Based on official nginx alpine.
The container will renew the AWS token every 4 hours.
Based off the work from this repo: https://github.com/catalinpan/aws-ecr-proxy Updated AWS CLI to v2+
The following table describes the parameters you can provide as Docker environment variables.
| Name | Default value | Description |
|---|---|---|
AWS_KEY |
The AWS access key used to execute AWS ECR API requests. | |
AWS_SECRET |
The AWS secret used to execute AWS ECR API requests. | |
DOCKER_REGISTRY_VERSION |
2 | The version of the Docker registry to use. |
REGION |
The AWS region where your AWS ECR registries are located. | |
RENEW_TOKEN |
4h | The interval used to indicate how often to renew the AWS token. |
AUTH_INDEX |
0 | The index in the authorizationData array to use. |
To check the health of the container/registry use FQDN/ping which will give you the heath of the registry with the correct status code.
For AWS instances if the region is not declared it will be auto discovered from IAM as long as the instance supports that. pull request, commit.
The AWS key and secret can be also configured using a IAM role (without mounting them secrets or specifying them as variables). A sample IAM role config can be found in the examples folder. More details on the AWS official documentation.
The configs will be checked in the following order:
- secrets - file mounted
- variables declared at run time
- IAM role
If none are found the container will not start. Check the logs with docker logs CONTAINER_ID.
This will require either to add insecure registry URL or a load balancer with valid ssl certificates. Check https://docs.docker.com/registry/insecure/ for more details.
docker run -e AWS_SECRET='YOUR_AWS_SECRET' \
-e AWS_KEY='YOUR_AWS_KEY' \
-e REGION='YOUR_AWS_REGION' \
-d catalinpan/aws-ecr-proxy
docker run -e AWS_SECRET='YOUR_AWS_SECRET' \
-e AWS_KEY='YOUR_AWS_KEY' \
-e REGION='YOUR_AWS_REGION' \
-v `pwd`/YOUR_CERTIFICATE.key:/etc/nginx/ssl/default.key:ro \
-v `pwd`/YOUR_CERTIFICATE.crt:/etc/nginx/ssl/default.crt:ro \
-d catalinpan/aws-ecr-proxy
The configuration should look like below example.
cat ~/.aws/config
[default]
# region example eu-west-1
region = REGION
aws_access_key_id = YOUR_AWS_KEY
aws_secret_access_key = YOUR_AWS_SECRET
docker run -v ~/.aws:/root/.aws:ro \
-v `pwd`/YOUR_CERTIFICATE.key:/etc/nginx/ssl/default.key:ro \
-v `pwd`/YOUR_CERTIFICATE.crt:/etc/nginx/ssl/default.crt:ro \
-d catalinpan/aws-ecr-proxy
With region and credentials from IAM role.
docker run -d catalinpan/aws-ecr-proxy
With region as environment variable and credentials from IAM role.
docker run -e REGION='YOUR_AWS_REGION' -d catalinpan/aws-ecr-proxy
docker run -d catalinpan/aws-ecr-proxy \
-e DOCKER_REGISTRY_VERSION=1
Build the default catalinpan/aws-ecr-proxy image with the version specified in the version.txt file.
./build.sh
Build an image with a custom name and version.
./build.sh --name=company-name/aws-ecr-proxy --version=1.0.0
Publish the default catalinpan/aws-ecr-proxy image with the version specified in the version.txt file.
./publish.sh --latest
Publish an image with a custom name and version.
./publish.sh --latest --name=company-name/aws-ecr-proxy --version=1.0.0
docker stack deploy --compose-file ./docker-compose.swarm.yml ${serviceName}
Where serviceName is the name of the service, it could be ecr-proxy
The certificates included are just to get nginx started. Generate your own certificate, get valid ssl certificates or use the container behind a load balancer with valid SSL certificates.
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout default.key -out default.crt
Kubernetes examples contain also a health check. The configs can be changed to get aws_config and ssl certificates as secrets.
The configuration provided will require valid ssl certificates or to be behind a load balancer with valid ssl.
The daemonSet will be available on all the nodes. Deployments can use 127.0.0.1:5000/container_name:tag instead of FQDN/container_name:tag.