What is Amazon ECR (Elastic Container Registry)?
Amazon ECR is a managed container image registry service that is secure, scalable, and reliable. ECR supports public and private repositories and resource-based permissions using IAM, so the specified users or EC2 instances can access your container repositories and images. You can use your preferred CLI to push, pull, and manage Docker images, Open Container Initiative (OCI) images, and OCI-compatible artifacts.
Components of ECR
- Registry: ECR registry is provided to each AWS account, you can create one or more repositories in your registry and store images.
- Authorization token: Authenticate to ECR registries as an AWS user before it can push and pull images
- Repository: ECR repository contains your Docker images, Open Container Initiative (OCI) images, and OCI-compatible artifacts.
- Repository policy: With repository policy, you can control access to your repositories and the images within them with repository policies.
- Images: You can push and pull container images to your repositories. You can use these images locally on your development system, or you can use them in ECS task definitions and EKS pod specifications.
Features of ECR
Lifecycle policies help with managing the lifecycle of the images in your repositories. You define rules that result in the cleaning up of unused images. You can test rules before applying them to your repository.
Image scanning helps in identifying software vulnerabilities in your container images. Each repository can be configured to scan on push. This ensures that each new image pushed to the repository is scanned. You can then retrieve the results of the image scan.
Cross-Region and cross-account replication make it easier for you to have your images where you need them. This is configured as a registry setting and is on a per-Region basis.
Pull through cache rules provide a way to cache repositories in remote public registries in your private ECR registry. Using a pull through cache rule, Amazon ECR will periodically reach out to the remote registry to ensure the cached image in your Amazon ECR private registry is up to date.
How to push the image in ECR
In this article we configure everything through the command line this will help you whenever you want to integrate into other CI/CD tools or do the integration programmatically
Connect the AWS account to CLI
Install the AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
Configure basic settings
Run the aws configure to configure the basic settings and enable the connection between the location computer to AWS cloud
Key ID and access key you will get from under IAM
$ aws configure
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]:
Default output format [None]:
Once the connection is ready we can create the repository first
aws ecr create-repository --repository-name <repo Name> --image-scanning-configuration scanOnPush=true --region <region>
Example:
root@MASTER:~# aws ecr create-repository --repository-name cnl --image-scanning-configuration scanOnPush=true --region us-east-1
{
"repository": {
"repositoryArn": "arn:aws:ecr:us-east-1:389837147847:repository/cnl",
"registryId": "389837147847",
"repositoryName": "cnl",
"repositoryUri": "389837147847.dkr.ecr.us-east-1.amazonaws.com/cnl",
"createdAt": "2022-09-21T16:57:57+05:30",
"imageTagMutability": "MUTABLE",
"imageScanningConfiguration": {
"scanOnPush": true
},
"encryptionConfiguration": {
"encryptionType": "AES256"
}
}
}
root@MASTER:~#
How to check the repository details
root@MASTER:~# aws ecr describe-repositories
{
"repositories": [
{
"repositoryArn": "arn:aws:ecr:us-east-1:389837147847:repository/cnl",
"registryId": "389837147847",
"repositoryName": "cnl",
"repositoryUri": "389837147847.dkr.ecr.us-east-1.amazonaws.com/cnl",
"createdAt": "2022-09-21T16:57:57+05:30",
"imageTagMutability": "MUTABLE",
"imageScanningConfiguration": {
"scanOnPush": true
},
"encryptionConfiguration": {
"encryptionType": "AES256"
}
}
]
}
Retrieve an authentication token and authenticate your Docker client to your registry. Use the AWS CLI:
$ aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin <<repo uri>>
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 389837147847.dkr.ecr.us-east-1.amazonaws.com/cnl
How to push the image in ECR
First, we need to create the Docker image then the same images we can push to ECR
Docker image creation you can refer to this git link
After creating the Docker image run the below command for tagging the image
$ docker tag <image name > <repo URL>
docker tag cnl 389837147847.dkr.ecr.us-east-1.amazonaws.com/cnl
Push the image to ECR
$ docker push < Image ID>
root@MASTER:~# docker push 389837147847.dkr.ecr.us-east-1.amazonaws.com/cnl
Using default tag: latest
The push refers to repository [389837147847.dkr.ecr.us-east-1.amazonaws.com/cnl]
7b86011f85c2: Pushed
6f0675f39208: Pushed
05a08104fe16: Pushed
7f5cbd8cc787: Pushed
latest: digest: sha256:6bc7509a2574b0b65daed90ea976cb0ae7427790e43d68bad428b5b4d419eb54 size: 1160
How to verify the image
root@MASTER:~# aws ecr describe-images --repository-name cnl
{
"imageDetails": [
{
"registryId": "389837147847",
"repositoryName": "cnl",
"imageDigest": "sha256:6bc7509a2574b0b65daed90ea976cb0ae7427790e43d68bad428b5b4d419eb54",
"imageTags": [
"latest"
],
"imageSizeInBytes": 79981290,
"imagePushedAt": "2022-09-21T17:41:11+05:30",
"imageScanStatus": {
"status": "COMPLETE",
"description": "The scan was completed successfully."
},
"imageScanFindingsSummary": {
"imageScanCompletedAt": "2022-09-21T17:41:19+05:30",
"vulnerabilitySourceUpdatedAt": "2022-09-21T12:13:11+05:30",
"findingSeverityCounts": {
"MEDIUM": 4,
"INFORMATIONAL": 4,
"LOW": 11
}
},
"imageManifestMediaType": "application/vnd.docker.distribution.manifest.v2+json",
"artifactMediaType": "application/vnd.docker.container.image.v1+json"
}
]
}
How to delete the repository
root@MASTER:~# aws ecr delete-repository --repository-name cnl --force
{
"repository": {
"repositoryArn": "arn:aws:ecr:us-east-1:389837147847:repository/cnl",
"registryId": "389837147847",
"repositoryName": "cnl",
"repositoryUri": "389837147847.dkr.ecr.us-east-1.amazonaws.com/cnl",
"createdAt": "2022-09-21T16:57:57+05:30",
"imageTagMutability": "MUTABLE"
}
}
Hope you got an idea of how to create ECR and how to push the image to the ECR Registry
Thank you!