull and manage Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. Public ECR and private ECR provide almost the same features. However, private ECR, as the name indicates, provides more security features for enterprises, as all communication needs to be authenticated first. This is the first in a series of blog posts on Amazon ECR, where we'll cover the basics of getting started. In later blog posts, we'll discuss how to operate and utilize various features of ECR, cover some security and monitoring considerations, and some automation as well.
Components of Amazon ECR
Amazon ECR contains the following components:
- Registry – An Amazon ECR registry is provided to each AWS account; you can create image repositories in your registry and store images in them.
- Authorization token – Your client must authenticate to Amazon ECR registries as an AWS user before it can push and pull images.
- Repository – An Amazon ECR image repository contains your Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts.
- Repository Policy – Controls access to your repositories and the images within them.
- Image – The container images themselves.
Basic Setup for ECR
Create an IAM User
Like other services in AWS, ECR requires you to authenticate to AWS first, so that it can determine whether you are authorized to perform the actions you have requested. So the first step is to create an IAM user that you will use for AWS container management, separate from your AWS root account. Once it's done, sign out and then sign in as the new IAM user by using the following URL:
Setup Access Keys to Configure AWS CLI
From the user settings, go to My Security Credentials, then the Access keys for CLI, SDK, & API access section, and select Create access key:
Copy the value listed for the access key ID and the secret access key, before you close the credentials pop-up window.
Configure AWS CLI
On the AWS CLI, run the aws configure command. It will ask for the access key ID and secret access key; provide the values you copied. It's also a good idea to set a default AWS region at this point.
Basic operations with Elastic Container Registry
Creating an ECR Repository
In its simplest form, we can create an ECR repository by providing just the name of the repo. For example:
aws ecr create-repository --repository-name mgoyal-demo-dev
We can control more settings, such as image tag mutability and scan on push, by passing additional options. The full synopsis of the command is:
aws ecr create-repository --repository-name <value> [--tags <value>] [--image-tag-mutability <value>] [--image-scanning-configuration <value>] [--encryption-configuration <value>] [--cli-input-json | --cli-input-yaml] [--generate-cli-skeleton <value>]
Once it's created, you can go into the AWS portal and review the details. Alternatively, create the repository from the portal itself.
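The create-repository options above are where the repository's security posture is set, so it is worth checking existing repositories for them. The following added example (not from the original post) audits a constructed sample of aws ecr describe-repositories output for mutable tags, scan on push disabled and default AES256 encryption, and builds the hardened create-repository command line; the account id, region, repository names and KMS key ARN are placeholders.

```python
import json

# Constructed sample of `aws ecr describe-repositories` output; the account id,
# region and repository names are placeholders, not real account data.
DESCRIBE_OUTPUT = json.dumps({
    "repositories": [
        {
            "repositoryName": "mgoyal-demo-dev",
            "imageTagMutability": "MUTABLE",
            "imageScanningConfiguration": {"scanOnPush": False},
            "encryptionConfiguration": {"encryptionType": "AES256"},
        },
        {
            "repositoryName": "myproj/backend",
            "imageTagMutability": "IMMUTABLE",
            "imageScanningConfiguration": {"scanOnPush": True},
            "encryptionConfiguration": {"encryptionType": "KMS"},
        },
    ]
})

def audit_repositories(describe_output: str) -> dict:
    """Map each repository missing a hardened setting to a list of findings."""
    findings = {}
    for repo in json.loads(describe_output)["repositories"]:
        issues = []
        if repo.get("imageTagMutability") != "IMMUTABLE":
            issues.append("mutable tags: a pushed tag can be overwritten in place")
        if not repo.get("imageScanningConfiguration", {}).get("scanOnPush"):
            issues.append("scan on push disabled: new images are not scanned for CVEs")
        if repo.get("encryptionConfiguration", {}).get("encryptionType") != "KMS":
            issues.append("AES256 default encryption: no customer-managed KMS key policy")
        if issues:
            findings[repo["repositoryName"]] = issues
    return findings

def hardened_create_command(name: str, kms_key_arn: str) -> str:
    """Build the create-repository command line with the hardened options set."""
    return (
        f"aws ecr create-repository --repository-name {name}"
        " --image-tag-mutability IMMUTABLE"
        " --image-scanning-configuration scanOnPush=true"
        f" --encryption-configuration encryptionType=KMS,kmsKey={kms_key_arn}"
    )

if __name__ == "__main__":
    for name, issues in audit_repositories(DESCRIBE_OUTPUT).items():
        print(name, "->", "; ".join(issues))
    print(hardened_create_command("mgoyal-demo-dev", "arn:aws:kms:REGION:ACCOUNT:key/KEY-ID"))
```

Feed audit_repositories the string returned by aws ecr describe-repositories --output json to run it against a real registry.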
Authenticate to ECR
Before we can push images using the AWS CLI, we need to authenticate using the aws ecr get-login-password command first. This provides an authentication token, which we then pass to docker login along with the ECR registry URI, the username AWS and the region:
aws ecr get-login-password --region region | docker login --username AWS --password-stdin aws_account_id.dkr.ecr.region.amazonaws.com
Substitute region and aws_account_id with the values for the account your IAM user belongs to. Note that the authentication token obtained above is valid for only 12 hours per registry.
Tag and Push a Docker Image to ECR
Before you can push a container image to ECR, you need to first tag it with the ECR URI using the docker tag command. You must also have a local container image that you want to push. For this blog post's purpose, we'll be tagging and pushing the default Amazon Linux container image (replace the repo name with your own):
docker tag amazonlinux:2 123412341234.dkr.ecr.ap-south-1.amazonaws.com/mgoyal-demo-dev:amazonlinux
docker push 123412341234.dkr.ecr.ap-south-1.amazonaws.com/mgoyal-demo-dev:amazonlinux
AWS claims to support namespaces on ECR, but they do not work like namespaces in other Docker registries. ECR doesn't support namespaces as a hierarchical grouping concept. While ECR has a flat structure, it's common to use slashes within repository names to organise repositories. For example, to store different container images for different components of an application, you would create two repositories with names:
You could then use this naming convention to write identity-based policies, e.g. IAM group myproj could be granted permissions to resource
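The slash convention only pays off when the identity-based policy is scoped to the prefix. The following added example (not from the original post) generates a pull-only policy for every repository under a prefix such as myproj/ and a matcher that mirrors how the prefix/* resource pattern applies to repository names; the account id, region and repository names are hypothetical placeholders.

```python
import json

# Hypothetical values: the account id, region and repository names are
# placeholders, not taken from a real account.
ACCOUNT_ID = "123412341234"
REGION = "ap-south-1"

def repository_arn(account_id: str, region: str, repo_pattern: str) -> str:
    """ARN of an ECR repository, or a wildcard pattern over a name prefix."""
    return f"arn:aws:ecr:{region}:{account_id}:repository/{repo_pattern}"

def pull_only_policy(account_id: str, region: str, prefix: str) -> dict:
    """Identity-based policy allowing pulls from every repository under
    `prefix/` and nothing else. ecr:GetAuthorizationToken (needed for the
    docker login step) is not resource-scoped, so it gets its own statement
    on "*"; the image/layer actions are scoped to the prefix pattern."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "LoginToRegistry",
                "Effect": "Allow",
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*",
            },
            {
                "Sid": "PullFromNamespace",
                "Effect": "Allow",
                "Action": [
                    "ecr:BatchGetImage",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchCheckLayerAvailability",
                ],
                "Resource": repository_arn(account_id, region, f"{prefix}/*"),
            },
        ],
    }

def repo_in_scope(repo_name: str, prefix: str) -> bool:
    """Mirror the `prefix/*` match: only names below the prefix qualify, so
    `myproj-other` or a bare `myproj` are not covered by `myproj/*`."""
    return repo_name.startswith(prefix + "/")

if __name__ == "__main__":
    print(json.dumps(pull_only_policy(ACCOUNT_ID, REGION, "myproj"), indent=2))
    for name in ("myproj/frontend", "myproj/backend", "myproj-other", "other/api"):
        print(name, "->", "in scope" if repo_in_scope(name, "myproj") else "out of scope")
```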
Listing Images from ECR
Depending on the size of the image and your Internet connection, the upload will take a while. Once it is done, you can issue the following command, which lists all the images in the repository:
aws ecr list-images --repository-name mgoyal-demo-dev
Pull Images from ECR
After your image has been pushed to your Amazon ECR repository, you can pull it from other locations. As with docker push, we use docker pull followed by the full image name:
docker pull 123412341234.dkr.ecr.ap-south-1.amazonaws.com/mgoyal-demo-dev:amazonlinux
Delete Images from ECR
To delete images from ECR, you can do it from the portal. Alternatively, you can do it from the command line, which lets you delete multiple images in one go or only the images with a particular tag:
aws ecr batch-delete-image --repository-name mgoyal-demo-dev --image-ids imageTag=amazonlinux
Delete ECR Repository
By default, you cannot delete a repository that contains images; however, the --force flag allows this. To delete a repository that contains images (and all the images within it), run the following command:
aws ecr delete-repository --repository-name mgoyal-demo-dev --force
The above operations are what you'll be performing most of the time.
In the next few blog posts, we'll discuss more of the features of ECR, such as replication and lifecycle policies.