Docker, seamless access to AWS ECR
Accessing the AWS ECR with docker commands requires authentication. One mechanism to accomplish this is to do a docker login at regular intervals, e.g.
aws --profile DeployECR ecr get-login-password | docker login --username AWS --password-stdin 496266697631.dkr.ecr.us-east-2.amazonaws.com
Another is to use the Credential Helper mechanism in docker login.
Once set up, this is seamless and removes the need for docker login/logout.
Begin by reading the docs at the Amazon ECR Docker Credential Helper project on GitHub.
Get/Compile the code
git clone https://github.com/awslabs/amazon-ecr-credential-helper.git
cd amazon-ecr-credential-helper
make docker
cp bin/local/docker-credential-ecr-login ~/bin/
chmod 700 ~/bin/docker-credential-ecr-login
cd ..
rm -rf amazon-ecr-credential-helper
Configure Docker to use the helper
~/.docker/config.json
{
    "credHelpers": {
        "public.ecr.aws": "ecr-login",
        "135792468321.dkr.ecr.us-east-2.amazonaws.com": "ecr-login"
    }
}
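A check of the finished setup, as an added example that is not part of the original page or of the amazon-ecr-credential-helper project: it confirms that every credHelpers entry resolves to a docker-credential-<name> binary on the PATH that others cannot overwrite, and flags `auths` entries left behind by the earlier docker login approach. The function names and finding labels are hypothetical, and the `auths` entry in the sample is constructed.

```python
import json, os, re, stat, tempfile

# Private ECR registry hostnames: <12-digit account>.dkr.ecr.<region>.amazonaws.com
ECR_HOST = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$")

def find_helper(name, path_dirs):
    """Docker runs `docker-credential-<name>` from PATH; return its full path or None."""
    for d in path_dirs:
        candidate = os.path.join(d, "docker-credential-" + name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def audit(config, path_dirs):
    """Return a sorted list of (registry, problem) findings for a parsed config.json."""
    findings = []
    helpers, auths = config.get("credHelpers", {}), config.get("auths", {})
    for registry, name in helpers.items():
        binary = find_helper(name, path_dirs)
        if binary is None:
            findings.append((registry, "helper-not-on-path"))
        elif os.stat(binary).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((registry, "helper-writable-by-others"))
    for registry, entry in auths.items():
        host = registry.split("://")[-1].split("/")[0]
        if entry.get("auth"):
            findings.append((host, "static-credential-in-config"))  # left by `docker login`
        if ECR_HOST.match(host) and host not in helpers and "credsStore" not in config:
            findings.append((host, "ecr-registry-without-helper"))
    return sorted(findings)

def demo():
    # Constructed sample: the page's credHelpers plus a leftover `auths` entry.
    config = json.loads("""{
      "credHelpers": {"public.ecr.aws": "ecr-login",
                      "135792468321.dkr.ecr.us-east-2.amazonaws.com": "ecr-login"},
      "auths": {"496266697631.dkr.ecr.us-east-2.amazonaws.com": {"auth": "Y29uc3RydWN0ZWQ="}}
    }""")
    with tempfile.TemporaryDirectory() as bindir:
        helper = os.path.join(bindir, "docker-credential-ecr-login")
        open(helper, "w").close()
        os.chmod(helper, 0o700)          # same mode the page sets
        ok = audit(config, [bindir])
        os.chmod(helper, 0o777)          # deliberately loosened for the second run
        loose = audit(config, [bindir])
    return ok, loose

if __name__ == "__main__":
    print(demo())
```

To check a real machine, pass the parsed ~/.docker/config.json and `os.environ["PATH"].split(os.pathsep)` to `audit`.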
Configure AWS credentials
~/.aws/credentials
[DeployECR]
region = us-east-2
output = json
aws_access_key_id = <redacted>
aws_secret_access_key = <redacted>
Note: If you're using creds from a profile instead of the default creds, you'll have to set the AWS_PROFILE environment variable, e.g. for the above config:
AWS_PROFILE=DeployECR docker pull 135792468321.dkr.ecr.us-east-2.amazonaws.com/mycontainer:latest
One way to do this is to alias the docker command to include setting the profile each time, e.g. in bash and related shells:
alias docker="AWS_PROFILE=DeployECR docker"
If you ever need to run the unaliased version of the command, simply prefix it with a backslash, i.e. \docker pull ...