image
ECR - Elastic Container Registry

Contents

Introduction
1
Introduction
PREVIEW4m 38s
What is Compute?
2
What is Compute in AWS?
PREVIEW2m 13s
Summary
11
Summary
7m 48s

The course is part of these learning paths

Entering the AWS world
11
5
Becoming an AWS Cloud Architect — Starter
33
9
15
1
Get Started Building Cloud Solutions
14
6
1
Fundamentals of AWS
10
7
6
2
more_horizSee 1 more
ECR - Elastic Container Registry
Overview
Difficulty
Beginner
Duration
1h 19m
Students
62090
Ratings
4.7/5
starstarstarstarstar-half
Description

Understanding the fundamentals of AWS is critical if you want to deploy services and resources within the AWS Cloud. The Compute category of services are key resources that allow you to carry out computational abilities via a series of instructions used by applications and systems. These resources cover a range of different services and features, these being:

  • EC2 - Amazon Elastic Compute Cloud 
  • ECS - Amazon Elastic Container Service
  • ECR - Amazon Elastic Container Registry
  • EKS - Amazon Elastic Container Service for Kubernetes
  • AWS Elastic Beanstalk
  • AWS Lambda
  • AWS Batch
  • Amazon Lightsail

This course will provide the fundamental elements of all of these Compute services and features that will allow you to select the most appropriate service for your project and implementations. Each have their advantages by providing something of value that’s different to the others, which will all be discussed.

Topics covered within this course consist of:

  • What is Compute:  This lecture explains what 'Compute' is and what is meant by Compute resources and services
  • Amazon Elastic Compute Cloud (EC2): This is one of the most common Compute services, as a result this will likely be the longest lecture as you will cover a lot of elements around EC2 to ensure you are aware of how it’s put together and how it works
  • Amazon ECS (EC2 Container Service): Within this lecture you will gain a high-level overview of what the EC2 Container Service is and how it relates to Docker
  • Amazon Elastic Container Registry: In this lecture you will consider how this service links closely with ECS to provide a secure location to store and manage your docker images
  • Amazon Elastic Container Service for Kubernetes (EKS): Here you will look at how EKS provides a managed service, allowing you to run Kubernetes across your AWS infrastructure without having to take care of running the Kubernetes control plane
  • AWS Elastic Beanstalk: This lecture will provide an overview of the service, showing you how it’s used to automatically deploy applications using EC2 and a number of other AWS services
  • AWS Lambda: This lecture covers the Lambda ‘serverless’ service, where you will explore what serverless means and how this service is used to run your own code in response to events
  • AWS Batch: Here you will consider a high-level overview of this service that relates to Batch Computing
  • Amazon Lightsail: Finally we will look at Amazon Lightsail, a Virtual Private Server solution used for small-scale projects and use cases

If you want to learn the differences between the different Compute services, then this course is for you! 

With demonstrations provided, along with links to a number of our labs that allow you to gain hands-on experience in using many of these services, you will gain a solid understanding of the Compute services used within AWS.

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.

Transcript

Resources referenced within this lecture:

Overview of AWS Identity & Access Managment (IAM)

Docker Push

Docker Pull

 

Transcript

Hello and welcome to this lecture covering the Elastic Container Registry service, known as ECR. This service links closely with the previous service discussed, the EC2 Container Service, as it provides a secure location to store and manage your docker images that can be distributed and deployed across your applications. 

This is a fully managed service, and as a result, you do not need to provision any infrastructure to allow you to create this registry of docker images. This is all provisioned and managed by AWS. This service is primarily used by developers, allowing them to push, pull, and manage their library of docker images in a central and secure location. 

To understand the service better, let's look at some components used. These being, registry, authorization token, repository, repository policy, and image. Let's take a look at the registry first. The ECR registry is the object that allows you to host and store your docker images in, as well as create image repositories. Within your AWS account, you will be provided with a default registry. When your registry is created, then by default, the URL for the registry is as follows:

https://aws_account_id.dkr.ecr.region.amazonaws.com

where you'll need to replace the red text with your own information that is applicable to your account or medium. Your account will have both read and write access by default to any images you create within the registry and any repositories. Access to your registry and images can be controlled via IAM policies in addition to repository policies as well, to enforce tighter and stricter security controls. As the docker command line interface doesn't support the different AWS authentication methods that are used, then before your docker client can access your registry, It needs to be authenticated as an AWS user, which will then allow your client to both push and pull images. And this is done by using an authorization token. To begin the authorization process to allow your docker client to communicate with the default registry, you can run the get login command using the AWS CLI, as shown:

aws ecr get-login --region region --no-include-email

where the red text should be replaced with your own region. This will then produce an output response, which will be a docker login command.

docker login -u AWS -p password https://aws_account_id.dkr.ecr.region.amazonaws.com

You must then copy this command and paste it into your docker terminal which will then authenticate your client and associate a docker CLI to your default registry. This process produces an authorization token that can be used within the registry for 12 hours, at which point, you will need to re-authenticate by following the same process. The repository are objects within your registry that allow you to group together and secure different docker images. You can create multiple repositories with the registry, allowing you to organize and manage your docker images into different categories. 

Using policies from both IAM and repository policies, you can assign permissions to each repository allowing specific users to perform certain actions, such as performing a push or pull IP line. As I just mentioned, you can control access to your repository and images using both IAM policies and repository policies. There are a number of different IAM managed policies to help you control access to ECR, these being the three shown on the screen.

AmazonEC2ContainerRegistryFullAccess
AmazonEC2ContainerRegistryPowerUser
AmazonEC2ContainerRegistryReadOnly

For more information on IAM and policies, please refer to our system course here, which covers IAM and policy creation and management. Repository policies are resource-based policies, which means you need to ensure you add a principle to the policy to determine who has access and what permissions they have. It's important to be aware of that for an AWS user to gain access to the registry, they will require access to the ecr get authorization token API call. Once they have this access, repository policies can control what actions those users can perform on each of the repositories. These resource-based policies are created within ECR itself and within each other repositories that you have. Once you have configured your registry, repositories, and security controls, and authenticated your docker client with ECR, you can then begin storing your docker images in the required repositories, ready to then pull down again as and when required. 

To push an image into ECR, you can use the docker push command, and to retrieve and image you can use the docker pull command. For more information on how to perform both a push and a pull of images, please see the following links.

Docker Pushhttps://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-push-ecr-image.html

Docker Pullhttps://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-pull-ecr-image.html

That now brings me to the end of this lecture covering the Elastic Container Registry service. Coming up in the next lecture, I shall be looking at the Amazon Elastic Container Service for Kubernetes, known as EKS.

About the Author
Avatar
Stuart Scott
AWS Content Director
Students
229749
Labs
1
Courses
216
Learning Paths
178

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.

Covered Topics

Amazon Web ServicesCompute for AWSAnalytics for AWSNetworking for AWSElastic Load BalancingAWS LambdaAmazon EC2Amazon LightsailAWS Elastic BeanstalkAmazon EKSAmazon Elastic Container Service (ECS)Amazon Elastic Container Registry (ECR)AWS BatchServerlessContainersNetworkingAnalyticsComputeHigh Availability