AWS Elastic Container Registry 101

2022.01.31

AWS launched the AWS ECS service to help developers deploy, maintain and scale an application. AWS ECS lets users define their own task(s) and/or service(s) inside a cluster. The cluster pulls the images, starts them in a container and runs the services. But where do these images come from?

AWS ECR is the service which answers this question, it is a managed container image registry service. It is a fully managed, secure and highly available docker compatible registry service. It supports private docker repos with resource based permissions. You can use CLI of your choice to push, pull and manage docker images. The range of images which can be stored in the ECR is any kind of OCI (Open Container Initiative) compatible image.

Registries and Repositories

These 2 terms will pop up quite frequently due to which I think it’s better to get it out of the way as early as possible. 

Each account has a registry, each registry can contain multiple repositories and each repository can contain multiple images.

Private Registries

Each AWS account is provided with a private repository by default. Each private repository has its own URL of the format https://aws_account_id/dkr.ecr.region.amazonaws.com

One must also authenticate their docker clients with the private registry so that they can use docker commands to push and pull docker images from the repositories of that registry. 

You can create a replica of your private repositories in different regions and also in various accounts by configuring replication of your private registry.

Public Registries

Once you create a public registry, an alias is assigned to it. You can request for a new alias of your choice and if it is available then it will be granted to you. 

Every public registry also has a URL assigned to it. Due to the public nature of this registry, all the repositories which lie under public registry are accessible publicly under the URL https://gallery.ecr.aws/registry_alias/repository_name . This is a part of AWS’ Amazon ECR Public Gallery which is available at https://gallery.ecr.aws.

Permissions in ECR

ECR maintains a repository based permission, this adds 2 levels of permissions to all users of ECR, IAM permissions and repository policies. There can be multiple repositories under a single account, but multiple accounts may have permission to access this repository on multiple different levels.

While IAM permissions are resource specific, ECR’s repository policies help you control the access to only a specific part of the service which is the repository. So if you want a user to access your repository, that user also needs to have the appropriate IAM permissions attached.

 

On a theoretical level, these are the things which I think one needs to know to start on their journey with AWS’ ECR service. I suggest exploring the ECR console to see the options provided and to understand the process of creating and managing a repository and registry.