Amazon ECR
Amazon Elastic Container Registry (Amazon ECR) is a fully managed, secure, scalable, and reliable Docker container registry that lets developers store, manage, and deploy Docker container images. Amazon ECR is integrated with Amazon ECS, so AWS customers can store, run, and manage container images for applications running on Amazon ECS.
Amazon ECR provides private Docker repositories with resource-based permissions, using AWS IAM, so that specific users or Amazon EC2 instances can access repositories and images.
Amazon ECR hosts customers' images in a highly available and scalable architecture, allowing them to reliably deploy containers for their applications.
Amazon ECR transfers container images over HTTPS and automatically encrypts those images at rest.
Amazon Elastic Container Registry Features
- Amazon ECR supports Docker Registry HTTP API V2, which allows clients to use Docker CLI commands or any preferred Docker tools to interact with Amazon ECR.
- Docker is a software platform that allows customers to build, test, and deploy applications quickly.
- Docker packages software into standardized units called containers that have everything the software needs to run including libraries, system tools, code, and runtime.
- Using Docker, customers can quickly deploy and scale applications into any environment with the assurance that their code will run the same way in each of them.
- AWS Marketplace for Containers enables customers to find container products in AWS Marketplace and the Amazon Elastic Container Service (Amazon ECS) console. They can deploy container products from AWS Marketplace on Amazon Container Services such as Amazon ECS, Amazon Elastic Container Service for Kubernetes (Amazon EKS), and AWS Fargate.
- Customers can find software-as-a-service (SaaS) products that help them manage, monitor, and protect their container applications. With the new software delivery option in AWS Marketplace, customers can find free, bring-your-own-license (BYOL), and paid container products with both fixed monthly and usage-based pricing.
- Amazon ECR automatically encrypts images at rest using Amazon S3 server-side encryption and transfers customers' container images over HTTPS. Customers can configure policies to manage permissions and control access to their images using AWS Identity and Access Management (IAM) users and roles.
- ECR stores customers' container images in Amazon S3, where they are stored redundantly across multiple facilities and on multiple devices within each facility.
- ECR supports defining and organizing the repositories in a customer's registry using namespaces, which lets them organize repositories around their team's existing workflows.
- Through resource-level policies, customers can set which API actions another user may perform on their repository (including create, list, describe, delete, and get).
- Through IAM, customers can define policies that allow users within the same AWS account or in other accounts to access their container images.
- AWS Container Competency Partners have a technology product or solution on AWS that offers support to run workloads on containers. The product or solution integrates with AWS services in a way that improves the AWS customer’s ability to run workloads using containers on AWS.
- Customers can integrate Amazon ECR into their continuous integration and delivery process, allowing them to keep their existing development workflow.
Amazon ECR is integrated with third-party developer tools, including:
- Docker Enterprise: in collaboration with AWS, it delivers a highly reliable and cost-efficient way to quickly deploy, scale, and manage business-critical applications using containers and the cloud.
- HashiCorp: HashiCorp Cloud Infrastructure Automation provides consistent workflows to provision, secure, connect, and run any infrastructure for any application.
- Others include D2iQ (Mesosphere), Pivotal Cloud Foundry, Red Hat OpenShift, Spotinst Elastigroup, etc.
ECR Components
Authorization Token
- A customer's Docker client must authenticate to Amazon ECR registries as an AWS user in order to push and pull images.
- An authorization token represents the caller's IAM authentication credentials and can be used to access any Amazon ECR registry that the IAM principal has access to.
- An authorization token's permission scope matches that of the IAM principal used to retrieve it; the token grants nothing the principal could not already do.
- An authorization token is valid for 12 hours, after which a new one must be retrieved.
- The authorizationToken returned is a base64-encoded string that can be decoded and used in a docker login command to authenticate to a registry. The AWS CLI offers a get-login-password command that simplifies the login process.
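The bullets above say the token is base64-encoded and time-limited but do not show what is inside it. The following Python is an added example, not code from AWS or from the original page: it decodes a constructed sample token (the account id, region and password are placeholders, and `SAMPLE_AUTH_DATA` mirrors the shape of the `authorizationData` entry that `aws ecr get-authorization-token` returns), checks the remaining validity window, and builds a `docker login` command that takes the password on stdin rather than on the command line.

```python
import base64
import datetime as dt

# Constructed sample of one authorizationData entry from
# `aws ecr get-authorization-token`. Account id, region and password are
# made up for this example; a real token is a much longer opaque string.
SAMPLE_AUTH_DATA = {
    "authorizationToken": base64.b64encode(b"AWS:example-ecr-password-not-real").decode(),
    "expiresAt": "2024-01-01T12:00:00+00:00",
    "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
}

# Valid base64, but not in ECR's 'AWS:<password>' form (constructed).
MALFORMED_TOKEN = base64.b64encode(b"admin:hunter2").decode()


def decode_authorization_token(token_b64):
    """Return the (username, password) pair that `docker login` expects.

    ECR tokens always decode to 'AWS:<password>', which is why the documented
    login recipe uses `--username AWS`. Anything else is treated as malformed.
    """
    raw = base64.b64decode(token_b64).decode("utf-8")
    username, sep, password = raw.partition(":")
    if sep != ":" or username != "AWS" or not password:
        raise ValueError("not an ECR authorization token (expected 'AWS:<password>')")
    return username, password


def is_ecr_token(token_b64):
    """True if the string parses as an ECR authorization token."""
    try:
        decode_authorization_token(token_b64)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    return True


def _to_datetime(value):
    """Accept an ISO-8601 string (AWS CLI output) or a datetime (boto3 output)."""
    if isinstance(value, dt.datetime):
        parsed = value
    else:
        parsed = dt.datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=dt.timezone.utc)
    return parsed


def seconds_until_expiry(expires_at, now=None):
    """Seconds of validity left; negative once the 12-hour window has passed."""
    now_dt = _to_datetime(now) if now is not None else dt.datetime.now(dt.timezone.utc)
    return (_to_datetime(expires_at) - now_dt).total_seconds()


def docker_login_argv(auth_data):
    """Build the `docker login` argv for the registry named in proxyEndpoint.

    The password is deliberately not placed in argv: the caller feeds it on
    stdin (`--password-stdin`), so it does not land in shell history or `ps`.
    """
    username, _ = decode_authorization_token(auth_data["authorizationToken"])
    registry = auth_data["proxyEndpoint"].split("://", 1)[-1]
    return ["docker", "login", "--username", username, "--password-stdin", registry]


if __name__ == "__main__":
    user, password = decode_authorization_token(SAMPLE_AUTH_DATA["authorizationToken"])
    print("argv:", " ".join(docker_login_argv(SAMPLE_AUTH_DATA)))
    print("password bytes to feed on stdin:", len(password))
    print("seconds of validity left:", seconds_until_expiry(SAMPLE_AUTH_DATA["expiresAt"]))
```

In practice the password is obtained with `aws ecr get-login-password` and piped straight into the returned command; `seconds_until_expiry` is useful in long-running build agents, which otherwise fail with authentication errors once the 12 hours elapse.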
Repository Policy
- Amazon ECR uses resource-based permissions to control access to repositories. Resource-based permissions let customers specify which IAM users or roles have access to a repository and what actions they can perform on it. Customers control access to repositories, and to the images within them, through these repository policies.
- Amazon ECR repository policies are a subset of IAM policies that are scoped for, and specifically used for, controlling access to individual Amazon ECR repositories.
- IAM policies are generally used to apply permissions across the entire Amazon ECR service, but they can also be used to control access to specific resources.
Registry
- ECR registries host customers' container images in a highly available and scalable architecture, allowing them to deploy containers for their applications. Each AWS account is provided with an Amazon ECR registry by default, in which customers can create image repositories and store images.
- The registry manages image repositories containing Docker and Open Container Initiative (OCI) images.
- Using the AWS Management Console, the AWS CLI, or the AWS SDKs, customers can create and manage repositories and perform actions on images, such as listing or deleting them.
- Amazon ECR provides a Docker credential helper that stores and uses Docker credentials when pushing images to and pulling images from Amazon ECR.
Repository
- An Amazon ECR image repository contains customers' Docker or Open Container Initiative (OCI) images. ECR provides API operations to create, monitor, and delete image repositories and to set permissions that control who can access them. Amazon ECR also integrates with the Docker CLI, allowing customers to push and pull images between their development environments and their repositories.
- Amazon ECR uses resource-based permissions to control access to repositories. Resource-based permissions let customers specify which IAM users or roles have access to a repository and what actions they can perform on it. By default, only the repository owner has access to a repository.
- Access to repositories can be controlled with both IAM user access policies and repository policies.
- Repository names support namespaces, which customers can use to group similar repositories.
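Both the Repository Policy section and the Repository section above describe resource-based permissions without showing a policy document. The following Python is an added example, not AWS's own code or code from the page: it embeds three constructed repository policies (all account ids are placeholders) and reviews them against the "only the repository owner has access by default" baseline, flagging `Allow` statements that open the repository to everyone, to another account, or to a wildcard action. The set of actions treated as "pull only" is an assumption made for this example; it is the trio commonly granted for image pulls, not a list taken from the page.

```python
import json

# Constructed example policies; the account ids are placeholders, not real accounts.
OWNER_ACCOUNT = "111122223333"

PULL_ONLY_FOR_DEPLOY_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPullFromDeployRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/DeployRole"},
        "Action": [
            "ecr:BatchGetImage",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchCheckLayerAvailability",
        ],
    }],
}

CROSS_ACCOUNT_PULL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPartnerPull",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::444455556666:root"]},
        "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
    }],
}

OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanDoAnything",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "ecr:*",
    }],
}

# Assumed "pull only" action set for this example (lower-cased: IAM action
# names are matched case-insensitively). Anything beyond these is push,
# delete or administrative access.
PULL_ACTIONS = {
    "ecr:batchgetimage",
    "ecr:getdownloadurlforlayer",
    "ecr:batchchecklayeravailability",
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Extract the AWS principal strings ('*', an account id, or an ARN)."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def _account_of(principal):
    """Account id of a principal string, or None if it cannot be determined."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if principal.startswith("arn:") and len(parts) > 5 and parts[4]:
        return parts[4]
    return None


def review_repository_policy(policy, owner_account):
    """Return (Sid, finding) pairs for Allow statements that go beyond
    'named principals in the owning account may pull'."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid", "<no Sid>")
        for principal in _aws_principals(stmt.get("Principal")):
            if principal == "*":
                findings.append((sid, "public-principal"))
            else:
                account = _account_of(principal)
                if account is not None and account != owner_account:
                    findings.append((sid, "cross-account:" + account))
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & {"*", "ecr:*"}:
            findings.append((sid, "wildcard-action"))
        elif actions - PULL_ACTIONS:
            findings.append((sid, "grants-more-than-pull"))
    return findings


def policy_text(policy):
    """Compact JSON in the form passed to `aws ecr set-repository-policy --policy-text`."""
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    for name, policy in [("pull-only", PULL_ONLY_FOR_DEPLOY_ROLE),
                         ("cross-account", CROSS_ACCOUNT_PULL),
                         ("overly-broad", OVERLY_BROAD)]:
        print(name, review_repository_policy(policy, OWNER_ACCOUNT))
```

A cross-account finding is not necessarily a problem (the page notes that IAM can deliberately grant other accounts access to images), but it is the kind of grant a reviewer wants surfaced; a public principal or `ecr:*` on a private repository almost always is.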