# AWS ECR and Policies

### Introduction

In previous lessons we have stored our docker images on Dockerhub.  However, in a production environment, our images will typically be stored in a cloud service equivalent.  For AWS, this is the elastic container repository.  And a benefit of this, is that images can then be booted up and run on an EC2 instance through the Elastic Container Registry.  

In this lesson, we'll see how to use both.  

Let's get started.

### Booting up a Flask App

Let's begin by moving to the `web_app/app` directory, finding our Dockerfile, and then runnning the following.

* `docker build -t sample_flask:amd --platform=linux/amd64 .`

And you can *try* running this image on your laptop, but it may not work if it's not compatible. 

* `docker run  -p 3000:80 sample_flask`

### Deploying to AWS

Ok, now that we can see our container working in docker, the next step is to push our image to AWS, and then to have lambda run this image.

We can push an image to AWS by using the elastic container registry in AWS.  So search for that in the AWS console.

<img src="./ecr.png" width="100%">

Then click on get started, and add a repository name, and click on create repository.  

> This is similar to creating a repository in github.

Then from there we can push the repo to AWS ECR.

<img src="./create-repo.png">

`docker tag sample_flask ****.dkr.ecr.us-east-1.amazonaws.com/flask_app`

```bash
(base) % docker image ls
REPOSITORY                                                 TAG       IMAGE ID       CREATED         SIZE
086729879076.dkr.ecr.us-east-1.amazonaws.com/flask_app     latest    faa24b2f3b27   6 minutes ago   53.1MB
```

* Then push to the ECR repository.

`docker push ***.dkr.ecr.us-east-1.amazonaws.com/flask_app`

### Pulling our Repo

Ok, so now that we pushed up our repository.  Next we can use the AWS CLI to try to pull down our repository onto our laptop.  

To do so, we cannot immediately pull down our docker image.  Instead, we first have to provide the aws credentials (which are hopefully stored in our `~./aws` folder) to the Docker client installed on our computer -- to allow it to access our ECR.

Ok, so we allow our Docker client to access our AWS account's ECR with the following:

```bash
aws ecr get-login-password --region your-region | docker login --username AWS --password-stdin your-aws-account-id.dkr.ecr.your-region.amazonaws.com
```

For example, after `--region`, you'll need to provide the region your using, like us-east-1.  And then after `stdin`, you'll also have to fill in, your account id and region in the specified place.  Constructing that last string is actually in the ECR repo for you.  If you click on your image, you'll see the following:

<img src="./aws-ecr.png" width="80%">

That `URI` at the bottom has what we need.  We can just exclude the text `/flask_app:latest`.  So for me, I logged my docker client in with the following.

```bash
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin *****.dkr.ecr.us-east-1.amazonaws.com
```

And once logged in, we can just copy that full uri listed in the console, and run docker pull.

```bash
docker pull ******.dkr.ecr.us-east-1.amazonaws.com/flask_app:latest
```

Ok, with that, we should have been able to pull our image back down onto our laptop.

### Pulling down to EC2

Ok, so the next step would be to boot up an ec2 instance, and try to pull down our image.  Let's give it a shot.

You can type in EC2, use an ami, and choose your keypair, and then allow the default of allowing ssh access, and might as well select the checkbox for http access.

<img src="./ec2-access.png" width="60%">

Click `Launch Instance`, and then use your .pem file to ssh into the machine.  You can click on the `connect` button.

```bash
sudo yum install docker -y
sudo systemctl start docker
```

But then, if we try to login to Docker, we'll see the following:

<img src="./locate-creds.png" width="80%">

The issue we have above, is that the credentials are not stored on the EC2 machine, and so we cannot use them to login to docker.

### Granting Permission

So we need to give our EC2 machine the authorization to access our ECR resource.  

* A brief intro

This may seem like something that would be managed with a security group, security groups are for something different.  Security groups are used to specify how the outside world can access your resources.  For example, when we allow outside computers to make http requests to port 80.  But here we want to grant one AWS resource (our ec2 machine) the ability to access another resource (ECR).  For that we'll need to create *role* in AWS (like a new user) that has access to ECR, and then attach that role to our EC2 machine.

