Last Updated: Jun 28, 2024

Amazon Elastic Container Registry(ECR)

Author Shivani Singh

Introduction 

AWS's Amazon Elastic Container Registry (Amazon ECR) stores, manages, and configures Docker images, which are organized clusters of Amazon EC2 instances. All AWS developers can save configuration settings and immediately move them into a production system using Amazon ECR, which reduces overall workloads. AWS Elastic Container Registry (ECR) is a container registry that is fully managed by AWS. AWS ECR integrates natively with AWS EKS, AWS ECS, AWS Lambda, and the Docker CLI, making development and production workflows easier.

Source: Amazon ECR

Amazon ECR offers a command-line interface (CLI) and APIs for managing repositories and integrated services like Amazon Elastic Container Service (Amazon ECS), which sets up and manages the infrastructure for these containers. The main difference between Amazon ECR and Amazon ECS is that while ECR provides a repository for all code that has been published and packaged as a Docker image, ECS actively uses these files in application deployment. To push or pull docker containers to or from an AWS region, a programmer can use the Docker command-line interface. Amazon ECR can be used in any environment that has a Docker container service, including on-premises environments. For multi-container environments, AWS Elastic Beanstalk also supports Amazon ECR.

Setting Up with Amazon Elastic Container Registry(ECR)

1. Sign up for Amazon Web Services (AWS). If you already have an AWS account, skip to the next step. Create an AWS account if you don't already have one. You will receive an AWS account number as a result of this procedure. Keep that in mind for the future.

2. Create a user in IAM. The IAM console is used for this. To make an administrator user for yourself and add it to an administrators group (console), do the following:

  • Select Root user and enter your AWS account email address to log in to the IAM console as the account owner. Enter your password on the next page.
  • Select Users from the navigation pane, then Add Users
  • Enter Administrator as the user name.
  • Select AWS Management Console access from the drop-down menu. Then, under Custom password, type your new password in the text box.
  • By default, AWS requires a new user to create a new password when first signing in. You can clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after signing in.
  • Select Next: Permissions.
  • Select Add user to a group under Set permissions.
  • Select the option to create a group.
  • In the Create group dialogue box, type Administrators in the Group name field.
  • To filter the policies, select Filter policies, then AWS managed - job function.
  • Select the AdministratorAccess check box in the policy list. Then select Create group from the drop-down menu.
  • Return to the list of groups and check the box for your new group. If necessary, choose Refresh to see the group in the list.
  • Select Next: Tags.
  • Attach tags as key-value pairs to the user to add metadata. See Tagging IAM Entities in the IAM User Guide for more information on using tags in IAM.
  • Select Next: Review to see the list of group memberships that will be assigned to the new user. Choose Create user when you're ready to move forward.


3. You can repeat this process to add more groups and users, as well as grant access to your AWS account resources to your users. Sign out of the AWS console and use the following URL to sign in as this new IAM user,  where your_aws_account_id is your AWS account number without the hyphens.


How Amazon Elastic Container Registry(ECR) works

The Amazon Elastic Container Registry generates and packages code as a Docker image.

It then compresses, encrypts, and manages image access, as well as image lifecycles, including all tags and versions.

Finally, Amazon ECS retrieves the required Docker images from ECR for use in application deployment and continues to manage containers across all platforms, including Amazon Elastic Kubernetes Service (Amazon EKS), AWS cloud, and on-premise networks.

Source: Amazon ECR working

Besides that, Amazon ECR uses Amazon Simple Storage Service (Amazon S3) server-side encryption to encrypt container images at rest, and administrators can use AWS Identity and Access Management (AWS IAM) to create access restrictions for each repository. Container images are saved in S3 by the container registry for superior efficiency.

Components of Amazon Elastic Container Registry(ECR)

  • Docker images: Docker images are a type of container. An image is the file that a Docker container uses to execute code.
  • Repository: The Amazon ECR repository holds the Docker images. Images can be pushed to and pulled from the repository by programmers.
  • Repository policy: These policies are used by developers to control access to repositories and the images within them.
  • Registry: Amazon ECR is available to all AWS accounts, making it possible to create repositories and store images in them.
  • Authorization token: The Docker client must authenticate as an AWS account holder before it can push and pull images.
     

Operations performed by Amazon ECR

Amazon ECR supports operations such as pushing a Docker image, viewing image details, deleting an image, and retagging an image. Each is discussed below.
 

Source: AWS

Pushing a Docker image

The docker push command can be used to push your container images to an Amazon ECR repository. Amazon ECR also allows you to create and push Docker manifest lists, which are used to create multi-architecture images. Each image in a manifest list must have already been pushed to your repository.

Pushing a Docker image to an Amazon ECR repository

  1. Log in to the Amazon ECR registry where you plan to push your image with your Docker client. Authentication tokens must be obtained for each registry that is used, and the tokens are valid for 12 hours.
  2. If your image repository does not yet exist in the registry to which you intend to push, create it.
  3. Determine which local image to push. To list the container images on your system, use the docker images command.
  4. Use the Amazon ECR registry, repository, and optional image tag name combination to tag your image. The registry format is aws_account_id.dkr.ecr.region.amazonaws.com.
  5. Use the docker push command to push the image: docker push aws_account_id.dkr.ecr.region.amazonaws.com/my-repository:tag
     

Source: Build and push docker image AWS ECR using GitHub actions

Viewing image details 

You can view an image's details in the AWS Management Console after you've pushed it to your repository. The following information is included: 

  • Image URI 
  • Image tags
  • Artifact media type
  • Image manifest type
  • Scanning status
  • The size of the image in MB
  • When the image was pushed to the repository
  • The replication status

 

To view image details (AWS Management Console):

  1. Go to https://console.aws.amazon.com/ecr/repositories to reach the Amazon ECR console.
  2. From the navigation bar, select the Region that contains the repository holding your image.
  3. Select Repositories from the navigation pane.
  4. Select the repository to display.
  5. On the Repositories: repository_name page, choose the image to view the details.

Pulling an image

Use the docker pull command to pull your image to your local environment.

To pull a Docker image from an Amazon ECR repository:

  1. Authenticate your Docker client with the Amazon ECR registry from which you want to pull your image. Authentication tokens must be obtained for each registry that is used, and the tokens are valid for 12 hours.
  2. Select the image to be pulled.
  3. Use the aws ecr describe-images command to describe the images in a repository. aws ecr describe-images --repository-name
  4. By using the docker pull command, pull the image. To pull by tag, the image name format must be registry/repository[:tag]; to pull by digest, the image name format should be registry/repository[@digest].
     

Source: Docker image

Using pull through cache rules

Pull limits and costs are associated with Docker Hub, Quay, and other registry providers. Trying to run large builds (or many small builds on a regular basis) may result in costs, rate limiting, or both. The use of a "pull-through" cache reduces network traffic while avoiding the limits placed by registry providers. 

A registry mirror with no images is regarded as a pull-through cache. When your client requests an image from the registry, the registry will either:

  • Provide an existing response from its cache, avoiding egress (or a pull) from your registry, or
  • Pull the image and its metadata from the registry on your behalf and cache them for later use.

Deleting an image

After an image has completed its task, you can delete it.

To remove an image (AWS Management Console)

  1. Go to https://console.aws.amazon.com/ecr/repositories to access the Amazon ECR console.
  2. From the navigation bar, select the Region containing the image to be deleted.
  3. Select Repositories from the navigation pane.
  4. On the Repositories page, select the repository containing the image to be deleted.
  5. On the Repositories: repository_name page, click Delete in the box to the left of the image you want to delete.
  6. In the Delete image(s) dialogue box, confirm that the images you want to delete should be deleted and click Delete.

Retagging an image 

For Docker Image Manifest V2 Schema 2 images, you can retag an existing image with the --image-tag option of the put-image command.

Using the AWS CLI to retag an image

  1. Run the batch-get-image command to obtain the image manifest for the image to be retagged and save it to a file.
  2. Use the --image-tag option of the put-image command to add a new tag to the image manifest in Amazon ECR.
  3. Check to see if your new image tag is tied to your image.

Private image replication 

Amazon ECR configures private image replication at the registry level using registry settings. A private registry hosted by Amazon ECR can be configured for cross-region or cross-account replication. Each Region has its own replication configuration for a private registry. The following section goes into greater detail about the replication methods that are supported.

Cross-region replication: Enabling cross-Region replication for your registry creates replicas of the repositories in one or more destination Regions. Only images that are pushed to a repository after cross-Region replication has been configured are copied.

Cross-account replication: Enabling cross-account replication for your registry creates replicas of the repositories in the destination account and Regions you specify. To enable cross-account replication, the destination account must set up a registry permissions policy that allows replication from your registry.

Lifecycle policies 

AWS offers ECR Lifecycle policies, which allow users to set validity periods for their images. This means that you can automate the deletion of ECR images that you no longer require. Many other AWS services, such as S3 buckets, include lifecycle policies.

Use cases: There are numerous use cases for applying a lifecycle policy to ECR repositories:

  1. Create more space: Free-tier users receive 50 GB of always-free storage per month for their public repositories. For private repositories, however, they only have access to 500 MB of storage per month.
  2. Lower storage costs: Above these free-tier limits, storage costs $0.10 per GB per month for data stored in both private and public repositories.
     

The above picture depicts the workflow of the lifecycle policy

  1. Create one or more test rules.
  2. Save all the test rules before running the preview.
  3. The lifecycle policy evaluator goes through all rules and notes which images each rule affects.
  4. Based on rule priority, the lifecycle policy evaluator then applies the rules and displays which images in the repository are set to expire.
  5. Examine the test results to ensure that the images marked as expired are the ones you intended.
  6. Apply the test rules as the repository's lifecycle policy.
  7. After the lifecycle policy is created, the images that are affected expire within 24 hours.
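
The preview steps above can be rehearsed offline before a policy is applied. The following is an added example, not code from the original article or from AWS: a simplified model of the evaluator that assumes an image whose tags matched an earlier rule cannot be expired by a later one. The policy uses the lifecycle policy JSON field names; the rule values, image digests and the fixed clock are constructed.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 28, tzinfo=timezone.utc)  # fixed clock so the preview is reproducible

# Lifecycle policy in the JSON shape ECR accepts; the rule values are constructed.
POLICY = {"rules": [
    {"rulePriority": 1, "description": "keep only the 2 newest prod images",
     "selection": {"tagStatus": "tagged", "tagPrefixList": ["prod"],
                   "countType": "imageCountMoreThan", "countNumber": 2},
     "action": {"type": "expire"}},
    {"rulePriority": 2, "description": "expire untagged images after 7 days",
     "selection": {"tagStatus": "untagged", "countType": "sinceImagePushed",
                   "countUnit": "days", "countNumber": 7},
     "action": {"type": "expire"}},
    {"rulePriority": 3, "description": "expire everything older than 30 days",
     "selection": {"tagStatus": "any", "countType": "sinceImagePushed",
                   "countUnit": "days", "countNumber": 30},
     "action": {"type": "expire"}},
]}

def image(digest, tags, age_days):
    return {"digest": digest, "tags": tags, "pushed_at": NOW - timedelta(days=age_days)}

# Constructed repository contents (placeholder digests, not real images).
IMAGES = [
    image("sha256:aaa", ["prod-1.3"], 1),
    image("sha256:bbb", ["prod-1.2"], 35),   # old, but one of the 2 newest prod images
    image("sha256:ccc", ["prod-1.1"], 45),
    image("sha256:ddd", ["prod-1.0"], 90),
    image("sha256:eee", [], 3),
    image("sha256:fff", [], 10),
    image("sha256:ggg", ["dev-7"], 40),
    image("sha256:hhh", ["dev-8"], 5),
]

def matches_tags(img, selection):
    """Does the image fall under the rule's tagStatus / tagPrefixList?"""
    status = selection["tagStatus"]
    if status == "untagged":
        return not img["tags"]
    if status == "tagged":
        return all(any(t.startswith(p) for t in img["tags"])
                   for p in selection["tagPrefixList"])
    return True  # tagStatus "any"

def over_limit(matched, selection):
    """Images among the matched set that exceed the rule's count or age limit."""
    if selection["countType"] == "imageCountMoreThan":
        newest_first = sorted(matched, key=lambda i: i["pushed_at"], reverse=True)
        return newest_first[selection["countNumber"]:]
    cutoff = NOW - timedelta(days=selection["countNumber"])  # sinceImagePushed, days
    return [i for i in matched if i["pushed_at"] < cutoff]

def preview(policy, images):
    """Return {digest: rulePriority} for every image the policy would expire."""
    expiring, claimed = {}, set()
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        selection = rule["selection"]
        matched = [i for i in images if matches_tags(i, selection)]
        for img in over_limit(matched, selection):
            # An image whose tags matched an earlier rule is left to that rule.
            if img["digest"] not in claimed:
                expiring[img["digest"]] = rule["rulePriority"]
        claimed.update(i["digest"] for i in matched)
    return expiring

if __name__ == "__main__":
    for digest, priority in sorted(preview(POLICY, IMAGES).items()):
        print(f"{digest} expires under rule {priority}")
```

The 35-day-old prod-1.2 image survives even though rule 3 covers its age, because rule 1 already claimed it and kept it as one of the two newest prod images.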

Image tag mutability 

Amazon ECR supports immutable tags, which prevent image tags from being overwritten. Previously, ECR tags could be overwritten; however, this could be avoided by mandating users to authenticate an image using a naming convention.

Tag immutability allows users to rely on an image's descriptive tags as a mechanism for tracking and uniquely identifying images. By making an image tag immutable, developers can use it to link the deployed image version to the build that created it.

Image scanning 

You can use Amazon ECR image scanning to scan your Docker images for known vulnerabilities (CVEs) without paying anything extra or deploying a third-party scanning tool. Amazon ECR uses the open-source CoreOS Clair project's CVE database to provide you with a list of scan findings and vulnerability scores. Static container image scanning is supported for major versions of Amazon Linux, Amazon Linux 2, Debian, Ubuntu, CentOS, Oracle Linux, Alpine, and RHEL Linux distributions. The following scanning types are available.

  1. Enhanced scanning: Amazon ECR works in conjunction with Amazon Inspector and provides automated, continuous scanning of your repositories.
  2. Basic scanning: Amazon ECR makes use of the open-source Clair project's Common Vulnerabilities and Exposures (CVEs) database.
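
Scan findings are most useful when a pipeline acts on them. The following is an added example, not code from the original article: a deployment gate over responses shaped like the output of aws ecr describe-image-scan-findings. The sample responses are constructed, and the default HIGH threshold and the choice to block on unlisted severities are assumptions of this sketch.

```python
SEVERITIES = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def gate(scan, fail_at="HIGH"):
    """Decide whether an image may deploy, from one scan-findings response.

    Returns (allowed, reasons). Anything other than a COMPLETE scan blocks,
    so a failed or still-running scan never counts as "no findings".
    """
    status = scan.get("imageScanStatus", {}).get("status")
    if status != "COMPLETE":
        return False, [f"scan status is {status}, not COMPLETE"]
    threshold = SEVERITIES.index(fail_at)
    # Use the severity totals rather than the findings list, which can be paginated.
    counts = scan.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    reasons = []
    for severity, count in counts.items():
        # Assumption: severities outside the list above (such as UNDEFINED) block too.
        rank = SEVERITIES.index(severity) if severity in SEVERITIES else len(SEVERITIES)
        if count > 0 and rank >= threshold:
            reasons.append(f"{count} {severity} finding(s)")
    return not reasons, sorted(reasons)

def deployable(scans, fail_at="HIGH"):
    """Map each image tag to True/False for a dict of {tag: response}."""
    return {tag: gate(scan, fail_at)[0] for tag, scan in scans.items()}

# Constructed responses (only the fields the gate reads are included).
CLEAN = {"imageScanStatus": {"status": "COMPLETE"},
         "imageScanFindings": {"findingSeverityCounts": {"LOW": 4, "MEDIUM": 3}}}
VULNERABLE = {"imageScanStatus": {"status": "COMPLETE"},
              "imageScanFindings": {"findingSeverityCounts":
                                    {"CRITICAL": 1, "HIGH": 2, "LOW": 5}}}
UNRATED = {"imageScanStatus": {"status": "COMPLETE"},
           "imageScanFindings": {"findingSeverityCounts": {"UNDEFINED": 1}}}
PENDING = {"imageScanStatus": {"status": "IN_PROGRESS"}}

if __name__ == "__main__":
    samples = {"clean": CLEAN, "vulnerable": VULNERABLE,
               "unrated": UNRATED, "pending": PENDING}
    for tag, scan in samples.items():
        allowed, reasons = gate(scan)
        print(tag, "ALLOW" if allowed else "BLOCK", "; ".join(reasons))
```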

Container image manifest formats

Amazon ECR supports the container image manifest styles listed below:

  • Docker Image Manifest V2 Schema 1 (used with Docker version 1.9 and older)
  • Docker Image Manifest V2 Schema 2 (used with Docker version 1.10 and newer)
  • Open Container Initiative (OCI) Specifications (v1.0 and up)

 

Support for Docker Image Manifest V2 Schema 2 adds the following features:

  • The possibility to use multiple tags on the same image.
  • Storage of Windows container images is supported.

Using Amazon ECR Images with Amazon ECS

The following are the prerequisites for using Amazon ECR Images with Amazon ECS:

  1. While using the EC2 launch type for the Amazon ECS tasks, your container instances must use the Amazon ECS container agent version 1.7.0 or later.
  2. The Amazon ECS container instance IAM role (ecsInstanceRole) that you use must have the appropriate Amazon ECR IAM policy permissions.
  3. Ensure that you use the full registry/repository:tag naming convention for your Amazon ECR images in your Amazon ECS task definitions.
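
The naming requirement above, together with the registry/repository[:tag] and registry/repository[@digest] formats from the pull section, can be checked mechanically. The following is an added example, not code from the original article: it parses the image references in a constructed ECS task definition and reports which ones are pinned by digest, which rely on a tag, and which are not full ECR private registry names. The account ID, repository names and digest are constructed, and only the standard aws_account_id.dkr.ecr.region.amazonaws.com host form is recognised.

```python
import re

# Private registry host format given on the page:
# aws_account_id.dkr.ecr.region.amazonaws.com
ECR_HOST = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_reference(ref):
    """Split registry/repository[:tag][@digest] into its parts."""
    name, _, digest = ref.partition("@")
    host, _, path = name.partition("/")
    if not path or not ("." in host or ":" in host):
        host, path = "", name          # no registry host in the reference
    if ":" in path.rsplit("/", 1)[-1]:
        repository, tag = path.rsplit(":", 1)
    else:
        repository, tag = path, ""
    return {"registry": host, "repository": repository, "tag": tag, "digest": digest}

def classify(ref):
    """Label one image reference by how strongly it pins the image content."""
    parts = parse_reference(ref)
    if not ECR_HOST.match(parts["registry"]):
        return "not-ecr-private"       # short name or another registry
    if parts["digest"]:
        return "pinned-by-digest" if DIGEST.match(parts["digest"]) else "malformed-digest"
    if not parts["tag"]:
        return "implicit-latest"       # Docker falls back to the latest tag
    return "tag-only"                  # stable only if the repository's tags are immutable

def audit_task_definition(task_definition):
    """Return {container name: classification} for an ECS task definition."""
    return {c["name"]: classify(c["image"])
            for c in task_definition["containerDefinitions"]}

# Constructed task definition; account ID, names and digest are placeholders.
REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
SAMPLE_DIGEST = "sha256:" + "ab" * 32
TASK_DEFINITION = {"family": "example", "containerDefinitions": [
    {"name": "api", "image": f"{REGISTRY}/my-repository@{SAMPLE_DIGEST}"},
    {"name": "web", "image": f"{REGISTRY}/my-repository:1.4.2"},
    {"name": "worker", "image": f"{REGISTRY}/team/worker"},
    {"name": "sidecar", "image": "my-repository:latest"},
    {"name": "broken", "image": f"{REGISTRY}/my-repository@sha256:abc"},
]}

if __name__ == "__main__":
    for name, verdict in audit_task_definition(TASK_DEFINITION).items():
        print(f"{name:8} {verdict}")
```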

Using Amazon ECR Images with Amazon EKS

Amazon Elastic Kubernetes Service is a Kubernetes service provided by AWS infrastructure. Kubernetes resources, like any other AWS service, will be fully managed by AWS, reducing the burden on developers to maintain them. AWS also ensures that these resources are always highly available and reliable.

Necessary requirements:

  1. kubectl: The command-line tool that we will use to communicate between our machine and the Kubernetes cluster. Instructions for installation can be found at https://kubernetes.io/docs/tasks/tools/install-kubectl/.
  2. AWS Command Line Interface (CLI): An AWS tool that will be used to issue commands related to AWS configurations. Follow this link to install: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
  3. AWS IAM Authenticator: Grants access to our Kubernetes cluster using IAM roles. https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html
  4. eksctl: AWS EKS's official CLI tool.

Amazon Linux container image

The Amazon Linux container image is made up of the same software components as the Amazon Linux AMI. It can be used as a reference image for Docker workloads in any environment. If you use the Amazon Linux AMI for applications in Amazon EC2, you can containerize them using the Amazon Linux container image.

In your local development environment, you can use the Amazon Linux container image and then push your application to AWS via Amazon ECS.

To obtain the Amazon Linux container image from Amazon ECR Public, follow these steps.

  1. Log in to the Amazon Linux Public Registry with your Docker client. Authentication tokens are valid for a period of 12 hours.
  2. Use the docker pull command to obtain the Amazon Linux container image.
  3. Start the container locally.

Amazon ECR private repositories

Amazon ECR provides API operations for creating, monitoring, and deleting image repositories, as well as setting permissions that regulate who has access to them.

Creating a private repository

To create a repository, follow the steps below:

  1. Go to https://console.aws.amazon.com/ecr/repositories to access the Amazon ECR console.
  2. From the navigation bar, select the Region in which you want to create your repository.
  3. Select Repositories from the navigation pane.
  4. On the Repositories page, select the Private tab, followed by Create repository.
  5. In the Visibility settings, make sure that Private is selected.
  6. Enter a unique name for your repository in the Repository name field. 
  7. For Tag immutability, select the repository's tag mutability setting. Immutable tags in repositories protect image tags from being overwritten.
  8. For Scan on Push, while basic scanning can be configured at the repository level, it is best practice to configure the scan configuration at the private registry level.
  9. For KMS encryption, select whether to enable AWS Key Management Service encryption of images in the repository. When KMS encryption is activated, Amazon ECR utilizes an AWS managed key (KMS key) with the alias aws/ecr by default. When KMS encryption is enabled, you can go to Customer encryption settings (advanced) and enter your own KMS key.
  10. Select Create repository.

Viewing private repository details

The following details can be viewed:

  1. What types of images are saved in a repository?
  2. Information about each image in the repository, such as its size and SHA digest.
  3. The frequency with which the repository's contents are scanned
  4. Whether or not the repository is associated with an active pull-through cache rule.
  5. The repository's encryption settings.

Editing a private repository

To edit a repository, follow these steps: 

  1. Select the Region that includes the repository to edit from the navigation bar.
  2. Select Repositories from the navigation pane.
  3. On the Repositories page, click the Private tab, then click the repository you want to edit and click Edit.
  4. For Tag immutability, select the repository's tag mutability setting.
  5. For image scan settings, while basic scanning can be specified at the repository level, it is best practice to specify the scan configuration at the private registry level.
  6. For Encryption settings, this is a view-only field.
  7. Select Save to save the repository settings.

Deleting a private repository

To delete a repository, follow these steps:

  1. Go to https://console.aws.amazon.com/ecr/repositories to access the Amazon ECR console.
  2. From the navigation bar, select the Region containing the repository to be deleted.
  3. Select Repositories from the navigation pane.
  4. On the Repositories page, select the Private tab, then select the repository to remove and press the Delete button.
  5. In the Delete repository name window, confirm that the chosen repositories should be removed and press the Delete button.

Benefits of Amazon Elastic Container Registry(ECR)

  • Increased security is one of the most significant benefits offered by Amazon ECR. In Amazon ECR, all images are sent over HTTPS. To ensure increased security, images at rest are automatically encrypted.
     


  • For the interface, AWS security groups can be chosen to control whether each host is allowed to communicate with it. AWS security groups are virtual firewalls that can be easily created, attached, and deleted at the instance level.
  • The Amazon ECR architecture is scalable, durable, and redundant. As a result, Docker images are readily available and accessible, allowing users to deploy new containers for their apps quickly and reliably.
  • With Amazon ECR there is no software to install and manage and no infrastructure to scale. Users simply upload images to ECR and retrieve them when they're needed using any container management tool.

Frequently Asked Questions

What is the pricing for Amazon ECR?

There are no upfront costs or commitments with Amazon ECR. You only pay for the data you store in your public or private repositories, as well as the data you transfer to the internet.

What is the difference between Amazon ECR public and private repositories?

A private repository does not support content search and requires AWS IAM-based authentication with AWS account credentials before images can be pulled. A public repository contains descriptive content and lets anyone from anywhere pull images without the requirement for an AWS account or IAM credentials. The Amazon ECR public gallery also lists images from public repositories.

Does the Amazon ECR public gallery provide AWS-published images?

Yes. Amazon ECR hosts official public use container images and artifacts from services including Amazon EKS, Amazon SageMaker, and AWS Lambda.

Does Amazon ECR work with Amazon ECS?

Yes. Amazon ECR is linked with Amazon ECS, making it simple to store, execute, and manage container images for Amazon ECS-based applications. Simply specify the Amazon ECR repository in your task configuration, and Amazon ECS will retrieve the images you require for your applications.

Conclusion 

To summarise this blog, we first talked about Amazon Elastic Container Registry (ECR), how to set it up, and how it works, and then we talked about the components and benefits of Amazon Elastic Container Registry (ECR).
