Applies to Linux systems.
~/.docker/config.json must have
{
  "credsStore": "ecr-login"
}
Also, you must have the docker-credential-ecr-login package installed.
For READ ONLY access to an ECR repo in the same account, here is the IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetAuthorizationToken",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": ["arn:aws:ecr:us-west-2:12345678901234:repository/mysqldevimg/example"]
    }
  ]
}
Note there are two statements. The first one is REQUIRED: ecr:GetAuthorizationToken is what lets the credential helper obtain a registry login token, and that action does not support resource-level permissions, so its Resource has to be "*". Only the second statement can be scoped to a repository.
The parts of the Resource ARN in the second statement:
arn:aws:ecr is static, it doesn’t change
us-west-2 is the region
12345678901234 is your AWS account id
repository is part of the ARN – it doesn’t change
mysqldevimg/example is the repository
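To check that a policy still has this read-only shape before attaching it, here is an added example (not from the original notes) that audits a policy document loaded as a Python dict. The function name, the finding messages and the BROAD sample are constructed for illustration; action wildcards such as ecr:* are reported rather than expanded.

```python
import re

# Actions granted by the second statement of the policy above.
# IAM action names are case-insensitive, so compare in lower case.
PULL_ACTIONS = {"ecr:getdownloadurlforlayer", "ecr:batchgetimage",
                "ecr:batchchecklayeravailability"}
TOKEN_ACTION = "ecr:getauthorizationtoken"
# arn:aws:ecr:<region>:<account id>:repository/<repository>, no wildcards.
# \d+ is used so the sample account id from the notes is accepted as written.
REPO_ARN = re.compile(r"^arn:aws:ecr:[a-z0-9-]+:\d+:repository/[^*?]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_pull_policy(policy):
    """Return findings; an empty list means the read-only pull shape holds."""
    findings, has_token, granted = [], False, set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        if TOKEN_ACTION in actions and "*" in resources:
            has_token = True
        for action in sorted(actions - {TOKEN_ACTION}):
            if action not in PULL_ACTIONS:
                findings.append(f"not a pull action: {action}")
                continue
            granted.add(action)
            for res in resources:
                if not REPO_ARN.match(res):
                    findings.append(f"{action} not scoped to one repository: {res}")
    if not has_token:
        findings.append('no statement allows ecr:GetAuthorizationToken on Resource "*"')
    for action in sorted(PULL_ACTIONS - granted):
        findings.append(f"pull action missing: {action}")
    return findings


# Constructed samples: GOOD mirrors the policy above, BROAD is deliberately loose.
_REPO = "arn:aws:ecr:us-west-2:12345678901234:repository/mysqldevimg/example"
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
    {"Effect": "Allow", "Resource": [_REPO],
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"]}]}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:BatchGetImage", "ecr:PutImage"],
     "Resource": "arn:aws:ecr:us-west-2:12345678901234:repository/*"}]}
```
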
docker-credential-ecr-login can be a bit obtuse. On Ubuntu 22.04, on EC2, running the following command hangs:
docker-credential-ecr-login erase
To force erase, run this:
rm ~/.ecr/cache.json