
I now have a private ECR repo and an EC2 instance. If I would like to pull the image from the private ECR on my local machine, I have to set up my AWS credentials by using aws configure and perform a docker login.

And now, I want to pull an image from the EC2 instance. When I try to run the docker command directly, it tells me to authenticate first. Is it possible to attach an IAM role to my EC2 instance and skip the docker login or aws ecr login workflow?

At this moment, I can only run aws configure inside the EC2 instance, and it seems to need an extra IAM user, which I am trying to avoid.


Answers


  1. I have to setup my AWS credential by using aws configure and perform a docker login.

    You don’t have to. If your code runs on EC2, you should use an instance IAM role instead of the regular setup of AWS credentials using aws configure.

  2. You don’t have to run aws configure on the EC2 machine; in fact, this would be a bad security practice. You should attach an AWS role which allows the EC2 instance to fetch the image and, more importantly, be able to grab the authorization token for the ECR registry. For example, you can create a policy with the following permissions to have read-only access to ECR images:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage",
                    "ecr:DescribeImages",
                    "ecr:GetAuthorizationToken",
                    "ecr:ListImages"
                ],
                "Resource": "*"
            }
        ]
    }
    

    Using this policy, create a new IAM service role and attach it to the EC2 instance.

    Now, even if you have this role attached, you will have to authenticate the Docker CLI using an authorization token.

  3. In addition to the other answers posted here stating you should use the EC2 IAM role instead of configuring a role with aws configure, I also suggest installing the Amazon ECR Credential Helper on your EC2 instance. Then you won’t have to perform a docker login.

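The two approaches above (a one-off docker login with a token obtained through the instance role, and the ECR credential helper so no login step is needed at all) as a single added example script; this is not code from the thread. It assumes the AWS CLI v2, docker and docker-credential-ecr-login are installed on the instance, and the account id, region and image name are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): authenticate docker against a private
# ECR registry from an EC2 instance using only the instance profile role.
# No "aws configure", no IAM user access keys: the CLI obtains the role's
# temporary credentials from the instance metadata service on its own.
set -eu

# Build the hostname of the private ECR registry for an account and region.
ecr_registry_host() {
    account_id="$1"; region="$2"
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$account_id" "$region"
}

# Approach 1: one-off login. ecr:GetAuthorizationToken (granted by the policy
# in answer 2) returns a token that docker accepts as the password for the
# fixed username "AWS"; the token expires after 12 hours, so cron jobs or
# long-lived hosts must repeat this before each pull.
ecr_docker_login() {
    account_id="$1"; region="$2"
    registry=$(ecr_registry_host "$account_id" "$region")
    aws ecr get-login-password --region "$region" \
        | docker login --username AWS --password-stdin "$registry"
}

# Approach 2: register the ECR credential helper for this registry only, so
# every "docker pull" fetches a fresh token itself. Note: this overwrites the
# target file; merge by hand if config.json already holds other settings.
write_cred_helper_config() {
    config_path="$1"; registry="$2"
    mkdir -p "$(dirname "$config_path")"
    printf '{\n  "credHelpers": {\n    "%s": "ecr-login"\n  }\n}\n' \
        "$registry" > "$config_path"
}

# Usage (placeholder values, replace before use):
#   sh ecr-pull.sh login  123456789012 us-east-1 my-app:latest
#   sh ecr-pull.sh helper 123456789012 us-east-1 my-app:latest
case "${1:-}" in
    login)
        ecr_docker_login "$2" "$3"
        docker pull "$(ecr_registry_host "$2" "$3")/$4" ;;
    helper)
        write_cred_helper_config "$HOME/.docker/config.json" \
            "$(ecr_registry_host "$2" "$3")"
        docker pull "$(ecr_registry_host "$2" "$3")/$4" ;;
esac
```

Either path needs the instance role to carry ecr:GetAuthorizationToken plus the BatchGetImage and GetDownloadUrlForLayer actions from the policy above; a CloudTrail entry for GetAuthorizationToken with the role's session name (rather than an IAM user) is the quick way to confirm the role, not stored keys, is being used.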