Ok, let's get started.

We can manage our EC2 instance's role by clicking on the EC2 instance, and then `Instance State` > `Security` > `Modify IAM role`.

<img src="./iam-role.png" width="50%">

From there, we want to create a new IAM role that has ECR access.  So click the link `Create new IAM role`. 

<img src="./create-iam.png" width="60%">

Ok, so IAM stands for Identify and Access Management.  And AWS gets us right into it by asking what kind of service we'll be creating a role for.  Choose EC2, as this will be for an EC2 instance.

<img src="./ec2-service.png" width="60%">

Next, we'll need to specify what *permissions* this role will have.  Search for `Container` and then you can select either `AmazonEC2ContainerRegistryReadOnly` or `AmazonEC2ContainerRegistryFullAccess` (but read only is preferred).

<img src="./ecr-role.png" width="60%">

If you click on the `+` you can see the details of this policy.  For example, for the read only, it grants Allow access to any of the ecr resources (ie any repository), to perform the actions specified under `Action: []`.

In the next screen, we get ready to create our role -- giving it a descriptive name.

<img src="./ec2-ecr.png" width="60%">

* Notice that under `Principal: Service` it says `ec2.amazonaws.com` as that is the resource that will be able to perform this action.  And we are allowing it the ability to assume the role as this new role, that has ECR permissions, that we are creating.

Then click `Create Role`.

* Attaching the role

Ok, so we just created a role that gives EC2 machines access to the ECR resource.  The next step is to *attach* this role to our EC2 machine.  

So go back to the original Modify IAM Role for the EC2 machine.  You can click the `Refresh` button (next to Create new Iam role), and you should see the role that you just created in the dropdown.  Now select it.  Then click `Update IAM role`.

<img src="./update-iam-role.png" width="60%">

This will *attach* the role to the ec2 machine.  We can see that if we go back to `EC2 > Instances` and click on our instance.

<img src="./ec2-attached.png" width="50%">

> You can see our newly attached role under `IAM Role`. 

### Pulling down our image

Ok, so now that our EC2 image has access to our ECR repository, we can now use the same step to login the docker client on our EC2 machine to get ECR access.

```bash
aws ecr get-login-password --region us-east-1 | sudo docker login --username AWS --password-stdin ****.dkr.ecr.us-east-1.amazonaws.com
```

And from there, we can pull down our image.

```bash
sudo docker pull  ******.dkr.ecr.us-east-1.amazonaws.com/flask_app:latest
```

So because we granted our EC2 machine access to our ECR repo, when we ran `aws ecr get-login-password --region us-east-1`, the AWS CLI used our instance's attached IAM role for authentication and authorization, and our IAM role had the permission to for `ecr:GetAuthorizationToken`.

<img src="./ecr-role.png" width="60%">

And we then gave that login token to our docker client, before pulling down our image.  We can even see that login token on our ec2 machine.

* Just run: `sudo cat /root/.docker/config.json` and you'll see the login token.

### Resources

[IAM roles and assume roles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html)

[Final Attempt](https://beabetterdev.com/2023/01/29/ecs-fargate-tutorial-with-fastapi/)

[Gentle Intro to how ECS works - AWS ECS Tutorial](https://medium.com/boltops/gentle-introduction-to-how-aws-ecs-works-with-example-tutorial-cea3d27ce63d)

[AWS ECS](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html)

[AWS Fargate](https://aws.amazon.com/blogs/aws/aws-fargate/)

[AWS ECS and Fargate](https://dev.to/aws-builders/step-by-step-guide-highly-available-architecture-with-alb-and-amazon-ecs-on-aws-fargate-cgi)

[Node ECS Terraform](https://blog.devops.dev/deploying-docker-image-on-aws-ecs-infrastructure-automation-using-terraform-a-step-by-step-guide-23e17e5ced76)

[Fargate Pricing](https://www.simform.com/blog/aws-fargate-pricing/)

[Terraform ECS](https://spacelift.io/blog/terraform-ecs)