π
Docs
AWS ECR
Introduction
The AWS Elastic Container Registry (ECR) is a hosted docker repository that requires extra configuration for day-to-day use. This configuration is not typical of other repositories, and there are some considerations to account for when using it with Earthly. This guide will walk you through creating an Earthfile, building an image, and pushing it to ECR.
This guide assumes you have already installed the AWS CLI, and created a new repository named hello-earthly.
Create an Earthfile
No special considerations are needed in the Earthfile itself. You can use
SAVE IMAGE just like any other repository.1
FROM alpine:3.15
2
β
3
build:
4
RUN echo "Hello from Earthly!" > motd
5
ENTRYPOINT cat motd
6
SAVE IMAGE --push <aws_account_id>.dkr.ecr.<region>.amazonaws.com/hello-earthly:with-love
Copied!
Install and Configure the ECR Credential Helper
ECR does not issue permanent credentials. Instead, it relies on your AWS credentials to issue docker credentials. You can follow instructions to log in with generated credentials, but the process will need to be repeated every 12 hours. In practice, this often means lots of glue code in your CI pipeline to keep credentials up to date.
βAWS has released a credential helper to ease logging into ECR. It may be that you already have the credential helper installed, since it has been included with Docker Desktop as of version 2.4.0.0. If not, you can follow installation instructions on their GitHub repository here. Here is a sample
.docker/config.json to enable the usage of this helper:1
{
2
"credHelpers": {
3
"<aws_account_id>.dkr.ecr.<region>.amazonaws.com": "ecr-login"
4
}
5
}
Copied!
IAM
Ensure that you have correct permissions to push the images. The ECR helper is aware of the
AWS_PROFILE variable; and can work under an assumed role. Here is a minimum set of privileges needed to push to ECR from Earthly:1
{
2
"Version": "2008-10-17",
3
"Statement": [
4
{
5
"Sid": "AllowPushPull",
6
"Effect": "Allow",
7
"Principal": {
8
"AWS": [
9
"arn:aws:iam::<aws_account_id>:user/push-pull-user",
10
]
11
},
12
"Action": [
13
"ecr:GetAuthorizationToken",
14
"ecr:GetDownloadUrlForLayer",
15
"ecr:BatchGetImage",
16
"ecr:BatchCheckLayerAvailability",
17
"ecr:PutImage",
18
"ecr:InitiateLayerUpload",
19
"ecr:UploadLayerPart",
20
"ecr:CompleteLayerUpload"
21
]
22
}
23
]
24
}
Copied!
Run the Target
With the helper installed, no special To build and push an image, simply execute the build target. Don't forget the
--push flag!1
β― earthly --push +build
2
buildkitd | Found buildkit daemon as docker container (earthly-buildkitd)
3
alpine:3.15 | --> Load metadata linux/amd64
4
+base | --> FROM alpine:3.15
5
+base | [ββββββββββ] resolve docker.io/library/alpine:[email protected]:0bd0e9e03a022c3b0226667621da84fc9bf562a9056130424b5bfbd8bcb0397f ... 100%
6
+build | --> RUN echo "Hello from Earthly!" > motd
7
output | --> exporting outputs
8
output | [ββββββββββ] exporting layers ... 100%
9
output | [ββββββββββ] exporting manifest sha256:9ab4df74dafa2a71d71e39e1af133d110186698c78554ab000159cfa92081de4 ... 100%
10
output | [ββββββββββ] exporting config sha256:6feef98708c14c000a6489a2a99315a5328c2c16091851ae10438b53f655d042 ... 100%
11
output | [ββββββββββ] pushing layers ... 100%
12
output | [ββββββββββ] pushing manifest for <aws_account_id>.dkr.ecr.<region>.amazonaws.com/hello-earthly:with-love ... 100%
13
output | [ββββββββββ] sending tarballs ... 100%
14
=========================== SUCCESS ===========================
15
Loaded image: <aws_account_id>.dkr.ecr.<region>.amazonaws.com/hello-earthly:with-love
16
+build | Image +build as <aws_account_id>.dkr.ecr.<region>.amazonaws.com/hello-earthly:with-love (pushed)
Copied!
Pulling Images
Using this credential helper; you can also pull images without any special handling in an Earthfile:
1
FROM earthly/dind:alpine-main
2
β
3
run:
4
WITH DOCKER --pull <aws_account_id>.dkr.ecr.<region>.amazonaws.com/hello-earthly:with-love
5
RUN docker run <aws_account_id>.dkr.ecr.<region>.amazonaws.com/hello-earthly:with-love
6
END
Copied!
And here is how you would run it:
1
β― earthly -P +run
2
buildkitd | Found buildkit daemon as docker container (earthly-buildkitd)
3
earthly/dind:alpine | --> Load metadata linux/amd64
4
4/hello-earthly:with-love | --> Load metadata linux/amd64
5
4/hello-earthly:with-love | --> DOCKER PULL <aws_account_id>.dkr.ecr.<region>.amazonaws.com/hello-earthly:with-love
6
4/hello-earthly:with-love | [ββββββββββ] resolve <aws_account_id>.dkr.ecr.<region>.amazonaws.com/hello-earthly:[email protected]:9ab4df74dafa2a71d71e39e1af133d110186698c78554ab000159cfa92081de4 ... 100%
7
+base | --> FROM earthly/dind:alpine
8
+base | [ββββββββββ] resolve docker.io/earthly/dind:[email protected]:2cef4089960efe028de40721749e3ec6eba9f471562bf10681de729287bd78fb ... 100%
9
+run | *cached* --> WITH DOCKER (install deps)
10
+run | *cached* --> WITH DOCKER RUN docker run <aws_account_id>.dkr.ecr.<region>.amazonaws.com/hello-earthly:with-love
11
output | --> exporting outputs
12
output | [ββββββββββ] sending tarballs ... 100%
13
=========================== SUCCESS ===========================
Copied!
Troubleshooting
Basic Credentials Not Found
If you get a message saying
basic credentials not found; your distribution may not have the most recent version installed. A simple workaround is to simply prepend AWS_SDK_LOAD_CONFIG=true to your Earthly invocation. This will force the helper to use the SDK over built-in config when executing. You can track this issue.401 Unauthorized
Double-check your AWS credentials, to ensure you have the correct ones set up.
aws configure can help you do this. Also, check IAM to ensure you have the correct permissions (see the IAM section above). Finally, if you use IAM assumed roles, ensure that you have assumed the correct role in your terminal session.If you are using a pull-through-cache, the ECR credential helper may cause 401 failures when fetching metadata from the mirrored registry. You can solve this by manually logging in, instead of using the credential helper. Here is an example of logging in manually:
1
aws ecr get-login-password | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com
Copied!
Last modified 4mo ago