How to authenticate docker in aws ecr?

Hello Everyone

Welcome to CloudAffaire and this is Debjeet.

You can use Amazon ECR credential helper or AWS CLI get-login-password and get-authorization-token commands to authenticate the docker client or API requests in AWS ECR.

Prerequisites:

AWS CLI and Docker installed and configured.

How to authenticate docker in aws ecr?

Using the Amazon ECR credential helper (for docker client):

Amazon ECR provides a Docker credential helper which makes it easier to store and use Docker credentials when pushing and pulling images to Amazon ECR.

Step 1: Install Amazon ECR credential helper:

## ------------------------------------
## Install Amazon ECR credential helper
## ------------------------------------

## Amazon Linux OS
sudo amazon-linux-extras enable docker
sudo yum install amazon-ecr-credential-helper

## MAC OS
brew install docker-credential-helper-ecr

## Ubuntu/Debian OS
sudo apt update
sudo apt install amazon-ecr-credential-helper

## Arch Linux
git clone https://aur.archlinux.org/amazon-ecr-credential-helper.git
cd amazon-ecr-credential-helper
makepkg -si

## RHEL/CentOS OS
wget https://dl.google.com/go/go1.13.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.13.linux-amd64.tar.gz
echo "export PATH=$PATH:/usr/local/go/bin" >> $HOME/.bash_profile
source ~/.bash_profile
go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login
cp /root/go/bin/docker-credential-ecr-login /usr/bin

## ------------------------------------

## Install Amazon ECR credential helper

## ------------------------------------

## Amazon Linux OS

sudo amazon-linux-extras enable docker

sudo yum install amazon-ecr-credential-helper

## MAC OS

brew install docker-credential-helper-ecr

## Ubuntu/Debian OS

sudo apt update

sudo apt install amazon-ecr-credential-helper

## Arch Linux

git clone https://aur.archlinux.org/amazon-ecr-credential-helper.git

cd amazon-ecr-credential-helper

makepkg -si

## RHEL/CentOS OS

wget https://dl.google.com/go/go1.13.linux-amd64.tar.gz

tar -C /usr/local -xzf go1.13.linux-amd64.tar.gz

echo "export PATH=$PATH:/usr/local/go/bin" >> $HOME/.bash_profile

source ~/.bash_profile

go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login

cp /root/go/bin/docker-credential-ecr-login /usr/bin

Step 2: Configure Amazon ECR credential helper:

## --------------------------------------
## Configure Amazon ECR credential helper
## --------------------------------------

mkdir ~/.aws/
cat > ~/.aws/credentials << EOF
[default]
region = <aws_region_code>
aws_access_key_id = <aws_access_key_id>
aws_secret_access_key = <aws_secret_access_key>
EOF
## or use aws configure command to autometically create the credential file

mkdir ~/.docker/
cat > ~/.docker/config.json << EOF
{
    "credHelpers": {
        "<aws_account_id>.dkr.ecr.<aws_region_code>.amazonaws.com": "ecr-login"
    }
}
EOF

## --------------------------------------

## Configure Amazon ECR credential helper

## --------------------------------------

mkdir ~/.aws/

cat > ~/.aws/credentials << EOF

[default]

region =

aws_access_key_id =

aws_secret_access_key =

EOF

## or use aws configure command to autometically create the credential file

mkdir ~/.docker/

cat > ~/.docker/config.json << EOF

{

"credHelpers": {

".dkr.ecr..amazonaws.com": "ecr-login"

}

EOF

Step 3: Perform docker operation in your AWS ECR repository:

## ----------------------------------------
## Tag, Push or Pull docker images from ECR
## ----------------------------------------

## TAG you docker image form ECR private repository
docker tag <docker_image_name>:<image_tag> <aws_account_id>.dkr.ecr.<aws_region_code>.amazonaws.com/<ecr_repository_name>:<tag>

## PUSH a docker image from a private ECR repository
docker push <aws_account_id>.dkr.ecr.<aws_region_code>.amazonaws.com/<ecr_repository_name>:<tag>

## PULL a docker image from a private ECR repository
docker pull <aws_account_id>.dkr.ecr.<aws_region_code>.amazonaws.com/<ecr_repository_name>:<tag>

## ----------------------------------------

## Tag, Push or Pull docker images from ECR

## ----------------------------------------

## TAG you docker image form ECR private repository

docker tag : .dkr.ecr..amazonaws.com/:

## PUSH a docker image from a private ECR repository

docker push .dkr.ecr..amazonaws.com/:

## PULL a docker image from a private ECR repository

docker pull .dkr.ecr..amazonaws.com/:

Using an authorization token (for docker client):

An authorization token’s permission scope matches that of the IAM principal used to retrieve the authentication token. An authentication token is used to access any Amazon ECR registry that your IAM principal has access to and is valid for 12 hours.

