ownlocal/ecr-auth-run

Authenticates with ECR by running aws ecr get-login and then calls docker run with any arguments passed into the run. This is useful when you want to run a docker container hosted in ECR in a situation where there's no easy way to first authenticate.

One example use-case is launching an ECR container via cloud-config in RancherOS:

#cloud-config
ssh_authorized_keys:
  - ssh-rsa SSH-KEY-HERE
rancher:
  services:
    my_container:
      image: ownlocal/ecr-auth-run
      command: [--log-driver=awslogs, --log-opt, awslogs-region=us-east-1, --log-opt, awslogs-group=MyLogGroup, 12345.dkr.ecr.us-east-1.amazonaws.com/my_container:latest]
      environment:
        AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
        AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
        AWS_DEFAULT_REGION: us-east-1
      privileged: true
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
        - /usr/bin/docker:/usr/bin/docker

If you have assigned an IAM Role to the instance which has the permissions needed to access the ECR repo, you can even leave out the access key and secret, but the region will still need to be specified. Of course, a different log driver can be used, if desired.

Any environment variables or other arguments to your container will need to be included in the command portion of the config, as the service config is for the initial container.

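Both of the specified bind mounts (in the "volumes" section) are required for this container to function properly, because it drives the host's Docker daemon through the mounted socket and binary; this gives the container full control of that daemon. If the docker executable is somewhere else on the Docker host, you will need to adjust the /usr/bin/docker mount accordingly.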

Running this from the command-line would look something like this:

$ docker run --rm -it -e AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE \
    -e AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
    -e AWS_DEFAULT_REGION=us-east-1 \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/bin/docker:/usr/bin/docker \
    ownlocal/ecr-auth-run \
    --log-driver=awslogs --log-opt awslogs-region=us-east-1 --log-opt awslogs-group=MyLogGroup \
    12345.dkr.ecr.us-east-1.amazonaws.com/my-container

Note that any docker run arguments need to come before the name of the image and any container arguments need to come after the name of the image. Also, in order for the awslogs driver to work, this needs to be run either on an EC2 instance with an IAM role that allows CloudWatch logging, or against a Docker daemon that was started with the appropriate AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables set (see moby/moby#16551).
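
The authenticate-then-run flow described above, as an added sketch that is not this project's own entrypoint; all function names are hypothetical. It assumes an AWS CLI that provides aws ecr get-login-password (the replacement for get-login, which AWS CLI v2 no longer has), so the registry token reaches docker login over stdin rather than on a command line, and it flags logging options placed after the image name.

```shell
#!/bin/sh
# Added example, not the ownlocal/ecr-auth-run source; function names are hypothetical.

# Print the first argument that looks like an ECR image reference
# (ACCOUNT.dkr.ecr.REGION.amazonaws.com/REPO[:TAG]); return 1 if none.
ecr_image_from_args() {
    for arg in "$@"; do
        case "$arg" in
            -*) ;;  # a docker run option, never the image
            *.dkr.ecr.*.amazonaws.com/*) printf '%s\n' "$arg"; return 0 ;;
        esac
    done
    return 1
}

# Registry host is everything before the first "/".
ecr_registry() { printf '%s\n' "${1%%/*}"; }
# Region is the fourth dot-separated label of the registry host.
ecr_region() { printf '%s\n' "$1" | cut -d. -f4; }

# Return 0 if --log-driver/--log-opt appears after the image, where docker run
# would pass it to the container instead of applying it.
log_flags_after_image() {
    seen=0
    for arg in "$@"; do
        case "$arg" in
            --log-driver*|--log-opt*) [ "$seen" -eq 1 ] && return 0 ;;
            -*) ;;
            *.dkr.ecr.*.amazonaws.com/*) seen=1 ;;
        esac
    done
    return 1
}

main() {
    image=$(ecr_image_from_args "$@") || {
        echo "no ECR image reference in arguments" >&2; return 2; }
    if log_flags_after_image "$@"; then echo "warning: log options follow the image" >&2; fi
    registry=$(ecr_registry "$image")
    region=${AWS_DEFAULT_REGION:-$(ecr_region "$registry")}
    # The token travels over stdin, so it never shows up in argv or ps output.
    aws ecr get-login-password --region "$region" |
        docker login --username AWS --password-stdin "$registry" || return 1
    exec docker run "$@"
}

# Runs only when invoked with arguments, so the functions can be sourced and checked.
if [ "$#" -gt 0 ]; then main "$@"; fi
```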
