Docker stack deploy no basic auth credentials

Expected behavior

would like to know how to pull an image from an aws ecr repo while running a docker stack deploy cmd.
how do you translate the following param --with-registry-auth in the docker compose v3 file?
i’m able to create a service from the cmd line but i had no success with docker-compose v3.

Actual behavior

eval $(aws ecr get-login --region us-east-1)
Flag --email has been deprecated, will be removed in 1.14.
Login Succeeded

ls -rlt config.json
-rw-------. 1 root root 1592 Jan 29 13:52 config.json
docker stack deploy -c test.yml QA_STATUS

from /var/log/messages
Jan 29 13:57:42 XXXXX dockerd: time="2017-01-29T13:57:42.487088958-06:00" level=warning msg="unable to pin image XXXXX.us-east-1.amazonaws.com/docker-dev-repo:lighttpd to digest: Head https://XXXXXX.ecr.us-east-1.amazonaws.com/v2/docker-dev-repo/manifests/lighttpd: no basic auth credentials"

Additional Information

docker version
Client:
Version: 1.13.0
API version: 1.25
Go version: go1.7.3
Git commit: 49bf474
Built: Tue Jan 17 09:55:28 2017
OS/Arch: linux/amd64

Server:
Version: 1.13.0
API version: 1.25 (minimum version 1.12)
Go version: go1.7.3
Git commit: 49bf474
Built: Tue Jan 17 09:55:28 2017
OS/Arch: linux/amd64
Experimental: false

Steps to reproduce the behavior

  1. eval $(aws ecr get-login --region us-east-1)
  2. docker stack deploy -c test.yml QA_STATUS

See my answer here:

i’m able to create a service from the cmd line. just wondering how you do it using the docker compose yaml file.
how do you parse the token in yaml file?

We don’t parse the token in the yaml file. From my understanding of docker stack deploy the --compose-file option is to allow you to skip the step of having to create a bundle (dab) file. I could be misinterpreting what you’re asking, but it sounds like you want to bake the authentication for connecting to a private repo directly into the yaml file. To my knowledge that isn’t possible.

We are evaluating Docker for AWS as an alternative to our current deployment via EC2 Container Service. In ECS this is just automatic via Roles and Policies given to our InstanceProfile.

Initially before I tried the above workaround I attempted to add the ECR ReadOnly policy to the DockerForAWSProxy InstancePolicy from their CloudFormation. That didn’t work and I’m not entirely sure why. However I think that’s the best solution when you are using DockerForAWS + ECR.

how do aws credentials get parsed with docker stack deploy?

@ambrons

a simple
eval $(aws ecr get-login --region us-east-1)
docker stack deploy -c test.yml QA_STATUS --with-registry-auth

did it for me!

thanks for your help

@wannaknowmo that’s great! Glad I could help.

Note there’s an issue with ECR + Docker Swarm though. The token / password given to you when you run aws ecr get-login... is only good for 12 hours. So if Docker scheduling has to redeploy or replace, etc, etc your application after 12 hours it’ll likely fail to load.

So just keep in mind even though this works it’s probably not production viable. I’m going to dig into seeing if there’s a way to assign the workers and manager of docker swarm access to ECR without having to provide credentials. I believe this is the way that ECS and EB work.

@ambrons, did you find a viable solution to this problem?

Thank you!
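
One common way to live with the 12-hour token lifetime raised above is to log in again on a manager and re-send the credentials to every service in the stack before the token lapses. The script below is an added example, not code from any poster in this thread; it assumes AWS CLI v1's `aws ecr get-login` (the command used above) and the docker CLI on a swarm manager, and the function name is hypothetical.

```bash
#!/usr/bin/env bash
# Added example: refresh the ECR login and hand the new credentials to each
# service of a stack. Stack name and region are passed in by the caller.

refresh_stack_registry_auth() {
    local stack="$1" region="$2" login_cmd svc failed=0

    # get-login prints a `docker login ...` command line. Sanity-check the
    # output before eval so an error message or empty string is never executed.
    login_cmd="$(aws ecr get-login --region "$region")" || return 2
    case "$login_cmd" in
        "docker login "*) ;;
        *) echo "unexpected get-login output" >&2; return 2 ;;
    esac
    eval "$login_cmd" >/dev/null || return 2

    # Re-send the refreshed credentials to the swarm for every service, so a
    # node that has to pull the image later is not given the expired token.
    for svc in $(docker stack services -q "$stack"); do
        if ! docker service update --with-registry-auth "$svc" >/dev/null; then
            echo "failed to update registry auth for $svc" >&2
            failed=$((failed + 1))
        fi
    done

    # Exit status: 0 = all services updated, 2 = login failed,
    # otherwise the number of services that could not be updated.
    return "$failed"
}
```

Called as `refresh_stack_registry_auth QA_STATUS us-east-1` from a scheduled job on a manager, at an interval shorter than 12 hours.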