How to make 'aws ecr get-login' across regions?

3
votes

I have a docker registry in AWS ECR in region 'us-east-1'. Everything works fine on EC2 instances launched in 'us-east-1'. But when I launch an instance in 'eu-central-1' and try to run

$(aws ecr get-login --region us-east-1)

I get the following response

Error response from daemon: Get https://acc-id.dkr.ecr.us-east-1.amazonaws.com/v2/: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

If I run

aws ecr get-login --region us-east-1

I do see the following response

docker login -u AWS -p xxxx -e none https://acc_id.dkr.ecr.us-east-1.amazonaws.com

Ec2 instance has the following policy for the iam-role:

"Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:BatchGetImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage" ], "Resource": "*" }

Please tell me how can I have this cross-region ECR accessibility.

1
amazon-web-servicesamazon-ecs
this post helped dhimanvivek.com/aws/…Vivek

1 Answers

3
votes

Below procedure can be used for cross region image pull from ECR:

$(aws ecr get-login --no-include-email --region <region having repository> --registry-ids <id>)

docker pull <id>.dkr.ecr.us-west-1.amazonaws.com/<image_name>:<tag>

Below sample shows instance in region us-east-1 is pulling AWS Deep Learning Container Image from ECR hosted in us-west-1

To get region from EC2 instance metadata:

curl --silent http://169.254.169.254/latest/dynamic/instance-identity/document | grep region
  "region" : "us-east-1"

ECR Login:

$(aws ecr get-login --no-include-email --region us-west-1 --registry-ids 763104351884)
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Docker Pull:

docker pull 763104351884.dkr.ecr.us-west-1.amazonaws.com/tensorflow-training:1.13-cpu-py27-ubuntu16.04
1.13-cpu-py27-ubuntu16.04: Pulling from tensorflow-training
34667c7e4631: Already exists 
d18d76a881a4: Already exists 
119c7358fbfc: Already exists 
2aaf13f3eff0: Already exists 
7b890657bd19: Already exists 
f095a52e6583: Already exists 
182b3abfb706: Already exists 
89cc0ffab23c: Already exists 
7a24716f4857: Already exists 
Digest: sha256:65c7f58ac49ed39d5b6bde4f3800dbbf8d9f99b5316292b27315fb6a4b8be56b
Status: Downloaded newer image for 763104351884.dkr.ecr.us-west-1.amazonaws.com/tensorflow-training:1.13-cpu-py27-ubuntu16.04