Using Amazon ECR With Rancher

How to set up ECR as a registry in Rancher and keep the credentials updated.
August 21, 2017
aws ecr rancher

NOTE: This article is about Rancher v1. Since Rancher v2 is now in GA, the information here might not be as relevant.

ECR Overview

If you’re using AWS, chances are you’ve come across the EC2 Container Service (ECS) and its sibling, the Elastic Container Registry (ECR). While Rancher and ECS overlap in functionality, there is an argument for using ECR if you already have services deployed in AWS. You might not want to run your own registry service such as GitLab’s Container Registry or JFrog’s Artifactory. You might not want to keep everything public, like you would have to do with the free offering from Docker Hub, and you may not want to pay Docker for private registry space. ECR is a perfectly valid alternative.

Because ECR is an AWS utility, it works with the AWS IAM model. AWS expects that your hosts have ECR access built into their IAM policy to pull and push containers, and any host that lives outside of AWS will need to authenticate and receive a temporary login to use with Docker.

All of this is outlined in the ECR documentation that AWS presents to you when you create a new image repository, but the summary looks something like this:

Using ECR With Rancher

Because of the IAM model and the temporary keys, Rancher needs to know how to fetch and update the temporary login. We use the ECR Credential Updater catalog item to do this.

Rancher will install the item and create the registry if you told it to do so. When this is done, you will be able to deploy images from ECR the way you can with any other registry, in both Cattle and Kubernetes.
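What keeping the temporary login updated involves on each cycle, as an added example (not code from the ECR Credential Updater or from this article): decode the login carried in an ECR GetAuthorizationToken response, decide when to refresh it, and keep the password out of logs. Assumptions: the function names and the one-hour refresh margin are hypothetical, the sample response is constructed with placeholder values, and `expiresAt` is taken to be epoch seconds.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample shaped like an ECR GetAuthorizationToken response.
# Account ID, region and password are placeholders, not real values.
SAMPLE_RESPONSE = json.dumps({
    "authorizationData": [{
        "authorizationToken": base64.b64encode(b"AWS:constructed:secret").decode(),
        "expiresAt": 1503360000,  # assumed epoch seconds: 2017-08-22T00:00:00Z
        "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
    }]
})


def parse_registry_login(response_json):
    """Extract the Docker registry login carried in the API response."""
    entry = json.loads(response_json)["authorizationData"][0]
    decoded = base64.b64decode(entry["authorizationToken"]).decode("utf-8")
    # The token is "username:password"; split once so a colon inside the
    # password is preserved.
    username, password = decoded.split(":", 1)
    return {
        "registry": urlparse(entry["proxyEndpoint"]).netloc,
        "username": username,
        "password": password,
        "expires_at": datetime.fromtimestamp(entry["expiresAt"], tz=timezone.utc),
    }


def needs_refresh(login, now, margin=timedelta(hours=1)):
    """True once 'now' is within 'margin' of expiry, so the stored login is
    replaced before hosts start failing pulls."""
    return now >= login["expires_at"] - margin


def redacted(login):
    """Log-safe copy: the password is a live credential until it expires."""
    return {**login, "password": "***",
            "expires_at": login["expires_at"].isoformat()}


if __name__ == "__main__":
    login = parse_registry_login(SAMPLE_RESPONSE)
    print(redacted(login))
    print(needs_refresh(login, datetime(2017, 8, 21, 23, 30, tzinfo=timezone.utc)))
```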