Now that you are able to build Docker images with Jib without needing a Docker daemon, your organization would most likely want to keep those images from being pulled publicly. In that case, it makes sense to store them in a private Docker registry.
Amazon Elastic Container Registry (ECR) is a cheap option to store both public and private Docker images. It makes even more sense to use AWS ECR if your organization is already invested in other AWS services such as IAM and ECS.
This tutorial covers installing the required software, setting up the AWS infrastructure and configuring settings to push a Docker image to a private Amazon ECR repository.
- Java 7+.
- Maven 3.2+.
- Python 2.6.5+ or Python 3.3+.
- aws-cli 1.x.y with support for AWS ECR operations.
- Go language, required by amazon-ecr-credential-helper.
3. INSTALLING MISSING DEPENDENCIES
I’m not going to cover installing Java, Maven and Python. A couple of Google searches will point to resources to do so.
You might have to install or upgrade aws-cli to a newer version for you to be able to run aws-cli ECR operations:
Follow the instructions at https://golang.org/doc/install to install Go.
This docker-credential-helper requires Go, previously installed:
Then move the resulting binary to a folder already in the execution PATH:
4. SETUP THE AWS INFRASTRUCTURE
I have been practicing creating dedicated AWS IAM users with privileges and roles for specific tasks, such as Setup a Maven repository using an AWS S3 bucket to store your Java artifacts, Deploying a static Jekyll site to Amazon S3, and so on.
Let’s create an IAM user with privileges to pull and push Docker images from a private ECR repository:
4.1. CREATE AWS IAM POLICY
- Open AWS IAM policies web page
- Click Create policy button
- Click JSON tab and enter this policy code:
Create an AWS IAM Policy for ECR - JSON code
- Click Review policy button
- Name it ecr-authOnly-policy and click Create policy button
4.2. CREATE AWS IAM USER
- Click Users -> Add user button
- Name it ecr-rw-user and check Programmatic access checkbox as the Access type
Create an AWS IAM User for ECR
- Click Next: Permissions button
- Click Attach existing policies directly tab
- Search and select previously created policy ecr-authOnly-policy
Create an AWS IAM User for ECR - Permissions
- Click Next: Review and Create user buttons
- Take note of the user’s Access key ID and Secret access key; you will need them later
Now that you have a dedicated IAM user with the least required privileges to pull / push Docker images from / to an ECR repository, let’s create the repository:
4.3. CREATE AWS ECR REPOSITORY
- Open AWS ECS web page
- Click Create repository button
- Name it asimio/springboot2-docker-demo and keep note of the autogenerated Repository URI; you will need it later
Create an AWS ECR repository - Configuration
- Click Next step and Done buttons
Besides the ecr-rw-user IAM entity having the ecr:GetAuthorizationToken permission in its attached policy, ECR repositories also need a resource-based access control policy.
- Click Permissions tab
- Click Add button
- Search for ecr-rw-user in All IAM entities list and » Add it to the Selected IAM entities list
- Check Push/Pull actions in the Actions section. This should automatically check several other permissions
Create an AWS ECR repository - Permissions
- Click Save all button
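The two-policy split set up in sections 4.1 and 4.3, written out as JSON and checked for drift. This is an added example, not the post's original policy code: both documents are reconstructed from the names and permissions mentioned above, the account ID is a placeholder, and audit is a hypothetical helper.

```python
import json

# Constructed policies; account ID 123456789012 is a placeholder.
IDENTITY_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*"}]}
""")
REPO_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "PushPull", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:user/ecr-rw-user"},
   "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
              "ecr:BatchCheckLayerAvailability", "ecr:PutImage",
              "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
              "ecr:CompleteLayerUpload"]}]}
""")

def as_list(value):
    """IAM accepts either a single value or a list in these fields."""
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    """Only Allow statements can widen access, so audit just those."""
    return [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def audit(identity_policy, repo_policy):
    """Return findings where a policy is broader than the split described."""
    findings = []
    for st in allow_statements(identity_policy):
        for action in as_list(st.get("Action", [])):
            if action != "ecr:GetAuthorizationToken":
                findings.append(f"identity policy grants extra action {action}")
    for st in allow_statements(repo_policy):
        principal = st.get("Principal", {})
        who = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if "*" in who:
            findings.append("repository policy allows any principal")
        for action in as_list(st.get("Action", [])):
            if "*" in action:
                findings.append(f"repository policy uses wildcard action {action}")
    return findings

if __name__ == "__main__":
    print(audit(IDENTITY_POLICY, REPO_POLICY) or "no findings")
```

The identity policy needs Resource "*" because ecr:GetAuthorizationToken is not scoped to a repository; the push/pull actions live only in the repository policy, tied to one principal.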
This is all you need to set up the AWS infrastructure to push private Docker images. Let’s now configure the development or build environment.
5. UPDATE GOOGLE JIB CONFIGURATION
Let’s update the existing jib-maven-plugin configuration in
Instead of pushing the resulting image to a public Docker Hub repository, I’m going to push it to a private Elastic Container Registry repository. But first let’s update some configuration settings.
6. LOCAL DOCKER, AWS PERMISSIONS CONFIGURATION
Let’s add a couple of configurations to be able to log in to the Amazon ECR repository with specific AWS IAM entity credentials:
credHelpers specifies credential helpers to use over auths to store and retrieve credentials for specific registries. If set, the binary docker-credential-<value> will be used for such purposes; in this case, docker-credential-ecr-login, installed earlier.
~/.aws/config allows you to run commands omitting it.
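How a credHelpers entry changes where registry credentials come from, as an added example that is not part of the original post. It models the Docker client's config.json lookup order (credHelpers, then credsStore, then auths); the registry host is a placeholder, and resolve and static_ecr_auths are hypothetical helpers.

```python
import json

# Constructed ~/.docker/config.json; the ECR registry host is a placeholder.
ECR_HOST = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
DOCKER_CONFIG = json.loads("""
{"auths": {"https://index.docker.io/v1/": {"auth": "PLACEHOLDER"}},
 "credHelpers": {"123456789012.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"}}
""")

def resolve(config, registry):
    """Return (source, detail) describing where credentials would come from."""
    helper = config.get("credHelpers", {}).get(registry)
    if helper:  # a per-registry helper wins over everything else
        return ("credHelpers", f"docker-credential-{helper}")
    store = config.get("credsStore")
    if store:   # default helper for all other registries
        return ("credsStore", f"docker-credential-{store}")
    if registry in config.get("auths", {}):
        return ("auths", "static credential stored in config.json")
    return ("none", "anonymous")

def static_ecr_auths(config):
    """List ECR registries that still carry a static token under auths,
    for example one left behind by an earlier docker login."""
    return sorted(host for host, entry in config.get("auths", {}).items()
                  if ".dkr.ecr." in host and entry.get("auth"))

if __name__ == "__main__":
    print(resolve(DOCKER_CONFIG, ECR_HOST))
    print(static_ecr_auths(DOCKER_CONFIG))
```

With the helper in place no ECR token is written to config.json; docker-credential-ecr-login obtains a short-lived one from the selected AWS profile on each push.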
7. BUILDING AND PUSHING THE DOCKER IMAGE
Let’s first build the Java artifact:
And now let’s build and push the Docker image:
AWS_PROFILE environment variable to select an AWS profile from
ecr-push-user in this case, created when setting up AWS permissions.
Pushing a Docker image to an AWS ECR repository
Logs and image show a Docker image created using Jib and pushed to a private ECR repository.
The steps outlined in this tutorial don’t need a Docker daemon since aws ecr get-login is not used.
Hosting your Docker images in Amazon Elastic Container Registry repositories is a very good option if your organization is using or planning to use other AWS services.
8. SOURCE CODE
Accompanying source code for this blog post can be found at: