Authenticating Amazon ECR Repositories for Docker CLI with Credential Helper

The default way to authenticate and then talk to the registry is through docker login.

The user name is AWS and the password can be retrieved using aws ecr get-authorization-token.

So far it’s pretty straightforward.

However, there is a caveat. The token from the AWS CLI is valid for only 12 hours. This is AWS's approach to securing access: if a token is compromised, it soon expires, and only an authorised user can retrieve a new one.

One possible approach to keep the Docker CLI working is to re-run docker login every 12 hours, which is not difficult but is very ugly.

Instead, AWS has this credential helper. With the Amazon ECR credential helper installed, when we run the Docker CLI, it picks up this config from ~/.docker/config.json:

{
	"credHelpers": {
		"aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
	}
}

Docker then relies on the helper to talk to that specific ECR registry. The helper in turn relies on the pre-configured ~/.aws/credentials and ~/.aws/config to pick up the right access key, secret and so on to talk to ECR.
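To move an existing setup from manual docker login to the helper, the stored login entry can be swapped for a credHelpers entry. The script below is an added example, not code from the AWS blog or the helper project; the function name, the hostname pattern and the sample config are assumptions made up for illustration.

```python
import base64
import copy
import json
import re

# Private ECR registry host: <12-digit account>.dkr.ecr.<region>.amazonaws.com
ECR_HOST = re.compile(r"^(?:https://)?(\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com)/?$")

def migrate_to_ecr_helper(config):
    """Return (findings, new_config); the input dict is not modified."""
    new = copy.deepcopy(config)
    helpers = new.setdefault("credHelpers", {})
    auths = new.get("auths", {})
    findings = []
    for key in list(auths):
        m = ECR_HOST.match(key)
        if not m:
            continue  # not an ECR registry; leave the entry alone
        host = m.group(1)
        blob = auths[key].get("auth")
        if blob:
            # docker login stores base64("user:password"); report the user only
            user = base64.b64decode(blob).decode().split(":", 1)[0]
            findings.append(f"{host}: stored docker login token for user {user}")
        del auths[key]               # drop the 12-hour token from the file
        helpers[host] = "ecr-login"  # let the helper fetch tokens on demand
    return findings, new

# Constructed sample of ~/.docker/config.json after a manual docker login
SAMPLE = {
    "auths": {
        "123456789012.dkr.ecr.us-east-1.amazonaws.com": {
            "auth": base64.b64encode(b"AWS:constructed-token").decode()
        },
        "https://index.docker.io/v1/": {},
    }
}

if __name__ == "__main__":
    findings, new = migrate_to_ecr_helper(SAMPLE)
    print("\n".join(findings))
    print(json.dumps(new, indent=2))
```

Entries for other registries are left untouched, so only the ECR hosts change behaviour.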

This is a cool solution not only for the Docker CLI but also for a lot of serverless platforms that rely on containers.

https://aws.amazon.com/blogs/compute/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/
