Ways to Authenticate for Pull/Push Private Container Images from AWS
There are some ways to authenticate from ECR. What I’ve known so far are, manual with docker login and another one is using credential helper.
To manually login, you could simply run these commands on your device
# this is assuming you're using the default profile or you have exported the AWS_ environment variables
aws ecr get-login-password | docker login --username AWS --password-stdin <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com
# with a different profile
AWS_PROFILE=another aws ecr get-login-password | docker login --username AWS --password-stdin <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com
# do docker stuff
docker pull <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/some/image:version
docker push <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/some/image:versionYou will have short-lived (12 hours) docker credentials stored in your device. Once it’s expired, you will get a token expired error and you will need to do the same thing again.
Another way is to let a credential helper manage the token for you. First, you need to install this credential helper on your device. The credential helper will allows use to use credentials in:
- The shared credentials file (
~/.aws/credentials) - The
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYenvironment variables - An IAM role for an Amazon ECS task
- An IAM role for Amazon EC2
After you install aws credential helper on your local device, you can update your ~/.docker/config.json with these
{
...
"credHelpers": {
"<AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com": "ecr-login"
},
"credsStore": "ecr-login",
...
}Then you can just directly run
docker pull <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/some/image:version
#
docker push <AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com/some/image:versionAnd that’s it, no need to run aws ecr get-login-password every time the token is expired. ecr-login will rotate it for you.
