Working With AWS ECR on Kubernetes Running on Docker for mac

How to pull easily with a bash script images from Amazon ECR (Elastic Container Registry) docker images and run them on local Kubernetes

August 27, 2019
AWS Kubernetes Docker

When you choose to run your kubernetes cluster on AWS, there are 2 easy ways:

  1. The almost valina way using Kops
  2. The amazon way using EKS

The common thing between both ways, is using Amazon ECR for storing the docker images and have a worry free push, pull to and from Amazon ECR which requires a IAM Role that allows the worker nodes pulling the images saftly.

Amazon ECR

Amazon Elastic Container Service is one of the cheapst ways to store docker images and safer due to the nature of Amazon IAM. To pull from ECR you first need to authenticate using you AWS credentials, or role, get a token, do docker login to your ECR with the server address, and pull from the repository the docker image.

Seems hard, well it’s not that bad. Let’s do a short walkthrough from scratch assuming you are on a Mac

# Install awscli
brew install awscli

# Configure awscli
awscli configure
# Follow the configuration prompt putting your Access key and Token, this will create a ~/.aws/credentials file with your credentials

# Login to your ECR in the needed region
$(aws ecr get-login --no-include-email --region eu-west-2)
# This will get the docker login ready with the username, token and registry URL and will execute it.

If everything went ok, then you should get these lines:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

So now you are able to pull and push to ECR, assuming you have the proper permissions.

There are builtin AWS Policies for read only AmazonEC2ContainerRegistryReadOnly For read and write AmazonEC2ContainerRegistryPowerUser And for read, write and delete AmazonEC2ContainerRegistryFullAccess If you have more limitation needed, a specific region or something else, copy the policies and limit on new ones.

Docker for Mac

So, now that we have all ready, lets install docker After installation click the docker icon and select Prefrences and enable Kubernetes and click apply

Pulling docker images

So, now we have a running docker and kubernetes, and we are ready to pull images from ECR, and I’ts quite easy :) I’ve made a short gist that generates a registry-secret named ECR that I can use to pull images

  1. Make sure to set the proper region
  2. Make sure to be in the right kubectl context

Now, we have set in the default Kubernetes namespace a registry secret that allows to pull docker images from ECR, this secret contains the temporary token that AWS API responded with. so, if you have a long running cluster on your machine, you will need to delete and recreate it once the token expired.

AWS Credentials secret

Now let’s make another generic secret containing our AWS credentials with another easy bash script

And now we can deploy any docker image in our ECR that uses aws credentials (On AWS use Roles and not credentials if possible) named aws_credentials.

Sample app deployment from ECR to local Kubernetes

So my yaml deployment will now look like this:

Enjoy your running application on your local Kubernetes cluster pulled from ECR and uses AWS Credentials.

comments powered by Disqus