Step 1: Get a new authorization token using get-login-password AWS cli command.

## ----------------------------
## Using an authorization token
## ----------------------------

## Authenticate docker using aws ecr get-login-password command
aws ecr get-login-password --region region | \
docker login --username AWS --password-stdin \
<aws_account_id>.dkr.ecr.<aws_region_code>.amazonaws.com

## ----------------------------

## Using an authorization token

## ----------------------------

## Authenticate docker using aws ecr get-login-password command

aws ecr get-login-password --region region | \

docker login --username AWS --password-stdin \

.dkr.ecr..amazonaws.com

Step 2: Perform docker operation in your AWS ECR repository:

## -----------------------------------
## Push or Pull docker images from ECR
## -----------------------------------

## TAG you docker image form ECR private repository
docker tag <docker_image_name>:<image_tag> <aws_account_id>.dkr.ecr.<aws_region_code>.amazonaws.com/<ecr_repository_name>:<tag>

## PUSH a docker image from a private ECR repository
docker push <aws_account_id>.dkr.ecr.<aws_region_code>.amazonaws.com/<ecr_repository_name>:<tag>

## PULL a docker image from a private ECR repository
docker pull <aws_account_id>.dkr.ecr.<aws_region_code>.amazonaws.com/<ecr_repository_name>:<tag>

## -----------------------------------

## Push or Pull docker images from ECR

## -----------------------------------

## TAG you docker image form ECR private repository

docker tag : .dkr.ecr..amazonaws.com/:

## PUSH a docker image from a private ECR repository

docker push .dkr.ecr..amazonaws.com/:

## PULL a docker image from a private ECR repository

docker pull .dkr.ecr..amazonaws.com/:

Using HTTP API authentication (for docker api):

Amazon ECR supports the Docker Registry HTTP API. However, because Amazon ECR is a private registry, you must provide an authorization token with every HTTP request. You can add an HTTP authorization header using the -H option for curl and pass the authorization token provided by the get-authorization-token AWS CLI command.

Step 1: Get API authorization token using get-authorization-token aws cli command.

## -----------------------------
## Using HTTP API authentication
## -----------------------------

## Retrieve an authorization token using get-authorization-token command
TOKEN=$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')

## -----------------------------

## Using HTTP API authentication

## -----------------------------

## Retrieve an authorization token using get-authorization-token command

TOKEN=$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')

Step 2: Perform docker API action in AWS ECR

## --------------------------------
## API call to ECR using docker API
## --------------------------------

## Perform an API call to ECR using token acquired in previous step
curl -i \
-H "Authorization: Basic $TOKEN" \
https://<aws_account_id>.dkr.ecr.<aws_region_code>.amazonaws.com/v2/amazonlinux/tags/list

## --------------------------------

## API call to ECR using docker API

## --------------------------------

## Perform an API call to ECR using token acquired in previous step

curl -i \

-H "Authorization: Basic $TOKEN" \

https://.dkr.ecr..amazonaws.com/v2/amazonlinux/tags/list

Please refer below link to get more details on Docker API.

https://docs.docker.com/registry/spec/api/

Hope you have enjoyed this article, to get more details on AWS ECR, please follow below link.

https://docs.aws.amazon.com/ecr/index.html

How to authenticate docker in aws ecr?

Prerequisites:

How to authenticate docker in aws ecr?

Using the Amazon ECR credential helper (for docker client):

Step 1: Install Amazon ECR credential helper:

Step 2: Configure Amazon ECR credential helper:

Step 3: Perform docker operation in your AWS ECR repository:

Using an authorization token (for docker client):

Step 1: Get a new authorization token using get-login-password AWS cli command.

Step 2: Perform docker operation in your AWS ECR repository:

Using HTTP API authentication (for docker api):

Step 1: Get API authorization token using get-authorization-token aws cli command.

Step 2: Perform docker API action in AWS ECR

Leave a Reply Cancel reply