Package software.amazon.awscdk.services.ecr
Amazon ECR Construct Library
This package contains constructs for working with Amazon Elastic Container Registry.
Repositories
Define a repository by creating a new instance of Repository. A repository
holds multiple versions of a single container image.
Repository repository = new Repository(this, "Repository");
Image scanning
Amazon ECR image scanning helps in identifying software vulnerabilities in your container images.
You can manually scan container images stored in Amazon ECR, or you can configure your repositories
to scan images when you push them to a repository. To create a new repository to scan on push, simply
enable imageScanOnPush in the properties.
Repository repository = Repository.Builder.create(this, "Repo")
.imageScanOnPush(true)
.build();
To create an onImageScanCompleted event rule and trigger the event target
Repository repository;
SomeTarget target;
repository.onImageScanCompleted("ImageScanComplete").addTarget(target);
Authorization Token
Besides the Amazon ECR APIs, ECR also allows the Docker CLI or a language-specific Docker library to push and pull images from an ECR repository. However, the Docker CLI does not support native IAM authentication methods and additional steps must be taken so that Amazon ECR can authenticate and authorize Docker push and pull requests. More information can be found at at Registry Authentication.
A Docker authorization token can be obtained using the GetAuthorizationToken ECR API. The following code snippets
grants an IAM user access to call this API.
User user = new User(this, "User"); AuthorizationToken.grantRead(user);
If you access images in the Public ECR Gallery as well, it is recommended you authenticate to the registry to benefit from higher rate and bandwidth limits.
See
Pricingin https://aws.amazon.com/blogs/aws/amazon-ecr-public-a-new-public-container-registry/ and Service quotas.
The following code snippet grants an IAM user access to retrieve an authorization token for the public gallery.
User user = new User(this, "User"); PublicGalleryAuthorizationToken.grantRead(user);
This user can then proceed to login to the registry using one of the authentication methods.
Other Grantee
grantPush
The grantPush method grants the specified IAM entity (the grantee) permission to push images to the ECR repository. Specifically, it grants permissions for the following actions:
- 'ecr:CompleteLayerUpload'
- 'ecr:UploadLayerPart'
- 'ecr:InitiateLayerUpload'
- 'ecr:BatchCheckLayerAvailability'
- 'ecr:PutImage'
- 'