authentication with amazon ecr and docker

Applies to Linux systems.

~/.docker/config.json must contain:

{
    "credsStore": "ecr-login"
}

Also, you must have the docker-credential-ecr-login package installed.


For READ ONLY (pull) access to an ECR repository in the same account, here is the IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetAuthorizationToken",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": ["arn:aws:ecr:us-west-2:12345678901234:repository/mysqldevimg/example"]
        }
    ]
}

Note there are two statements. The first one is REQUIRED: ecr:GetAuthorizationToken is not scoped to a repository, so it must be granted with Resource "*", and without it docker-credential-ecr-login cannot obtain a login token at all. The second statement is what actually scopes the pull to one repository.

  1. arn:aws:ecr is static; it doesn't change
  2. us-west-2 is the region
  3. 12345678901234 is your AWS account id
  4. repository is a fixed part of the ARN; it doesn't change
  5. mysqldevimg/example is the repository name
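As an added example (not part of the original post), a small Python audit that checks a policy for exactly the properties described above: the mandatory GetAuthorizationToken statement with Resource "*", only the three pull actions, and resources that are repository ARNs rather than "*". The policy is re-typed inline with a constructed 12-digit account id placeholder; the ARN pattern is the one enumerated in the list above.

```python
import re

# Constructed copy of the read-only policy from the post; the account id
# is a 12-digit placeholder, not a real account.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "GetAuthorizationToken", "Effect": "Allow",
     "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"],
     "Resource": ["arn:aws:ecr:us-west-2:123456789012:repository/mysqldevimg/example"]},
]}

# The three actions a docker pull needs; anything beyond these is not read-only.
PULL_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"}

# arn:aws:ecr:<region>:<12-digit account id>:repository/<repository name>
ARN_RE = re.compile(r"^arn:aws:ecr:([a-z0-9-]+):(\d{12}):repository/(.+)$")

def parse_repository_arn(arn):
    """Split an ECR repository ARN into its variable parts; None if malformed."""
    m = ARN_RE.match(arn)
    return m and {"region": m.group(1), "account": m.group(2), "repository": m.group(3)}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_read_only_policy(policy):
    """Return a list of findings; an empty list means the policy is pull-only."""
    findings, token_ok = [], False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        if "ecr:GetAuthorizationToken" in actions:
            # Account-level action: it is only valid with Resource "*".
            token_ok = actions == {"ecr:GetAuthorizationToken"} and resources == ["*"]
            continue
        extra = actions - PULL_ACTIONS
        if extra:
            findings.append(f"non-read-only actions: {sorted(extra)}")
        for res in resources:
            if res == "*" or parse_repository_arn(res) is None:
                findings.append(f"resource not scoped to one repository: {res}")
    if not token_ok:
        findings.append('missing GetAuthorizationToken statement with Resource "*"')
    return findings
```

Run it against a policy loaded with json.load to get the list of findings; an empty list means the policy grants nothing beyond a pull of the named repository.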

docker-credential-ecr-login can be a bit obtuse. On Ubuntu 22.04 on EC2, running the following command hangs:

docker-credential-ecr-login erase

To force an erase, delete the helper's credential cache instead:

rm ~/.ecr/cache.json
