AWS ECR is a fully managed Docker container registry that makes it easy for developers to store, manage, and deploy container images. It’s integrated with Amazon EC2, simplifying your development-to-production workflow and eliminating the need to operate your own container repositories.
Amazon Elastic Container Registry (AWS ECR) is an Amazon Web Service (AWS) product that stores, manages and deploys Docker images, which are managed clusters of Amazon EC2 instances. Amazon ECR allows all AWS developers to save configurations and quickly move them into a production environment, thus reducing overall workloads.
Amazon ECR is a regional service.
AWS ECR provides a command-line interface (CLI) and APIs to manage repositories and integrated services, such as Amazon Elastic Container Service (Amazon ECS), which installs and manages the infrastructure for these containers. The primary difference between Amazon ECR and ECS is that ECR provides the repository that stores all code that has been written and packaged as a Docker image, while ECS takes these images and actively uses them in the deployment of applications.
AWS ECR Benefits:
- Integrated role-based access control across all AWS services (IAM)
- Comprehensive, cross-service API audit logging and security (CloudTrail)
- Integration with other AWS services (24×7 support and consolidated billing)
- Training and architectural patterns/guidance (Well-Architected)
- No software to install/manage or infrastructure to scale
- Transfers container images over HTTPS; automatically encrypts images at rest
- Highly scalable, redundant, and durable architecture
- Integrates with Amazon ECS and the Docker CLI, easing development/production workflows
Other benefits are:
- High availability – The Amazon ECR architecture is highly scalable, durable and redundant. As a result, the Docker images are easily available and accessible and users can feasibly and dependably deploy new containers for their applications.
- Streamlines workflow – Integration with Amazon ECS and the Docker CLI allows users to simplify their development and production work processes by facilitating continuous integration (CI) and continuous deployment (CD) in Amazon ECS. Furthermore, container images can be easily pushed to Amazon ECR with the Docker CLI. From there, Amazon ECS can easily pull the images directly and use them for production deployments.
- Completely managed – Amazon ECR does not include any software that will need to be installed and managed or an infrastructure that has to be scaled. Users simply push images to ECR and pull them with any container management tool when they’re needed.
How AWS ECR works:
Amazon Elastic Container Registry writes and packages code in the form of a Docker image. It compresses, encrypts and manages access to the images — including all tags and versions — and controls image lifecycles. Amazon ECS pulls the necessary Docker images from ECR to be used in the deployment of apps and continues to manage containers everywhere — including Amazon Elastic Kubernetes Service (Amazon EKS), the AWS cloud and on-premises networks.
Amazon ECR automatically encrypts container images at rest with Amazon Simple Storage Service (Amazon S3) server-side encryption and allows administrators to use AWS Identity and Access Management (AWS IAM) to create restrictions that limit access to each repository. The container registry stores container images in S3 for high availability.
Components of AWS ECR:
Amazon ECR includes:
1) Docker images – This is the file that is used to execute code within a Docker container.
2) Repository – The Docker images are stored in the Amazon ECR repository. Developers can push and pull images to the repository. ECR uses resource-based permissions to let you specify who has access to a repository and what actions they can perform on it.
ECR lifecycle policies enable you to specify the lifecycle management of images in a repository.
3) Repository policy – Developers can use these policies to manage access to the repositories and the images within them.
4) Registry – All AWS accounts receive access to Amazon ECR that allows them to create repositories and store images in them. The URL for your default registry is https://aws_account_id.dkr.ecr.region.amazonaws.com.
5) Authorization token – Before it can push and pull images, the Docker client must be recognized as an AWS account holder. The AWS CLI get-login command provides you with authentication credentials to pass to Docker.
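The repository policies described in items 2 and 3 are JSON documents, so they can be checked before they are applied. The following is an added example, not code from AWS or from this page: it flags Allow statements that open a repository to any principal or that grant write actions through a wildcard. The sample policy, account ID and role name are constructed placeholders, and the list of write actions is a chosen subset of the ECR API.

```python
import fnmatch
import json

# ECR actions that change a repository's contents or its access policy.
WRITE_ACTIONS = {
    "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:BatchDeleteImage",
    "ecr:SetRepositoryPolicy", "ecr:DeleteRepository",
}

def as_list(value):
    """IAM policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def is_public(principal):
    """True when the principal is "*" or {"AWS": "*"}."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in as_list(aws)

def audit_repository_policy(policy_json):
    """Return (sid, finding) pairs for Allow statements that are too broad."""
    findings = []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = as_list(stmt.get("Action", []))
        # Expand wildcards such as "ecr:*" or "ecr:Put*" against the write set.
        writes = sorted(w for w in WRITE_ACTIONS
                        if any(fnmatch.fnmatchcase(w.lower(), a.lower()) for a in actions))
        if is_public(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((sid, "any principal allowed, no Condition"))
            if writes:
                findings.append((sid, "public write: " + ", ".join(writes)))
        elif writes and any("*" in a for a in actions):
            findings.append((sid, "wildcard grants write: " + ", ".join(writes)))
    return findings

# Constructed sample policy; the account ID and role name are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PullForDeployRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-deploy"},
     "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"]},
    {"Sid": "OpenToEveryone", "Effect": "Allow", "Principal": "*",
     "Action": "ecr:*"},
]})
```

Calling audit_repository_policy(SAMPLE_POLICY) reports only the OpenToEveryone statement; the pull-only statement scoped to a single role produces no finding.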