ECR for container image registry in AWS - Commands & Configuration
Introduction
Storing container images safely is important so you can use them anytime. Amazon Elastic Container Registry (ECR) is a service that keeps your container images in one place, making it easy to manage and use them with your apps.
Use ECR in these cases:
When you want to store your app's container images close to your AWS services for faster deployment.
When you need a secure place to keep container images with controlled access.
When you want to share container images easily between your team members or AWS accounts.
When you want to automate container image storage as part of your build and deploy process.
When you want to avoid managing your own container registry infrastructure.
Config File - repository-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ]
    }
  ]
}

This JSON file defines a policy for the ECR repository.

Version: The policy language version.

Statement: The rules for who can do what.

Effect: Allows the actions listed.

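Principal: {"AWS": "*"} matches every AWS principal in any account, so anyone with AWS credentials can push and pull images. Because the statement includes the upload actions, list specific account or role ARNs here instead of "*" for any repository whose images you deploy.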

Action: Lists the permissions needed to upload and download container images.
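
The check below is an added example, not part of the original page or of any AWS tooling: it reads a repository policy like the one above and reports every Allow statement that is open to all principals, rating it by whether the push actions are included. The severity labels and the role name ci-push-role are assumptions made for this example; the account ID is the page's placeholder.

```python
import json
from fnmatch import fnmatchcase

# Push-path actions from the page's policy; the other three only read images.
WRITE_ACTIONS = ["ecr:PutImage", "ecr:InitiateLayerUpload",
                 "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"]
READ_ACTIONS = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"}, including "*" inside a list of ARNs."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)

def grants_write(actions):
    """True if an action is a push action or a wildcard that covers one."""
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatchcase(w.lower(), p) for w in WRITE_ACTIONS for p in patterns)

def audit_policy(policy_text):
    """Return (Sid, severity) for each Allow statement open to every principal."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            severity = "review"   # wildcard narrowed by a Condition: needs a human
        elif grants_write(stmt.get("Action", [])):
            severity = "high"     # any AWS principal can push images
        else:
            severity = "medium"   # any AWS principal can pull images
        findings.append((stmt.get("Sid", "<no Sid>"), severity))
    return findings

# The page's policy, and a constructed one scoped to a hypothetical CI role.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowPushPull", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": READ_ACTIONS + WRITE_ACTIONS}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "CiPush", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-push-role"},
     "Action": WRITE_ACTIONS + ["ecr:BatchCheckLayerAvailability"]},
    {"Sid": "AccountPull", "Effect": "Allow", "Action": READ_ACTIONS,
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]})
if __name__ == "__main__":
    print({"page": audit_policy(PAGE_POLICY), "scoped": audit_policy(SCOPED_POLICY)})
```

The check does not interpret NotPrincipal or NotAction, so statements that use them need a manual read.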

Commands
This command creates a new container image repository named 'my-app-repo' in the US East (N. Virginia) region.
Terminal
aws ecr create-repository --repository-name my-app-repo --region us-east-1
Expected Output
{
  "repository": {
    "repositoryArn": "arn:aws:ecr:us-east-1:123456789012:repository/my-app-repo",
    "registryId": "123456789012",
    "repositoryName": "my-app-repo",
    "repositoryUri": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app-repo",
    "createdAt": "2024-06-01T12:00:00Z",
    "imageTagMutability": "MUTABLE",
    "imageScanningConfiguration": {
      "scanOnPush": false
    }
  }
}
--repository-name - Sets the name of the new ECR repository.
--region - Specifies the AWS region where the repository is created.
This command logs your Docker client into the ECR registry using a temporary password, so you can push and pull images securely.
Terminal
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com
Expected Output
Login Succeeded
--region - Specifies the AWS region for the ECR registry.
This command tags your local Docker image 'my-app:latest' with the full ECR repository URI so it can be pushed to ECR.
Terminal
docker tag my-app:latest 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app-repo:latest
Expected Output
No output (command runs silently)
This command uploads your tagged Docker image to the ECR repository so it can be used by AWS services.
Terminal
docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app-repo:latest
Expected Output
The push refers to repository [123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app-repo]
latest: digest: sha256:abcdef1234567890 size: 1234
This command checks the details of the 'my-app-repo' repository to confirm it exists and see its settings.
Terminal
aws ecr describe-repositories --repository-names my-app-repo --region us-east-1
Expected Output
{
  "repositories": [
    {
      "repositoryArn": "arn:aws:ecr:us-east-1:123456789012:repository/my-app-repo",
      "registryId": "123456789012",
      "repositoryName": "my-app-repo",
      "repositoryUri": "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app-repo",
      "createdAt": "2024-06-01T12:00:00Z",
      "imageTagMutability": "MUTABLE",
      "imageScanningConfiguration": {
        "scanOnPush": false
      }
    }
  ]
}
--repository-names - Filters the output to show only the specified repository.
--region - Specifies the AWS region of the repository.
Key Concept

If you remember nothing else from this pattern, remember: ECR stores your container images securely and lets you push and pull them using Docker commands after logging in.

Common Mistakes
Trying to push images without logging into ECR first.
Docker will reject the push because it does not have permission to access the ECR registry.
Always run the AWS login command to authenticate Docker before pushing images.

Using the wrong repository URI when tagging the image.
Docker will push the image to a non-existent or wrong repository, causing errors or confusion.
Use the exact repository URI returned by the create-repository command when tagging images.

Not specifying the AWS region in commands.
Commands may fail or target the wrong region, causing resource not found errors.
Always include the --region flag with the correct AWS region.
Summary
Create an ECR repository to store your container images securely.
Log in to ECR using AWS CLI to allow Docker to push and pull images.
Tag your local Docker image with the ECR repository URI before pushing.
Push the tagged image to ECR so it can be used by AWS services.
Verify the repository details to confirm your setup.