Pulling Docker images from 2 AWS ECR private registries without login

Artiya
2 min read · Sep 12, 2024


Why

Sometimes we need two images from two AWS ECR registries in different accounts, deployed as the same stack, without having to log in to each AWS account and pull each image separately. amazon-ecr-credential-helper makes it easy to pull images from ECR, but it does not automatically support two accounts when used with docker-compose. My solution is a wrapper script that sets the account profile and then calls amazon-ecr-credential-helper as normal. It needs a little setup; an example is below.

Setting up

  1. Install amazon-ecr-credential-helper as a command-line program.
  2. Set up users that have ECR image pull permission for both ECRs.
  3. Create the wrapper script on the system executable path at /usr/bin/docker-credential-ecr-auto and make it executable. The wrapper sets AWS_PROFILE to the name of the registry being pulled from.

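#!/usr/bin/env bash
# Docker invokes the helper as "docker-credential-ecr-auto get" and writes
# the registry hostname to stdin.
if [ "get" == "$1" ]; then
  # -r keeps backslashes in the input literal
  read -r REGISTRY
  # Use the registry hostname as the AWS profile name, then delegate.
  echo "$REGISTRY" | AWS_PROFILE="$REGISTRY" docker-credential-ecr-login get
fi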

3. Create the AWS account profiles in ~/.aws/config. 111111111111 and 222222222222 are the two accounts to pull Docker images from. Make sure the region matches the one in the ECR hostname.

[profile 111111111111.dkr.ecr.ap-southeast-1.amazonaws.com]
region = ap-southeast-1

[profile 222222222222.dkr.ecr.ap-southeast-1.amazonaws.com]
region = ap-southeast-1

4. Create the credentials for each account profile in ~/.aws/credentials. Each section name must be the same as the profile name above.

[111111111111.dkr.ecr.ap-southeast-1.amazonaws.com]
aws_access_key_id = AKIA1111111111111111
aws_secret_access_key = KEYOF1111111111111111


[222222222222.dkr.ecr.ap-southeast-1.amazonaws.com]
aws_access_key_id = AKIA2222222222222222
aws_secret_access_key = KEYOF2222222222222222

5. Edit the Docker config at ~/.docker/config.json and add the "credHelpers" key as shown below.

{
  "credHelpers": {
    "111111111111.dkr.ecr.ap-southeast-1.amazonaws.com": "ecr-auto",
    "222222222222.dkr.ecr.ap-southeast-1.amazonaws.com": "ecr-auto"
  }
}

6. Pull the images with docker-compose by running the command docker-compose pull

Example: a compose.yaml file that contains two images from two private ECR repositories.

services:
  redis1111:
    image: 111111111111.dkr.ecr.ap-southeast-1.amazonaws.com/redis:master
    command: redis-server --requirepass 1111
    restart: always
    ports:
      - "6379:6379"
  redis2222:
    image: 222222222222.dkr.ecr.ap-southeast-1.amazonaws.com/redis:master
    command: redis-server --requirepass 2222
    restart: always
    ports:
      # Different host port so both services can start on the same host
      - "6380:6379"

docker-compose should pull both images without having to log in and pull each one manually.
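
A hardened variant of the step 3 wrapper, as an added example that is not part of the original post or of the amazon-ecr-credential-helper project: it accepts only registry addresses of the form used on this page before using them as an AWS profile name, and tolerates an https:// prefix. The function names ecr_profile_for and ecr_auto_get are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: hardened variant of docker-credential-ecr-auto.
# Function names are hypothetical; docker-credential-ecr-login is the
# amazon-ecr-credential-helper binary installed in step 1.

# Print the AWS profile name for a registry address, or return 1 if the
# address is not a <12-digit-account>.dkr.ecr.<region>.amazonaws.com host.
# Other hostname forms would need the pattern extended.
ecr_profile_for() {
  host=${1#https://}        # tolerate an address passed with a scheme
  host=${host%%/*}          # drop any path component
  if printf '%s\n' "$host" |
     grep -Eq '^[0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$'; then
    printf '%s\n' "$host"
  else
    return 1
  fi
}

# Handle the "get" action: the registry address arrives on stdin and the
# JSON credentials from docker-credential-ecr-login go to stdout.
ecr_auto_get() {
  # read returns non-zero when the input has no trailing newline, so
  # accept that case as long as something was read.
  IFS= read -r registry || [ -n "$registry" ] || return 1
  profile=$(ecr_profile_for "$registry") || {
    echo "docker-credential-ecr-auto: refusing non-ECR registry" >&2
    return 1
  }
  printf '%s\n' "$registry" |
    AWS_PROFILE=$profile docker-credential-ecr-login get
}

# Only "get" is handled, as in the wrapper from step 3.
if [ "${1:-}" = "get" ]; then
  ecr_auto_get
fi
```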

Source:
https://github.com/awslabs/amazon-ecr-credential-helper/issues/77
