Amazon ECR (Elastic Container Registry) is a container image registry managed by AWS.
Overview
- ECR provides private/public container image repositories.
- You can integrate ECR with ECS or EKS to pull images.
- It can be secured with resource-based permissions via IAM.
- Supported Formats
- Docker Images
- OCI (Open Container Initiative) Images
- OCI artifacts
Components
- Repository
- Image storage
- Authorization Token
- required to push/pull images to/from the ECR repository
- Repository Polices
- access control to repositories and images
Features
- Image Scanning
- ECR scans images and identifies security vulnerabilities.
- You can set the repository setting to scan images on push.
- Versioning
- Image Tags
- Caching
- You can cache images in the public repository into your private repository.
- Security
- Access is controlled by IAM permissions.
- CI/CD Integration
- Easy integration with other CI/CD Services
- CodeBuild can push the built image to ECR
- ECS and Fargate can pull images from ECR
ECR Cross-Region Replication
ECR private repository supports both cross-region and cross-account replication.
- When you push an image to a repository in one region, the image is replicated into repositories in other Regions.
Lifecycle Policies
- Automatically remove old or unused images based on age or count
- Images are expired within 24 hours after they meet the condition.
- The policy contains one or more rules.
- All rules are evaluated at the same time, then applied based on priority
Filtering on age
{
"rules": [
{
"rulePriority": 1,
"description": "Expire images older than 14 days",
"selection": {
"tagStatus": "tagged",
"tagPatternList": ["prod*"],
"countType": "sinceImagePushed",
"countUnit": "days",
"countNumber": 14
},
"action": {
"type": "expire"
}
}
]
}
Filtering on count
{
"rules": [
{
"rulePriority": 2,
"description": "Keep only one untagged image, expire all others",
"selection": {
"tagStatus": "untagged",
"countType": "imageCountMoreThan",
"countNumber": 1
},
"action": {
"type": "expire"
}
}
]
}
Pushing a Docker Image to a ECR Repository
- Authenticate your Docker client to the ECR registry
- Create a repository if it does not exist yet
- Identify the local image to push
- Tag your image with the ECR registry, repository, and optional image tag name
- Push the image using the docker push command
> aws ecr get-login-password --region {region} \
| docker login --username AWS --password-stdin {aws_account_id}.dkr.ecr.{region}.amazonaws.com
> docker images
> docker tag {image_id} {aws_account_id}.dkr.ecr.{region}.amazonaws.com/{repository_name}:tag
> docker push {aws_account_id}.dkr.ecr.{region}.amazonaws.com/{repository_name}:tag
Scriptorium 