What is Amazon ECR?

An introduction to Amazon Elastic Container Registry (ECR), AWS's fully managed container registry service. Learn how ECR provides a secure and reliable place to store, manage, and deploy your Docker container images.

If you are building applications with Docker containers, you need a place to store your container images. A container registry is a storage system for your images, similar to how GitHub is a storage system for your source code. While you can use public registries like Docker Hub, for private applications, you need a secure, private registry.

On AWS, the native solution for this is Amazon Elastic Container Registry (ECR).

What is Amazon ECR?

Amazon ECR is a fully managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. ECR is deeply integrated with the AWS ecosystem, making it the standard choice for developers running containerized applications on services like Amazon ECS (Elastic Container Service) and EKS (Elastic Kubernetes Service).

Key Features of ECR

  • Fully Managed: AWS handles the work of operating and scaling the infrastructure required to run your container registry. You don't have to worry about managing servers or storage.
  • Secure: ECR integrates with AWS Identity and Access Management (IAM) to provide resource-level control of your repositories. This allows you to define fine-grained permissions for who can push (upload) and pull (download) images.
  • High Availability and Durability: Your images are stored in Amazon S3, which means they are highly available and durably stored. ECR also automatically replicates your data across multiple Availability Zones.
  • Vulnerability Scanning: ECR can be configured to automatically scan your images for known software vulnerabilities (Common Vulnerabilities and Exposures, or CVEs), helping you to improve the security of your applications.
  • Integration with AWS Services: ECR works seamlessly with Amazon ECS, EKS, and AWS Lambda, simplifying your development-to-production workflow.

The ECR Workflow

Working with ECR is very similar to working with other Docker registries like Docker Hub.

1. Create a Repository

In ECR, an image is stored in a repository. You first create a repository in the ECR console or via the AWS CLI. For example, you might create a repository named my-awesome-app.

2. Authenticate the Docker CLI to Your Registry

Before you can push or pull images, you need to authenticate your Docker client to your private ECR registry. You can do this by running a command provided by the AWS CLI. This command retrieves a temporary authentication token and configures Docker to use it.

aws ecr get-login-password --region <your-region> | docker login --username AWS --password-stdin <your-aws-account-id>.dkr.ecr.<your-region>.amazonaws.com

3. Tag Your Docker Image

Once you have built your Docker image locally, you need to tag it with the full name of your ECR repository.

docker tag my-awesome-app:latest <your-aws-account-id>.dkr.ecr.<your-region>.amazonaws.com/my-awesome-app:latest

The format is [registry]/[repository]:[tag].

4. Push the Image to ECR

Now you can push the tagged image to your ECR repository.

docker push <your-aws-account-id>.dkr.ecr.<your-region>.amazonaws.com/my-awesome-app:latest

Your image is now securely stored in ECR.

5. Pull and Run the Image

From any machine that is authenticated to your ECR registry (like an EC2 instance in your ECS cluster), you can now pull and run the image just like any other Docker image.

docker pull <your-aws-account-id>.dkr.ecr.<your-region>.amazonaws.com/my-awesome-app:latest
docker run <your-aws-account-id>.dkr.ecr.<your-region>.amazonaws.com/my-awesome-app:latest
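
Steps 1 to 4 above can be combined into one script that validates its inputs before any token or image is sent to a registry host, and that enables scan on push when it creates the repository. This is an added example, not part of the original article or of AWS tooling; the function names ecr_registry, ecr_image_ref and ecr_publish are hypothetical. It assumes the AWS CLI and Docker are installed, credentials are configured, and the local image carries the same name as the repository.

```shell
#!/bin/sh
# Added example: workflow steps 1-4 as one script. ecr_registry, ecr_image_ref
# and ecr_publish are hypothetical helper names, not AWS tooling.

# Print the private registry host. Malformed account IDs and regions are
# rejected so a typo cannot send the login token or image to another host.
ecr_registry() {
    case "$1" in
        *[!0-9]*) echo "account id must be 12 digits" >&2; return 1 ;;
    esac
    [ "${#1}" -eq 12 ] || { echo "account id must be 12 digits" >&2; return 1; }
    case "$2" in
        ""|*[!a-z0-9-]*) echo "bad region: $2" >&2; return 1 ;;
    esac
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Print [registry]/[repository]:[tag] for: account, region, repository, tag.
ecr_image_ref() {
    reg=$(ecr_registry "$1" "$2") || return 1
    case "$3" in
        ""|*[!a-z0-9._/-]*) echo "bad repository name: $3" >&2; return 1 ;;
    esac
    case "${4:-latest}" in
        *[!A-Za-z0-9_.-]*) echo "bad tag: $4" >&2; return 1 ;;
    esac
    printf '%s/%s:%s\n' "$reg" "$3" "${4:-latest}"
}

# Create the repository if missing (scan on push enabled), log in, tag, push.
ecr_publish() {
    ref=$(ecr_image_ref "$@") || return 1
    reg=${ref%%/*}   # registry host is everything before the first slash
    aws ecr describe-repositories --region "$2" --repository-names "$3" >/dev/null 2>&1 ||
        aws ecr create-repository --region "$2" --repository-name "$3" \
            --image-scanning-configuration scanOnPush=true >/dev/null || return 1
    aws ecr get-login-password --region "$2" |
        docker login --username AWS --password-stdin "$reg" || return 1
    docker tag "$3:${4:-latest}" "$ref" || return 1
    docker push "$ref"
}

# Runs only when asked: sh ecr.sh publish 123456789012 us-east-1 my-awesome-app latest
if [ "${1:-}" = "publish" ]; then
    shift
    ecr_publish "$@"
fi
```

The account ID 123456789012 in the usage comment is a constructed placeholder.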

Conclusion

Amazon ECR is an essential service for any developer working with containers on AWS. It provides a secure, scalable, and reliable home for your container images, and its deep integration with the rest of the AWS ecosystem makes it the natural choice for managing your container lifecycle. By handling the undifferentiated heavy lifting of operating a container registry, ECR allows you to focus on building and shipping your application.