Tools for interacting with the ECR Docker registry 322727087874.dkr.ecr.ap-southeast-1.amazonaws.com
.
This repo provide two utilities:
docker-credential-fazz-ecr
: Credential helper for Docker client.fazz-ecr-create-repo
: Helper to create new repository on the322727087874.dkr.ecr.ap-southeast-1.amazonaws.com
registry.
User permissions to repositories are determined by the membership of Google groups.
Run go install github.com/payfazz/fazz-ecr/cmd/...@latest
to install both utilities in your $GOBIN
. Put $GOBIN
in your $PATH
to make it easier to access the programs.
-
Make sure that docker is installed
which docker
If docker is not found, install docker first by following the instructions here
-
Check for the file in
{HOME}/.docker/config.json
. If it is not available create the file with{}
(empty json object). Or run this command:[ ! -f ${HOME}/.docker/config.json ] && mkdir -p ${HOME}/.docker && echo "{}" > ${HOME}/.docker/config.json
-
To generate fazz-ecr auth config for docker, run the following on terminal:
docker-credential-fazz-ecr update-config
-
You can now create a repository based on your account. For example, if your email is
myname@fazzfinancial.com
, and you want to create a container image repository for service namedmyservice
, run the following command:fazz-ecr-create-repo 322727087874.dkr.ecr.ap-southeast-1.amazonaws.com/myname-fazzfinancial-com/myservice
The same rule is applicable to repository with your team's name. For example, if you are a member of
auth-payfazz@fazzfinancial.com
, you can create repositories on322727087874.dkr.ecr.ap-southeast-1.amazonaws.com/payfazz/*
.You cannot push image with the same tag more than once (Every image:tag is immutable).
Use payfazz/setup-fazz-ecr-action@v1
action in your workflow file. FAZZ_ECR_TOKEN
environment variable must be set.
docker-credential-fazz-ecr
provides the following sub-commands:
update-config
login
list-access
get
docker-credential-fazz-ecr update-config
is used to update ~/.docker/config.json
to configure authentication for 322727087874.dkr.ecr.ap-southeast-1.amazonaws.com
repository.
docker-credential-fazz-ecr login
is used to remove old credential and retrieve new credential. This command will open your web browser to authenticate your identity.
docker-credential-fazz-ecr list-access
is used to list all repositories which is accessible by your credential.
docker-credential-fazz-ecr get
is used internally by docker
command line
Both client utilities will do an HTTP call to an AWS Lambda which is proxied by AWS API Gateway. This lambda handles the actual authentication and authorization logic. The lambda code is located on aws-lambda/fazz-ecr
directory, and you can deploy the code with the following commands:
# Make sure you are in the aws-lambda/fazz-ecr directory
CGO_ENABLED=0 GOOS=linux go build .
zip function.zip fazz-ecr
aws lambda update-function-code --function-name fazz-ecr --region ap-southeast-1 --zip-file fileb://function.zip
rm function.zip fazz-ecr