How to set up ECR as a registry in Rancher and keep the credentials updated.
August 21, 2017aws ecr rancher
NOTE: This article is about Rancher v1. Since Rancher v2 is now in GA, the information here might not be as relevant.
If you’re using AWS, chances are you’ve come across the EC2 Container Service (ECS) and its sibling, the Elastic Container Registry (ECR). While Rancher and ECS overlap in functionality, there is an argument for using ECR if you already have services deployed in AWS. You might not want to run your own registry service such as Gitlab’s Container Registry or jFrog’s Artifactory. You might not want to keep everything public, like you would have to do with the free offering from Docker Hub, and you may not want to pay Docker for private registry space. ECR is a perfectly valid alternative.
Because ECR is an AWS utility, it works with the AWS IAM model. AWS expects that your hosts have ECR access built into their IAM policy to pull and push containers, and any host that lives outside of AWS will need to authenticate and receive a temporary login to use with Docker.
All of this is outlined in the ECR documentation that AWS presents to you when you create a new image repository, but the summary looks something like this:
- Create a repository
- Log into ECR
aws ecr get-login --no-include-email --region us-east-2
- Use the
docker logincommand returned to you to authenticate against ECR
- Build your image
- Tag the image for your ECR repo, which will be named something like
- Push the image to ECR like any other registry
Using ECR With Rancher
Because of the IAM model and the temporary keys, Rancher needs to know how to fetch and update the temporary login. We use the ECR Credential Updater catalog item to do this.
- From Infrastructure Stacks, choose Add From Catalog
- Choose the ECR Credential Updater item
- Enter your IAM access and secret keys
- Choose your EC2 region
- If you wish for Rancher to create the Registry item for you in its configuration (if you haven’t already done so), select true under Auto Create
- Click Launch
Rancher will install the item and create the registry if you told it to do so. When this is done, you will be able to deploy images from ECR the way you can with any other registry, in both Cattle and Kubernetes.