Given the setup of:
- Application developed locally and pushed to an EC2 Container Registry private registry
- An Elastic Beanstalk environment set with a Docker host
In order to deploy my application, the Elastic Beanstalk single container guide says to make a Dockerrun.aws.json file.
The Elastic Beanstalk guide also says that to use images from (any) private repository, there needs to be a credentials file (with authentication token and email address) added to an S3 bucket.
Authentication to the EC2 Container Registry involves querying for a token that the docker login command can use, but it's only valid for 12 hours.
So, in theory, I can follow the Elastic Beanstalk guide, and use the aws ecr get-login, docker login ... command to get Docker to create the config file I need, convert that to a .dockercfg file and put it on S3.
If I then upload my Dockerrun.aws.json file as a new application version to Elastic Beanstalk, I can deploy it right then, if 12 hours haven't elapsed.
My concern is what happens after those 12 hours? If Elastic Beanstalk needs to auto-scale my application and spin up more instances, if it tries to use that S3-stored credential it will fail. Or if I realize I need to roll back to a previous version of my application, I can't just do that through the Elastic Beanstalk list of past application versions; I need to be on a machine with the AWS CLI installed and do the aws ecr get-login, docker login ..., upload to S3 dance again?
Is there a less fragile way to set up the authentication between Elastic Beanstalk and the EC2 Container Registry such that the 12-hour timeout isn't an issue?
Dockerrun.aws.json file, but that version also requires the authentication parameter point to a static, S3-hosted configuration file, so not sure how that solves the problem? – MidnightLightning
Does Amazon ECR work with AWS Elastic Beanstalk? .aws.amazon.com/ecr/faqs – Shibashis
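Added example (not part of the original question or comments): a sketch of the "convert that to a .dockercfg file" step and of the 12-hour staleness problem the question describes. The function names, the registry host, the account ID and the token are constructed placeholders, and the flat .dockercfg layout (the config.json content without its "auths" wrapper) is the assumption the conversion rests on.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

ECR_TOKEN_LIFETIME = timedelta(hours=12)  # lifetime stated in the question

# Constructed sample: placeholder account ID, region and token, not real values.
SAMPLE_REGISTRY = "https://123456789012.dkr.ecr.us-east-1.amazonaws.com"
SAMPLE_CONFIG_JSON = json.dumps({
    "auths": {
        SAMPLE_REGISTRY: {
            "auth": base64.b64encode(b"AWS:constructed-sample-token").decode(),
            "email": "none",
        }
    }
})


def config_json_to_dockercfg(config_text):
    """Unwrap Docker's config.json ("auths" wrapper) into the flat .dockercfg layout."""
    auths = json.loads(config_text).get("auths")
    if not isinstance(auths, dict) or not auths:
        raise ValueError("no 'auths' entries found; run docker login first")
    flat = {}
    for registry, entry in auths.items():
        if "auth" not in entry:
            # A credential helper leaves an empty entry, so nothing can be exported.
            raise ValueError(f"no inline credential stored for {registry}")
        # The auth field must be base64 of "user:password"; reject anything else.
        decoded = base64.b64decode(entry["auth"], validate=True).decode()
        user, sep, password = decoded.partition(":")
        if not (user and sep and password):
            raise ValueError(f"malformed auth value for {registry}")
        flat[registry] = {"auth": entry["auth"], "email": entry.get("email", "")}
    return json.dumps(flat, indent=2, sort_keys=True)


def credential_expired(issued_at, now=None):
    """True once the uploaded credential is at least 12 hours old."""
    now = now or datetime.now(timezone.utc)
    return now - issued_at >= ECR_TOKEN_LIFETIME


if __name__ == "__main__":
    print(config_json_to_dockercfg(SAMPLE_CONFIG_JSON))
    issued = datetime.now(timezone.utc) - timedelta(hours=13)
    print("expired:", credential_expired(issued))
```

Recording the issue time next to the uploaded file lets a scale-out or rollback check `credential_expired` before relying on the S3 copy.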