Skip to content
AWS ECR docker registry proxy. Anonymous proxy for AWS ECR
Shell Dockerfile
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
configs fix for #7, registry ID not being used to renew token Dec 10, 2018
examples kubernetes example daemonSet Aug 20, 2017
Dockerfile upgraded to the latest stable versions of awscli and nginx May 24, 2017
LICENSE Initial commit Jan 21, 2017 Added option to speicy a registry id Jun 27, 2018

AWS ECR anonymous proxy

Based on official nginx alpine.

Docker image repository

The container will renew the aws token every 6 hours.


RENEW_TOKEN - default 6h
REGISTRY_ID - optional, used for cross account access

Health check

To check the health of the container/registry use FQDN/ping which will give you the heath of the registry with the correct status code.

AWS instance with IAM role

For AWS instances if the region is not declared it will be auto discovered from IAM as long as the instance supports that. pull request, commit.

The AWS key and secret can be also configured using a IAM role (without mounting them secrets or specifying them as variables). A sample IAM role config can be found in the examples folder. More details on the AWS official documentation.

The configs will be checked in the following order:

  • secrets - file mounted
  • variables declared at run time
  • IAM role

If none are found the container will not start. Check the logs with docker logs CONTAINER_ID

Docker run:

Without ssl

This will require either to add insecure registry URL or a load balancer with valid ssl certificates. Check for more details.

docker run -e AWS_SECRET='YOUR_AWS_SECRET' \
-d catalinpan/aws-ecr-proxy
With your own certificate
docker run -e AWS_SECRET='YOUR_AWS_SECRET' \
-v `pwd`/YOUR_CERTIFICATE.key:/etc/nginx/ssl/default.key:ro \
-v `pwd`/YOUR_CERTIFICATE.crt:/etc/nginx/ssl/default.crt:ro \
-d catalinpan/aws-ecr-proxy
With a valid AWS CLI configuration file

The configuration should look like below example.

cat ~/.aws/config
# region example eu-west-1
region = REGION     
aws_access_key_id = YOUR_AWS_KEY
aws_secret_access_key = YOUR_AWS_SECRET
docker run -v ~/.aws:/root/.aws:ro
-v `pwd`/YOUR_CERTIFICATE.key:/etc/nginx/ssl/default.key:ro \
-v `pwd`/YOUR_CERTIFICATE.crt:/etc/nginx/ssl/default.crt:ro \
-d catalinpan/aws-ecr-proxy
IAM role configured

with region and credentials from IAM role

docker run -d catalinpan/aws-ecr-proxy

with region as environment variable and credentials from IAM role

docker run -e REGION='YOUR_AWS_REGION' -d catalinpan/aws-ecr-proxy


The certificates included are just to get nginx started. Generate your own certificate, get valid ssl certificates or use the container behind a load balancer with valid SSL certificates.

Self signed certificates

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout default.key -out default.crt

Kubernetes example

Kubernetes examples contain also a health check. The configs can be changed to get aws_config and ssl certificates as secrets.

Deployment and service

The configuration provided will require valid ssl certificates or to be behind a load balancer with valid ssl.


The daemonSet will be available on all the nodes. Deployments can use instead of FQDN/container_name:tag

You can’t perform that action at this time.