Skip to content

Public endpoint for AWS Elastic Container Registry

License

Notifications You must be signed in to change notification settings

rshillington/aws-ecr-public

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Public AWS Elastic Container Registry

Host any Elastic Container Registry (ECR) publicly on a custom domain using this serverless proxy.

Give it a spin:

# pull a container from a registry named nginx with no authentication
docker pull v3iomfy255.execute-api.us-east-2.amazonaws.com/nginx:alpine

Solution Overview

ECR doesn't support public registries. Instead, the docker client needs to authenticate with ECR using AWS IAM credentials which requires the AWS CLI or an SDK that can generate those credentials.

If you would like to make your registries publicly available then this solution can help. It deploys an API Gateway and a Lambda function that act as a proxy for AWS ECR. Custom authentication can easily be added in the API Gateway. Roll your own JWT-based authentication or whatever you desire. Additionally, you can configure the API Gateway to be private and thus limit access to docker clients within your VPC.

diagram

Deploy

launch

Download Template

Template Parameters

Parameter Required Description
DomainName No If provided an ACM Certificate and API Domain Name will be created
ValidationDomain No Overwrite default Validation Domain for ACM Certificate
ValidationMethod Yes, Default: EMAIL Allow you to use DNS instead of EMAIL for Certificate validation

FAQ

How can I host this proxy on a custom domain?

Simply provide the DomainName parameter when you create the stack. This will create an ACM certificate and API Domain Name resource. The Regional Domain Name and Hosted Zone ID can be found in the outputs tab of the stack. You will need those to create the DNS record in Route 53 (or similar DNS service).

For Route 53, open your hosted zone, create a New Record Set, enter the domain name, set Alias to Yes and paste the RegionalDomainName in the Alias Target field.

How can I restrict access to certain registries?

By default all registries in the account and region will be made publicly available. To limit the number of publicly available repositores, attach a custom policy to the Lambda execution role (look for ${AWS::StackName}-LambdaRole-*). The following policy will restrict public access to the myapp repository (make sure you replace the variables with your region and account id).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage"
            ],
            "NotResource": [
                "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/myapp"
            ],
            "Effect": "Deny"
        }
    ]
}

Develop

npm install --global cfn-include
make build
make test  # create/update CloudFormation stack
make clean # delete CloudFormation stack

In the works

  • Cross-account and cross-region access to registries
  • Tag-based permissions
  • Implement additional endpoints for listing images and tags

About

Public endpoint for AWS Elastic Container Registry

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 78.9%
  • Makefile 21.1%