Exposing Private ECR Images to External Users

Amazon's Elastic Container Registry (ECR) allows you to push and pull images to a private repository inside your AWS account. This is extremely useful for private images or for integrating with Amazon's CI/CD pipeline tools.

The exercise here is configuring an ECR repository to allow pulls by known external users. The business case is that a customer purchases software, and you want to give them access to a private container image.

ECR provides some useful capabilities for managing this workflow. Pulling from ECR requires both the AWS CLI and Docker to be installed on the pulling machine.

Create an Authentication Policy

First, there needs to be a policy that allows the user to authenticate with ECR and retrieve the login credentials that Docker needs.

Create an IAM Policy called AmazonEC2ContainerRegistryLogin and grant it these policy rights:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

When assigned, the above policy allows a user to call the ecr:GetAuthorizationToken action. This is what the aws ecr get-login AWS CLI command uses to retrieve the Docker login credentials, as shown below. Note that it only grants a token; what the user can do with that token is decided by the repository permissions set later.

Next is creating an IAM user with this policy attached.

Create the IAM User

Create an IAM user inside your account. Give them programmatic access so that we can later use the aws ecr get-login command for this user.

[Screenshot: Create IAM User]

When assigning them permissions, add the Policy that was just created to this user.

This will provide your user with AWS Access Keys that can be used by the CLI tool.

Set Repository Permissions

This assumes that a repository was previously created. The final step in the configuration process is adding the user to your repository permissions.

To do this, open your repository and then click the Permissions tab.

Add a new permissions statement that names the specific IAM users you want to grant pull access to.

Then grant them the pull actions only; nothing in this workflow needs the customer to push, tag, or delete images.
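The repository permissions step above can be done from the console, but the same statement can be generated and applied from the owner account with the AWS CLI. The following is an added example, not code from the original post: it builds a repository policy that grants exactly the three read actions a docker pull needs (ecr:BatchCheckLayerAvailability, ecr:BatchGetImage, ecr:GetDownloadUrlForLayer) to one IAM user, checks that no push or delete action slipped in, and only then calls aws ecr set-repository-policy. The account id, user name, repository name and region are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the original post): build and apply a pull-only
# repository policy for one named IAM user.
# Assumed placeholders: account id, user name, repository name and region
# are passed in by the caller.

# Print a repository policy granting pull-only actions to a single IAM user.
# $1 = AWS account id that owns the user, $2 = IAM user name
ecr_pull_policy() {
    cat <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPullForExternalUser",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::$1:user/$2"
            },
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ]
        }
    ]
}
EOF
}

# Guard before applying: the policy must contain the read action a pull
# needs and must not contain any write or delete action.
# $1 = policy document text; returns 0 when it is pull-only.
ecr_policy_is_pull_only() {
    policy="$1"
    printf '%s' "$policy" | grep -q '"ecr:BatchGetImage"' || return 1
    printf '%s' "$policy" \
        | grep -Eq '"ecr:(Put|InitiateLayerUpload|UploadLayerPart|CompleteLayerUpload|BatchDelete|Delete)' \
        && return 1
    return 0
}

# Apply the policy with the AWS CLI. This is the only part that talks to AWS
# and it needs credentials for the repository owner account.
# $1 = account id, $2 = user name, $3 = repository name, $4 = region
ecr_apply_pull_policy() {
    policy="$(ecr_pull_policy "$1" "$2")"
    ecr_policy_is_pull_only "$policy" || {
        echo "refusing to apply a policy that is not pull-only" >&2
        return 1
    }
    aws ecr set-repository-policy \
        --region "$4" \
        --repository-name "$3" \
        --policy-text "$policy"
}

# Usage (owner account credentials in the environment):
#   ecr_apply_pull_policy 123456789012 customer-acme my-repo us-east-1
```

The Principal is a single user ARN rather than the customer's whole account, so adding a second customer means adding a second statement rather than widening the first. The pull-only check is deliberately pessimistic: it rejects any action name starting with ecr:Put or one of the layer-upload or delete verbs, which covers everything a customer should never be able to do to your image.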

Pulling ECR Images

With the AWS CLI installed and the access keys from the user creation step configured, you can run the following on a remote machine:

$(aws ecr get-login)

This command automatically logs Docker in using your IAM user's credentials, so Docker can access the repository.

From there, you can just issue

docker pull <repository_url>
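The login step above relies on aws ecr get-login, which the AWS CLI has since replaced with aws ecr get-login-password (AWS CLI v2, and v1 from 1.17.10). The following is an added example, not code from the original post, showing the customer-side flow with the newer command: it derives the registry host and region from the image reference, pipes the temporary token into docker login on stdin so it never lands in shell history or the process list, and then pulls. The image reference used in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): log Docker in to the ECR
# registry that hosts an image and pull it, using the customer's IAM keys
# from the standard AWS environment variables or profile.

# Registry host from a full image reference, for example (constructed):
#   123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo:1.0
# gives 123456789012.dkr.ecr.us-east-1.amazonaws.com
ecr_registry_host() {
    printf '%s\n' "${1%%/*}"
}

# Region embedded in the registry host name (fourth dot-separated field).
ecr_region_from_host() {
    printf '%s\n' "$1" | cut -d. -f4
}

# Log in with a temporary token and pull the image.
# $1 = full image reference (registry host / repository : tag)
ecr_pull() {
    image="$1"
    host="$(ecr_registry_host "$image")"
    region="$(ecr_region_from_host "$host")"
    # The authorization token is valid for 12 hours; passing it on stdin
    # keeps it out of argv and shell history.
    aws ecr get-login-password --region "$region" \
        | docker login --username AWS --password-stdin "$host" || return 1
    docker pull "$image"
}

# Usage (customer's IAM user keys in the environment):
#   ecr_pull 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo:1.0
```

Because the user only holds ecr:GetAuthorizationToken in IAM and pull actions in the repository policy, the token this produces is good for docker pull against that repository and nothing else, and it expires on its own after 12 hours.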