The default way to authenticate and then talk to the registry is through
docker login
The user name is AWS and the password can be retrieved using
aws ecr get-login-password
So far it’s pretty straightforward.
However, there is a caveat. The token from the AWS CLI is valid for 12 hours only. This is AWS's approach to securing access: if a token is compromised, it will expire, and only an authorised user can retrieve a new one.
One possible approach to keep the docker CLI working is to re-run
docker login
every 12 hours, which is not difficult but is very ugly.
Instead, AWS provides a credential helper. With aws-ecr-credential-helper installed, when we run the docker CLI it picks up this config from ~/.docker/config.json:
{
  "credHelpers": {
    "aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
  }
}
With that entry, docker leverages the helper to talk to the specific ECR registry. The helper in turn relies on the pre-configured ~/.aws/credentials and ~/.aws/config to pick up the right access key, secret, etc. to talk to ECR.
This is a cool solution not only for the Docker CLI but also for a lot of serverless platforms that rely on containers.
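To check that a machine has actually moved from stored docker login tokens to the helper, the lookup described above can be modelled and audited. This is an added example, not code from the original post or from AWS: the function names, the simplified precedence model (credHelpers, then credsStore, then auths) and the sample config with its account IDs are constructed for illustration.

```python
import json
import re

# ECR registry hostnames look like <12-digit account>.dkr.ecr.<region>.amazonaws.com
ECR_HOST = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def _host(key):
    """Strip scheme and path from a config.json registry key."""
    return re.sub(r"^https?://", "", key).split("/")[0]


def resolve(config, registry):
    """Return where docker would get credentials for `registry` (simplified model)."""
    helpers = config.get("credHelpers", {})
    if registry in helpers:
        # "ecr-login" maps to the binary docker-credential-ecr-login
        return "helper:docker-credential-" + helpers[registry]
    if config.get("credsStore"):
        return "store:docker-credential-" + config["credsStore"]
    for key, entry in config.get("auths", {}).items():
        if _host(key) == registry and entry.get("auth"):
            return "static"  # token written to disk by docker login
    return "anonymous"


def audit(config):
    """List ECR registries that still depend on a stored docker login token."""
    hosts = {_host(k) for k in config.get("auths", {})}
    return sorted(h for h in hosts
                  if ECR_HOST.match(h) and resolve(config, h) == "static")


# Constructed sample config.json: one registry uses the helper, one does not.
SAMPLE = json.loads("""
{
  "auths": {
    "111111111111.dkr.ecr.us-east-1.amazonaws.com": {"auth": "CONSTRUCTED"},
    "https://222222222222.dkr.ecr.eu-west-1.amazonaws.com": {"auth": "CONSTRUCTED"}
  },
  "credHelpers": {"111111111111.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"}
}
""")

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print("static ECR token on disk, add a credHelpers entry:", host)
```

Registries reported by audit() are the ones that will start failing once their 12-hour token expires, and whose token sits in config.json until then.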