Unlike other Docker registries, ECR is a bit of a pain to work with. The usual authentication process with ECR goes as follows:
1. Get an IAM account with ECR permissions (pull, push, or both) and obtain the access key ID and secret key for this account.
2. Using the AWS CLI and those IAM credentials, obtain the login and password that authenticate you to the actual registry. The AWS CLI command below prints the whole docker login command:
export AWS_ACCESS_KEY_ID=my_key_id; export AWS_SECRET_ACCESS_KEY=my_key_secret; aws ecr get-login --no-include-email --region us-east-1
3. Run the docker login command it printed, and you are now authenticated with ECR. The catch: only for 12 hours.
4. After 12 hours the docker login is no longer valid, and you have to redo the whole process.
This may not be so bad for local development, but it is a big problem for any Continuous Delivery system running on Kubernetes.
Given this inconvenience, why do people still use ECR? AWS has a big ecosystem, and if an organization is already heavily invested in AWS, staying with ECR just makes sense rather than switching to a better registry (such as ACR on Azure).
To make this problem more manageable, we have created an open source ECR-Regcred Helm chart. It takes IAM credentials, creates a regcred secret for pulling images from ECR on Kubernetes, and then refreshes that secret every 11 hours.
The ECR-Regcred chart can be used either stand-alone or as a dependency of any other chart. It currently supports three modes of providing the IAM secret: unopinionated (the secret is created by the user outside the chart), plain-text (only recommended for testing in dev), and sealed secret via Bitnami Sealed Secrets.
Hopefully this will make working with ECR a bit easier; it has already worked for us on a couple of projects.