Is it possible to use AWS ECR as Docker's Registry?

I understand one way to share docker images is via Docker Hub. Is it possible to also register 3rd party image registries with Docker? For example I’d like to be able for Docker Desktop to automatically pull images from our private repositories on AWS.

If that’s not possible, what’s the recommended workflow with AWS ECR? I’m basically building images on my local PC, pushing them to AWS ECR, and then I want other team members to be able to pull those images. I know the pull part can be done with CLI commands, but I was hoping there was a way to simply add a registry and have Docker Desktop do the pulling itself (sort of like remote git repos work).

Thanks.

As far as I know, the registry-related features in Docker Desktop are only for Docker Hub. Since we have Docker Extensions, one day someone may create a GUI for other registries too.

If you can’t wait and you are interested in that, you can also create an extension yourself. I haven’t done it yet.

Are you referring to the GUI part of Desktop? (I’ve never used such functionality in the GUI, didn’t even know it exists, if it does.) Or do you expect, say, docker run or docker-compose up to do whatever pulling is required, when using Desktop on Windows or Mac to provide these commands?

I was expecting there to be some way of registering remote repositories with Docker Desktop, so it would know where to pull images from automatically without me having to manually pull them. Looks like there is no such functionality at the moment. I guess like the other poster mentioned a custom extension could be one way of accomplishing that.

I still feel your question may be about Docker in general (say: docker run), not about Desktop in particular (which happens to provide Docker in some virtual machine for Mac and Windows). If true, then I don’t know the answer either but others (possibly people using Linux without Desktop) may know.

Ok, I wasn’t sure what you were getting at. Yes, this is not strictly a Docker Desktop issue. More of a general question then, about registering remote registries.

I thought I understood your question and I did not understand @avbentem, but now I think I still don’t understand what you want, so I start again as if it were my first post :slight_smile:

I quoted the part I don’t understand. The git client can register multiple remote repositories and save it to .git/config. You can pull and push changes, but it will not be done automatically either. So could you clarify what you mean by “automatically” pulling Docker images?

Git repositories have aliases locally so you choose which repository you want to push to or pull from, then run the command. The name of Docker images contain the name and port of the registry, so if you want to push images to different registries, you need to add a new tag and push that. If you want to pull an image, then again, you need to use a different tag containing the hostname of the registry.

Do you really want to pull images automatically? Can you tell more about your use case?

Right now the only thing I can think of which could be similar to Git is that you want to save those registries with your credentials so you can always run docker pull without authenticating, which is possible.

Sorry, I am a little confused.

1 Like

It’s my fault not making myself clear, because I’m new to both Docker and AWS.
I also failed to mention I use docker compose at the moment to start a stack of about 8 different services. Some of them are publicly available via Docker Hub (like MySQL, Redis, etc.), and some are from a private repo in AWS ECR.
Basically my goal is for the following command: docker compose up, to automatically pull all images required for the stack to run. It was doing it fine for the public Docker Hub images (MySQL, Redis etc.). The problem is I did not know how to make it also pull images from the private AWS ECR registry.
Before your comment, I was considering writing a PowerShell script to scan through the docker compose file, identify the private ECR images, and have the script pull them locally before running docker compose up. But since you mentioned the following:

The name of Docker images contain the name and port of the registry

I’m assuming there is a way to simply set the image: tag inside the docker-compose file to point to the AWS ECR registry? And then it’s just a matter of somehow supplying the credentials for docker compose to be able to pull it?

Just add the ECR images using image: {aws_account_id}.dkr.ecr.{region}.amazonaws.com/{your-repo}:{your-tag} (everything in curly brackets must be replaced with their correct value) and make sure you used docker login before. Since the ECR credentials are only temporarily valid, you will have to repeat this command whenever you open a new terminal (for other private registries this is usually cached until you log out from the registry again).

The docker compose command lacks the equivalent of docker-compose pull. It appears that at the moment indeed it is not possible to update images that point to a mutable tag.

1 Like

It actually exists. I used it before and I just tested with the latest compose. It still has the pull subcommand.

Just follow Metin’s instructions and use the proper tags, and it should work :slight_smile:

2 Likes

@rimelek thanks for pitching in. I didn’t realize the docker compose plugin for my cli was broken when I was testing it and the built-in docker compose subcommand was executed instead.

The short answer is yes, it’s entirely possible (see the response from @meyay above). AWS ECR supports the registry v2 API as per DockerHub, Quay, et al. The notion of repositories and image versions might take a small mental adjustment but it depends what other experience you have. The main area where many have difficulty is in dealing with the ECR login since that requires not only AWS credentials and one or more policies that provide authentication and access controls to the ECR service and all of the operations needed by that account (push, pull, delete, etc.), but also the separate login to ECR itself which results in temporary credentials being issued (attached to the AWS account and policy). By default the ECR login token expires after 6 hours (or is it 12 … it’s been a while since I used ECR) so needs to be renewed periodically (login details are cached locally with a timestamp - you could login and get new creds every time but that’s a bit clumsy and unnecessary). The AWS account credentials follow the normal precedence rules for where those can be sourced which no doubt you are familiar with. All of the above is reasonably well documented on AWS and there is a specific credentials helper which can … well help.

HTHs

Fraser.

1 Like
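
The workflow the answers above describe (ECR image names in the compose file, a temporary ECR login, then a Compose pull), written as a shell script. This is an added example, not code from any poster in the thread. It assumes AWS CLI v2 and Docker Compose v2 are installed and AWS credentials are already configured; the function names and the account IDs and repositories in the sample are made up.

```shell
#!/bin/sh
# Added example: log in to each ECR registry that a compose file references,
# then let Compose pull and start the stack.

# Print the unique ECR registry hosts found in `image:` lines.
# ECR hosts look like <12-digit-account>.dkr.ecr.<region>.amazonaws.com.
ecr_registries() {
  sed -nE 's/^[[:space:]]*image:[[:space:]]*["'\'']?([0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com)\/.*/\1/p' "$1" |
    sort -u
}

# The region is the fourth dot-separated field of the registry host.
ecr_region() {
  printf '%s\n' "$1" | cut -d. -f4
}

# Request a fresh token per registry and pipe it to docker login on stdin,
# so it never shows up in the process list or shell history.
ecr_login_all() {
  for registry in $(ecr_registries "$1"); do
    aws ecr get-login-password --region "$(ecr_region "$registry")" |
      docker login --username AWS --password-stdin "$registry" || return 1
  done
}

# Log in, pull every image (Docker Hub and ECR alike), start the stack.
ecr_compose_up() {
  ecr_login_all "$1" && docker compose -f "$1" pull && docker compose -f "$1" up -d
}

# Constructed sample compose file (account IDs and repository names are made up).
sample_compose() {
  cat <<'EOF'
services:
  db:
    image: mysql:8
  api:
    image: 123456789012.dkr.ecr.eu-west-1.amazonaws.com/team/api:1.4.2
  worker:
    image: "123456789012.dkr.ecr.eu-west-1.amazonaws.com/team/worker:1.4.2"
  reports:
    image: 210987654321.dkr.ecr.us-east-1.amazonaws.com/reports:latest
EOF
}

# Run as: sh ecr-compose-up.sh --up docker-compose.yml
if [ "${1:-}" = "--up" ]; then
  ecr_compose_up "${2:-docker-compose.yml}"
fi
```

Team members who only pull need an IAM policy limited to ECR read actions on those repositories; the login step is the same.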

Yes, I managed to get docker compose to work, after struggling a bit before I was able to find a workaround for a bug in the AWS PowerShell documentation. I submitted the issue to AWS here: Unable to pipe (Get-ECRLoginCommand).Password to --password-stdin · Issue #270 · aws/aws-tools-for-powershell · GitHub