AWS ECR anonymous pull proxy

One of the nice things of using AWS ECR is that everything is managed for you by AWS (infrastructure, patching, upgrades…) so you don’t need to worry too much about any of those. But you need to accept the limitations and when possible to “fix” them.

One of the features which is not available on AWS ECR is anonymous pull.

There is a container which can be used for this purpose.
Before using the container there are few recommendations:

  • I don’t encourage  anyone to use this container to allow everyone on the internet to pull and push containers on your account. The container should be used with care, maybe just on your internal organisation. AWS keys should have only read access to AWS ECR.
  • to save on the AWS traffic worth using a cache in front of Nginx
  • try to use the container maybe on kubernetes or something which can do health checks

Some scenarios where the AWS ECR proxy container can be used:

  • docker/docker-compose pull. Point your container configs to the proxy.
  • for Jenkins docker slaves. Instead of having your Docker nodes keep on authenticating every 12 hours on AWS to get a new token, use the proxy.
  • kubernetes has it’s own mechanism of managing the credentials for AWS ECR but you will need to always add some extra configs for the pull secrets. The AWS ECR proxy can help with this also.

There should be more things but you get the idea.

How to use the container

The usual process of pulling and pushing container to AWS ECR is to have valid credentials, aws cli installation on your local machine and every 12 hours to generate a token followed by the “docker login….” command.

The command to pull the container will be something like:

docker pull ACCOUNT.dkr.ecr.REGION.amazonaws.com/CONTAINER

If you have an AWS ECR proxy configured you don’t need to worry about the first part, no login is required so the only step you will need to do is to pull your container.

docker pull aws-ecr-proxy.your-domain.org/CONTAINER

All the details on how to use the container can be found on the git repository of the project.

Leave a Reply

Time limit is exhausted. Please reload the CAPTCHA.