What is @aws-cdk/aws-ecr?
@aws-cdk/aws-ecr is an AWS Cloud Development Kit (CDK) library that allows you to define and manage Amazon Elastic Container Registry (ECR) resources using code. ECR is a fully managed Docker container registry that makes it easy to store, manage, and deploy Docker container images.
What are @aws-cdk/aws-ecr's main functionalities?
Create a new ECR Repository
This code sample demonstrates how to create a new ECR repository named 'my-repo' using the AWS CDK.
const ecr = require('@aws-cdk/aws-ecr');
const cdk = require('@aws-cdk/core');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
new ecr.Repository(this, 'MyRepository', {
repositoryName: 'my-repo'
});
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');
Add lifecycle policy to ECR Repository
This code sample demonstrates how to add a lifecycle policy to an ECR repository to retain only the last 5 images with the 'prod' tag.
const ecr = require('@aws-cdk/aws-ecr');
const cdk = require('@aws-cdk/core');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
const repository = new ecr.Repository(this, 'MyRepository', {
repositoryName: 'my-repo'
});
repository.addLifecycleRule({
tagPrefixList: ['prod'],
maxImageCount: 5
});
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');
Grant permissions to a user
This code sample demonstrates how to grant pull permissions to an IAM user for an ECR repository.
const ecr = require('@aws-cdk/aws-ecr');
const iam = require('@aws-cdk/aws-iam');
const cdk = require('@aws-cdk/core');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
const repository = new ecr.Repository(this, 'MyRepository', {
repositoryName: 'my-repo'
});
const user = new iam.User(this, 'MyUser');
repository.grantPull(user);
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');
Other packages similar to @aws-cdk/aws-ecr
aws-sdk
The aws-sdk package is the official AWS SDK for JavaScript, which provides a comprehensive set of tools for interacting with AWS services, including ECR. Unlike @aws-cdk/aws-ecr, which is used for defining infrastructure as code, aws-sdk is used for making API calls to AWS services.
serverless
The serverless framework is a toolkit for deploying and operating serverless architectures. It supports various AWS services, including ECR, for managing container images. While @aws-cdk/aws-ecr focuses on infrastructure as code, serverless provides a higher-level abstraction for deploying serverless applications.
terraform
Terraform is an open-source infrastructure as code software tool that provides a consistent CLI workflow to manage hundreds of cloud services, including AWS ECR. Terraform and @aws-cdk/aws-ecr both serve the purpose of defining cloud infrastructure, but Terraform is cloud-agnostic and can be used with multiple cloud providers.
Amazon ECR Construct Library
This package contains constructs for working with Amazon Elastic Container Registry.
Repositories
Define a repository by creating a new instance of Repository
. A repository
holds multiple verions of a single container image.
const repository = new ecr.Repository(this, 'Repository');
Image scanning
Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. You can manually scan container images stored in Amazon ECR, or you can configure your repositories to scan images when you push them to a repository. To create a new repository to scan on push, simply enable imageScanOnPush
in the properties
const repository = new ecr.Repository(stack, 'Repo', {
imageScanOnPush: true
});
To create an onImageScanCompleted
event rule and trigger the event target
repository.onImageScanCompleted('ImageScanComplete')
.addTarget(...)
Authorization Token
Besides the Amazon ECR APIs, ECR also allows the Docker CLI or a language-specific Docker library to push and pull
images from an ECR repository. However, the Docker CLI does not support native IAM authentication methods and
additional steps must be taken so that Amazon ECR can authenticate and authorize Docker push and pull requests.
More information can be found at at Registry Authentication.
A Docker authorization token can be obtained using the GetAuthorizationToken
ECR API. The following code snippets
grants an IAM user access to call this API.
import * as iam from '@aws-cdk/aws-iam';
import * as ecr from '@aws-cdk/aws-ecr';
const user = new iam.User(this, 'User', { ... });
ecr.AuthorizationToken.grantRead(user);
If you access images in the Public ECR Gallery as well, it is recommended you authenticate to the registry to benefit from
higher rate and bandwidth limits.
See Pricing
in https://aws.amazon.com/blogs/aws/amazon-ecr-public-a-new-public-container-registry/ and Service quotas.
The following code snippet grants an IAM user access to retrieve an authorization token for the public gallery.
import * as iam from '@aws-cdk/aws-iam';
import * as ecr from '@aws-cdk/aws-ecr';
const user = new iam.User(this, 'User', { ... });
ecr.PublicGalleryAuthorizationToken.grantRead(user);
This user can then proceed to login to the registry using one of the authentication methods.
Image tag immutability
You can set tag immutability on images in our repository using the imageTagMutability
construct prop.
new ecr.Repository(stack, 'Repo', { imageTagMutability: ecr.TagMutability.IMMUTABLE });
Automatically clean up repositories
You can set life cycle rules to automatically clean up old images from your
repository. The first life cycle rule that matches an image will be applied
against that image. For example, the following deletes images older than
30 days, while keeping all images tagged with prod (note that the order
is important here):
repository.addLifecycleRule({ tagPrefixList: ['prod'], maxImageCount: 9999 });
repository.addLifecycleRule({ maxImageAge: cdk.Duration.days(30) });