What is the best practice to pull a Docker image located in a repository in ECS from an EC2 instance?

  • I pushed Docker images into my repository located under ECS.
  • I would like to launch an EC2 instance and pull these images from it.

I am used to taking advantage of ECS tasks. To just run a Docker container for 5 min, I need to go to Auto Scaling, set the minimum to 1, go to the ECS page, wait for an instance to be up and run my task. Too annoying for my personal use. I'd like to run it quickly and stop it quickly.

I wanted to simply run my Docker container, but OK, that's not possible, so I am thinking of creating an EC2 template that will directly run my Docker container inside an EC2 instance.

  • How to do it?
  • How can I handle the keys/users and the AWS CLI inside my EC2? (The access key/secret access key are limited to 30 min; I can't write them in clear text in the User Data of an EC2 instance/template.)

I think my need is very basic and I couldn't find the best way to do it. Blog articles mainly explain how to run Docker on Linux, not the best way to do it on AWS.

1 Answer

This can be accomplished with a combination of the EC2 instance role, and a script that performs docker login followed by a docker pull for your pushed image.

Pre-requisites: An EC2 instance with the AWS CLI and Docker installed.

First, you'll have to add the inbuilt AmazonEC2ContainerRegistryReadOnly IAM policy to your EC2 instance's IAM role (this grants read access to all pushed images). If you'd like things to be more restrictive, you can use the following policy instead:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GrantSingleImageReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage"
      ],
      "Resource": "arn:aws:ecr:<region>:<aws-account-id>:repository/<image-name>"
    },
    {
      "Sid": "GrantECRAuthAccess",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}

Next, you'll have to create a script to perform login and image pull for you. A typical script would look something like this:

#!/bin/bash
set -euo pipefail
aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.<region>.amazonaws.com
docker pull <aws-account-id>.dkr.ecr.<region>.amazonaws.com/<image-name>:<optional-tag>

Note that this script will have to run as the root user for proper Docker daemon access.

Another way of solving this altogether would be to look into automation options for ECS tasks.
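A small policy check, added here as an example and not part of the original answer: it builds the single-repository read-only policy described above with the repository ARN that IAM expects in `Resource`, and flags the mistakes that silently widen access (registry hostname instead of an ARN, wildcard actions, or repository actions granted on `*`). The account ID, region and repository name are constructed sample values.

```python
import re

# Repository-level ECR actions a pull needs; each can be scoped to one repository ARN.
REPO_SCOPED_ACTIONS = {
    "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
    "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages",
    "ecr:DescribeImages", "ecr:BatchGetImage",
}
# GetAuthorizationToken is registry-wide and is only valid with Resource "*".
AUTH_ACTION = "ecr:GetAuthorizationToken"
# IAM expects the repository ARN here, not the registry hostname that docker uses.
REPO_ARN = re.compile(r"^arn:aws:ecr:[a-z0-9-]+:\d{12}:repository/[a-z0-9._/-]+$")


def build_pull_policy(account_id, region, repo_name):
    """Least-privilege read-only policy for a single ECR repository."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "GrantSingleImageReadOnlyAccess", "Effect": "Allow",
             "Action": sorted(REPO_SCOPED_ACTIONS),
             "Resource": f"arn:aws:ecr:{region}:{account_id}:repository/{repo_name}"},
            {"Sid": "GrantECRAuthAccess", "Effect": "Allow",
             "Action": AUTH_ACTION, "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_pull_policy(policy):
    """Return findings for Allow statements broader than a single-repository pull."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # Everything except the auth token call should be pinned to a repository ARN.
        repo_actions = [a for a in _as_list(stmt.get("Action", [])) if a != AUTH_ACTION]
        for action in repo_actions:
            if action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])) if repo_actions else []:
            if resource == "*":
                findings.append(f"{sid}: repository actions allowed on every resource")
            elif not REPO_ARN.match(resource):
                findings.append(f"{sid}: Resource {resource!r} is not an ECR repository ARN")
    return findings
```

Run `lint_pull_policy` over the policy you are about to attach to the instance role; an empty list means every repository action is pinned to one repository ARN.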

4 Comments

Important note: if you attach an IAM policy to an EC2 instance, most AWS tools will be able to find the credentials that come from that automatically; you don't need to manually set or pass around an AWS access key ID.
It's exactly what I was about to ask before reading your comment. That's very nice and I was afraid of that. Thanks!
I'd like to avoid ECS tasks that are good only if we want them all the time. Your solution is working perfectly flawlessly. Thanks Kunal!
The command is wrong; it should be "aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.<region>.amazonaws.com", and then you can pull the image with "docker pull <aws-account-id>.dkr.ecr.<region>.amazonaws.com/<image-name>:<optional-tag>".