I spent some of today with EC2 Container Registry following its promotion to GA status, and it's clear that it's far better than what I was using. For $0.07 more per GB-month, you get the same features as any other private registry service:
- no need to run a local registry on every host
- global https access to a highly available registry
- registry browser UI
But you also get IAM permissions-based access control!
The docs and AWS console walkthrough are great for getting started; the brief version is:
docker pull permissions
The policy looks like this for the role and user, using awacs and troposphere:
This permits login, pulling images, and browsing the repositories. Since we're using AWS, command line equivalents of docker search are easily within reach:
- aws ecr describe-repositories to view the repos
- aws ecr list-images --repository-name <name> to see image:tag availability
docker push permissions
So far, I've simply logged in as a registry administrator (ecr:*) when needing to push images - eventually CI will be the only user allowed to assume that role. For now that is:
docker logout https://$acct.dkr.ecr.us-east-1.amazonaws.com
$(aws ecr get-login --region us-east-1 --profile registry-admin)
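The post's pull policy itself (the awacs/troposphere snippet) is not reproduced above, so here is an added example, not the post's code, that builds the same kind of least-privilege policy as a plain IAM JSON document for one repository and checks it with a small allow/deny evaluator. The pull variant covers what the docker pull section describes (login, pull, browse); the push variant is an assumed scoped alternative to the ecr:* administrator role, the sort of thing a CI user would get instead of full admin. The account id, region and repository name are constructed sample values, and the evaluator is a simplified model of IAM (glob matching, explicit Deny wins; no conditions or NotAction), enough to review these two policies but not a general simulator.

```python
import fnmatch
import json

# Constructed sample values; substitute your own account id, region and repository.
ACCOUNT = "123456789012"
REGION = "us-east-1"
REPO_ARN = f"arn:aws:ecr:{REGION}:{ACCOUNT}:repository/myapp"

# Actions a `docker pull` plus the browsing commands (describe-repositories,
# list-images) need. ecr:GetAuthorizationToken is what `aws ecr get-login`
# calls; it is not repository-scoped and only accepts Resource "*".
PULL_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
]

# Extra actions a `docker push` needs on top of the pull set.
PUSH_ACTIONS = [
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]


def ecr_policy(repo_arn, push=False):
    """Build a least-privilege IAM policy document scoped to one repository.

    push=False gives the pull/browse policy; push=True adds the upload actions
    so the principal can push to that repository and nothing else.
    """
    actions = PULL_ACTIONS + (PUSH_ACTIONS if push else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Login",
                "Effect": "Allow",
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*",
            },
            {
                "Sid": "Push" if push else "Pull",
                "Effect": "Allow",
                "Action": actions,
                "Resource": repo_arn,
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access, and the default is deny. Action names are matched
    case-insensitively with glob wildcards, as IAM does; resources are matched
    case-sensitively. Conditions and NotAction/NotResource are not modelled."""
    decision = False
    for stmt in policy["Statement"]:
        action_hit = any(
            fnmatch.fnmatchcase(action.lower(), pattern.lower())
            for pattern in _as_list(stmt["Action"])
        )
        resource_hit = any(
            fnmatch.fnmatchcase(resource, pattern)
            for pattern in _as_list(stmt["Resource"])
        )
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    # Print the pull-only policy, ready to attach to the pull role/user.
    print(json.dumps(ecr_policy(REPO_ARN), indent=2))
    other_repo = f"arn:aws:ecr:{REGION}:{ACCOUNT}:repository/other"
    print("pull role may PutImage:", is_allowed(ecr_policy(REPO_ARN), "ecr:PutImage", REPO_ARN))
    print("push role may PutImage elsewhere:",
          is_allowed(ecr_policy(REPO_ARN, push=True), "ecr:PutImage", other_repo))
```

The useful check is the negative one: the pull policy must not grant ecr:PutImage, and the push policy must not grant it on any repository other than the one named in its Resource, which is exactly what ecr:* on "*" hands out.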