Authenticates with ECR by running aws ecr get-login
and then calls docker run
with any arguments
passed into the run. This is useful when you want to run a docker container hosted in ECR in a
situation where there's no easy way to first authenticate.
One example use-case is launching an ECR container via cloud-config in RancherOS:
#cloud-config
ssh_authorized_keys:
- ssh-rsa SSH-KEY-HERE
rancher:
services:
my_container:
image: ownlocal/ecr-auth-run
command: [12345.dkr.ecr.us-east-1.amazonaws.com/my_container:latest, --log-driver=awslogs, --log-opt, awslogs-region=us-east-1, --log-opt, awslogs-group=MyLogGroup]
environment:
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_DEFAULT_REGION: us-east-1
privileged: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /usr/bin/docker:/usr/bin/docker
If you have assigned an IAM Role to the instance which has the permissions needed to access the ECR repo, you can even leave out the access key and secret, but the region will still need to be specified. Of course, a different log driver can be used, if desired.
Any environment variables or other arguments to your container will need to be included in the
command
portion of the config, as the service config is for the initial container.
Both of the specified bind mounts (in the "volumes" section) are required for this container to
function properly. If the docker
executable is somewhere else on the Docker host, you will need to
adjust the /usr/bin/docker mount accordingly.
Running this from the command-line would look something like this:
$ docker run --rm -it -e AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE \
-e AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
-e AWS_DEFAULT_REGION=us-east-1 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/bin/docker:/usr/bin/docker \
ownlocal/ecr-auth-run \
--log-driver=awslogs --log-opt awslogs-region=us-east-1 --log-opt awslogs-group=MyLogGroup \
12345.dkr.ecr.us-east-1.amazonaws.com/my-container
Note that any docker run
arguments need to come before the name of the image and any container
arguments need to come after the name of the image. Also in order for the awslogs driver to work
this needs to either be run on an EC2 instance with an IAM role which allows CloudWatch logging or
the docker daemon needs to have been run with the appropriate AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY environment variables set (see moby/moby#16551).