
Amazon Lightsail container service access to Amazon ECR private repositories

Amazon Elastic Container Registry (Amazon ECR) is an AWS managed container image registry service that supports private repositories with resource-based permissions using AWS Identity and Access Management (IAM). You can give your Amazon Lightsail container services access to your Amazon ECR private repositories in the same AWS Region. Then, you can deploy images from your private repository to your container services.

Note: We recommend that you use the Lightsail console to manage container service access to Amazon ECR private repositories. When you use the console, you don't have to manually add the Amazon Resource Name (ARN) of the IAM role principal to the permissions policy of each private repository; Lightsail does it for you.

Required permissions
The user who will manage access for Lightsail container services to Amazon ECR private repositories must have one of the following permissions policies in IAM.

Grant access to any Amazon ECR private repository
The following permissions policy grants a user permission to configure access to any Amazon ECR private repository in your account, in any AWS Region. Because ecr:SetRepositoryPolicy lets its holder grant any principal access to a repository's images, prefer the repository-scoped policy in the next section when you can.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageEcrPrivateRepositoriesAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:DeleteRepositoryPolicy",
        "ecr:GetRepositoryPolicy"
      ],
      "Resource": "arn:aws:ecr:*:AwsAccountId:repository/*"
    }
  ]
}
```

In the policy, replace AwsAccountId with your AWS account ID number.

Grant access to a specific Amazon ECR private repository
The following permissions policy grants a user permission to configure access to a specific Amazon ECR private repository, in a specific AWS Region.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageEcrPrivateRepositoriesAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:DeleteRepositoryPolicy",
        "ecr:GetRepositoryPolicy"
      ],
      "Resource": "arn:aws:ecr:AwsRegion:AwsAccountId:repository/RepositoryName"
    }
  ]
}
```

In the policy, replace the following example text with your own:

AwsRegion — The AWS Region code (for example, us-east-1) of the private repository. Your Lightsail container service must be in the same AWS Region as the private repositories that you want to access.

AwsAccountId — Your AWS account ID number.

RepositoryName — The name of the private repository for which you want to manage access.

Following is an example of the permissions policy populated with example values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageEcrPrivateRepositoriesAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:SetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:DeleteRepositoryPolicy",
        "ecr:GetRepositoryPolicy"
      ],
      "Resource": "arn:aws:ecr:us-east-1:111122223333:repository/my-private-repo"
    }
  ]
}
```

Manage access to private repositories using the Lightsail console
Complete the following procedure to configure access for a Lightsail container service to an Amazon ECR private repository.

  1. Sign in to the Lightsail console.
  2. On the Lightsail home page, choose the Containers tab.
  3. Choose the name of the container service for which you want to configure access to an Amazon ECR private repository.
  4. Choose the Images tab.
  5. Choose one of the following options in the Amazon ECR private repositories section of the page:
  • Add repository to grant access for your container service to an Amazon ECR private repository. To finish adding the repository, continue to step 6 of this procedure.

  • Remove to remove access for your container service from a previously added Amazon ECR private repository. Access from your container service to the repository is immediately removed.

  6. In the dropdown that appears, select the private repository that you would like to access.
  7. Choose Add. Lightsail takes a few moments to activate the Amazon ECR image puller IAM role for your container service, which includes a principal Amazon Resource Name (ARN). Lightsail then automatically adds the IAM role principal ARN to the permissions policy of the Amazon ECR private repository that you selected. This grants your container service access to the private repository and its images. Don't close the browser window until the modal that appears indicates that the process is completed and you can choose Continue.
  8. Choose Continue when the activation is completed. The selected Amazon ECR private repository is listed in the Amazon ECR private repositories section of the page. To use an image from your repository, specify the URI format that is displayed on the page in your container service deployment. In the URI, replace the example tag with the tag of the image you want to deploy.
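What the console does in step 7 is write a resource-based policy on the repository that names the image puller role's principal ARN and allows the actions a pull needs. The following added example (not code from the original post or from AWS) models that repository policy so you can audit what the console produced, or reproduce it when you need to manage the policy yourself. It also enforces the same-Region rule from the permissions section by parsing the repository ARN. The account ID, repository name, the principal ARN (a placeholder; the real one is shown by Lightsail after activation), and the statement ID are assumed values.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed example values; replace with your own.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
REPOSITORY_ARN = f"arn:aws:ecr:{REGION}:{ACCOUNT_ID}:repository/my-private-repo"
# Hypothetical principal ARN of the Lightsail ECR image puller role. The real
# ARN is displayed by Lightsail once the role has been activated.
PULLER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/LightsailEcrImagePullerRoleExample"

# The two ECR actions a registry client needs to pull an image.
PULL_ACTIONS = ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
STATEMENT_ID = "AllowLightsailPull"  # assumed name, not a value Lightsail documents


def parse_repository_arn(arn: str) -> Dict[str, str]:
    """Split arn:aws:ecr:<region>:<account>:repository/<name> into its parts."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "ecr" or not parts[5].startswith("repository/"):
        raise ValueError(f"not an ECR repository ARN: {arn}")
    return {"region": parts[3], "account": parts[4], "name": parts[5][len("repository/"):]}


def same_region(repository_arn: str, service_region: str) -> bool:
    """Lightsail can only pull from repositories in the container service's Region."""
    return parse_repository_arn(repository_arn)["region"] == service_region


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principals(statement: Dict[str, Any]) -> List[str]:
    principal = statement.get("Principal", {})
    if principal == "*":          # anonymous access: grants everyone, including our role
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS", []))]
    return []


def grants_pull(policy: Dict[str, Any], principal_arn: str) -> bool:
    """True if some Allow statement gives principal_arn (or everyone) both pull actions."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        principals = _principals(statement)
        if principal_arn not in principals and "*" not in principals:
            continue
        actions = set(_as_list(statement.get("Action", [])))
        if set(PULL_ACTIONS) <= actions or "ecr:*" in actions:
            return True
    return False


def pull_statement(principal_arn: str) -> Dict[str, Any]:
    return {
        "Sid": STATEMENT_ID,
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": list(PULL_ACTIONS),
    }


def add_pull_access(policy_text: Optional[str], principal_arn: str) -> str:
    """Merge a pull grant for principal_arn into an existing policy (or a new one).

    Existing statements are preserved; nothing is added if the grant already exists.
    """
    policy = json.loads(policy_text) if policy_text else {"Version": "2012-10-17", "Statement": []}
    policy["Statement"] = _as_list(policy.get("Statement", []))
    if not grants_pull(policy, principal_arn):
        policy["Statement"].append(pull_statement(principal_arn))
    return json.dumps(policy, indent=2)


def remove_pull_access(policy_text: str, principal_arn: str) -> str:
    """Drop every statement whose only principal is principal_arn."""
    policy = json.loads(policy_text)
    policy["Statement"] = [
        s for s in _as_list(policy.get("Statement", []))
        if _principals(s) != [principal_arn]
    ]
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    if not same_region(REPOSITORY_ARN, REGION):
        raise SystemExit("repository and container service must be in the same Region")
    print(add_pull_access(None, PULLER_ROLE_ARN))
```

To audit a live repository, fetch its policy with `aws ecr get-repository-policy --repository-name my-private-repo --query policyText --output text` and pass the text to grants_pull; to apply the merged document, write it to a file and run `aws ecr set-repository-policy --repository-name my-private-repo --policy-text file://policy.json`. The merge deliberately keeps other principals' statements intact, since set-repository-policy replaces the whole policy, and grants_pull treats a `"Principal": "*"` statement as granting the role access so that an unintentionally public repository is not mistaken for a correctly scoped one.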
