Product
Introducing Ruby Support in Socket
Socket is launching Ruby support for all users. Enhance your Rails projects with AI-powered security scans for vulnerabilities and supply chain threats. Now in Beta!
@aws-cdk/aws-ecr
Advanced tools
@aws-cdk/aws-ecr is an AWS Cloud Development Kit (CDK) library that allows you to define and manage Amazon Elastic Container Registry (ECR) resources using code. ECR is a fully managed Docker container registry that makes it easy to store, manage, and deploy Docker container images.
Create a new ECR Repository
This code sample demonstrates how to create a new ECR repository named 'my-repo' using the AWS CDK.
const ecr = require('@aws-cdk/aws-ecr');
const cdk = require('@aws-cdk/core');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
new ecr.Repository(this, 'MyRepository', {
repositoryName: 'my-repo'
});
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');
Add lifecycle policy to ECR Repository
This code sample demonstrates how to add a lifecycle policy to an ECR repository to retain only the last 5 images with the 'prod' tag.
const ecr = require('@aws-cdk/aws-ecr');
const cdk = require('@aws-cdk/core');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
const repository = new ecr.Repository(this, 'MyRepository', {
repositoryName: 'my-repo'
});
repository.addLifecycleRule({
tagPrefixList: ['prod'],
maxImageCount: 5
});
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');
Grant permissions to a user
This code sample demonstrates how to grant pull permissions to an IAM user for an ECR repository.
const ecr = require('@aws-cdk/aws-ecr');
const iam = require('@aws-cdk/aws-iam');
const cdk = require('@aws-cdk/core');
class MyStack extends cdk.Stack {
constructor(scope, id, props) {
super(scope, id, props);
const repository = new ecr.Repository(this, 'MyRepository', {
repositoryName: 'my-repo'
});
const user = new iam.User(this, 'MyUser');
repository.grantPull(user);
}
}
const app = new cdk.App();
new MyStack(app, 'MyStack');
The aws-sdk package is the official AWS SDK for JavaScript, which provides a comprehensive set of tools for interacting with AWS services, including ECR. Unlike @aws-cdk/aws-ecr, which is used for defining infrastructure as code, aws-sdk is used for making API calls to AWS services.
The serverless framework is a toolkit for deploying and operating serverless architectures. It supports various AWS services, including ECR, for managing container images. While @aws-cdk/aws-ecr focuses on infrastructure as code, serverless provides a higher-level abstraction for deploying serverless applications.
Terraform is an open-source infrastructure as code software tool that provides a consistent CLI workflow to manage hundreds of cloud services, including AWS ECR. Terraform and @aws-cdk/aws-ecr both serve the purpose of defining cloud infrastructure, but Terraform is cloud-agnostic and can be used with multiple cloud providers.
This package contains constructs for working with Amazon Elastic Container Registry.
Define a repository by creating a new instance of Repository
. A repository
holds multiple verions of a single container image.
const repository = new ecr.Repository(this, 'Repository');
Amazon ECR image scanning helps in identifying software vulnerabilities in your container images. You can manually scan container images stored in Amazon ECR, or you can configure your repositories to scan images when you push them to a repository. To create a new repository to scan on push, simply enable imageScanOnPush
in the properties
const repository = new ecr.Repository(this, 'Repo', {
imageScanOnPush: true,
});
To create an onImageScanCompleted
event rule and trigger the event target
declare const repository: ecr.Repository;
declare const target: SomeTarget;
repository.onImageScanCompleted('ImageScanComplete')
.addTarget(target);
Besides the Amazon ECR APIs, ECR also allows the Docker CLI or a language-specific Docker library to push and pull images from an ECR repository. However, the Docker CLI does not support native IAM authentication methods and additional steps must be taken so that Amazon ECR can authenticate and authorize Docker push and pull requests. More information can be found at at Registry Authentication.
A Docker authorization token can be obtained using the GetAuthorizationToken
ECR API. The following code snippets
grants an IAM user access to call this API.
const user = new iam.User(this, 'User');
ecr.AuthorizationToken.grantRead(user);
If you access images in the Public ECR Gallery as well, it is recommended you authenticate to the registry to benefit from higher rate and bandwidth limits.
See
Pricing
in https://aws.amazon.com/blogs/aws/amazon-ecr-public-a-new-public-container-registry/ and Service quotas.
The following code snippet grants an IAM user access to retrieve an authorization token for the public gallery.
const user = new iam.User(this, 'User');
ecr.PublicGalleryAuthorizationToken.grantRead(user);
This user can then proceed to login to the registry using one of the authentication methods.
You can set tag immutability on images in our repository using the imageTagMutability
construct prop.
new ecr.Repository(this, 'Repo', { imageTagMutability: ecr.TagMutability.IMMUTABLE });
By default, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES-256 encryption algorithm. For more control over the encryption for your Amazon ECR repositories, you can use server-side encryption with KMS keys stored in AWS Key Management Service (AWS KMS). Read more about this feature in the ECR Developer Guide.
When you use AWS KMS to encrypt your data, you can either use the default AWS managed key, which is managed by Amazon ECR, by specifying RepositoryEncryption.KMS
in the encryption
property. Or specify your own customer managed KMS key, by specifying the encryptionKey
property.
When encryptionKey
is set, the encryption
property must be KMS
or empty.
In the case encryption
is set to KMS
but no encryptionKey
is set, an AWS managed KMS key is used.
new ecr.Repository(this, 'Repo', {
encryption: ecr.RepositoryEncryption.KMS
});
Otherwise, a customer-managed KMS key is used if encryptionKey
was set and encryption
was optionally set to KMS
.
import * as kms from '@aws-cdk/aws-kms';
new ecr.Repository(this, 'Repo', {
encryptionKey: new kms.Key(this, 'Key'),
});
You can set life cycle rules to automatically clean up old images from your repository. The first life cycle rule that matches an image will be applied against that image. For example, the following deletes images older than 30 days, while keeping all images tagged with prod (note that the order is important here):
declare const repository: ecr.Repository;
repository.addLifecycleRule({ tagPrefixList: ['prod'], maxImageCount: 9999 });
repository.addLifecycleRule({ maxImageAge: Duration.days(30) });
1.145.0 (2022-02-18)
deployedBucket
attribute for sequencing (#15384) (edac101)FAQs
The CDK Construct Library for AWS::ECR
The npm package @aws-cdk/aws-ecr receives a total of 104,467 weekly downloads. As such, @aws-cdk/aws-ecr popularity was classified as popular.
We found that @aws-cdk/aws-ecr demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Product
Socket is launching Ruby support for all users. Enhance your Rails projects with AI-powered security scans for vulnerabilities and supply chain threats. Now in Beta!
Product
Ensure open-source compliance with Socket’s License Enforcement Beta. Set up your License Policy and secure your software!
Product
We're launching a new set of license analysis and compliance features for analyzing, managing, and complying with licenses across a range of supported languages and ecosystems.