/amazon-ecr-credential-helper

Automatically gets credentials for Amazon ECR on docker push/docker pull

Primary LanguageGoApache License 2.0Apache-2.0

Amazon ECR Docker Credential Helper

Amazon ECR logo

Build Status

The Amazon ECR Docker Credential Helper is a credential helper for the Docker daemon that makes it easier to use Amazon Elastic Container Registry.

Prerequisites

You must have at least Docker 1.11 installed on your system.

You also must have AWS credentials available in one of the standard locations:

  • The ~/.aws/credentials file
  • The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
  • An IAM role for Amazon EC2
  • If you are working with an assumed role please set the environment variable: AWS_SDK_LOAD_CONFIG=true also.

The Amazon ECR Docker Credential Helper uses the same credentials as the AWS CLI and the AWS SDKs. For more information about configuring AWS credentials, see Configuration and Credential Files in the AWS Command Line Interface User Guide.

The credentials must have a policy applied that allows access to Amazon ECR.

Installing

Amazon Linux 2

You can install the Amazon ECR Credential Helper from the docker or ecs extras.

$ sudo amazon-linux-extras enable docker
$ sudo yum install amazon-ecr-credential-helper

Once you have installed the credential helper, see the Configuration section for instructions on how to configure Docker to work with the helper.

Mac OS

A community-maintained Homebrew formula is available in the core tap.

Homebrew package

$ brew install docker-credential-helper-ecr

Once you have installed the credential helper, see the Configuration section for instructions on how to configure Docker to work with the helper.

Debian Buster (and future versions)

You can install the Amazon ECR Credential Helper from the Debian Buster archives. This package will also be included in future releases of Debian.

Debian Testing package Debian Unstable package

$ sudo apt update
$ sudo apt install amazon-ecr-credential-helper

Once you have installed the credential helper, see the Configuration section for instructions on how to configure Docker to work with the helper.

Ubuntu 19.04 Disco Dingo and newer

You can install the Amazon ECR Credential Helper from the Ubuntu 19.04 Disco Dingo (and newer) archives.

Ubuntu 19.04 package

$ sudo apt update
$ sudo apt install amazon-ecr-credential-helper

Once you have installed the credential helper, see the Configuration section for instructions on how to configure Docker to work with the helper.

Arch Linux

A community-maintained package is available in the Arch User Repository.

AUR package

$ git clone https://aur.archlinux.org/amazon-ecr-credential-helper.git
$ cd amazon-ecr-credential-helper
$ makepkg -si

Once you have installed the credential helper, see the Configuration section for instructions on how to configure Docker to work with the helper.

From Source

To build and install the Amazon ECR Docker Credential Helper, we suggest Go 1.9+, git and make installed on your system.

You can install this via go get with:

go get -u github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login

If you already have Docker environment, just clone this repository anywhere and run make docker. This command builds the binary with Go inside the Docker container and output it to local directory.

With TARGET_GOOS environment variable, you can also cross compile the binary.

Once you have installed the credential helper, see the Configuration section for instructions on how to configure Docker to work with the helper.

Configuration

Place the docker-credential-ecr-login binary on your PATH and set the contents of your ~/.docker/config.json file to be:

{
	"credsStore": "ecr-login"
}

This configures the Docker daemon to use the credential helper for all Amazon ECR registries.

With Docker 1.13.0 or greater, you can configure Docker to use different credential helpers for different registries. To use this credential helper for a specific ECR registry, create a credHelpers section with the URI of your ECR registry:

{
	"credHelpers": {
		"aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
	}
}

This is useful if you use docker to operate on registries that use different authentication credentials.

Usage

docker pull 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repository:my-tag

docker push 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repository:my-tag

There is no need to use docker login or docker logout.

Troubleshooting

Logs from the Amazon ECR Docker Credential Helper are stored in ~/.ecr/log.

For more information about Amazon ECR, see the the Amazon Elastic Container Registry User Guide.

Security disclosures

If you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the instructions here or email AWS security directly.

License

The Amazon ECR Docker Credential Helper is licensed under the Apache 2.0 License.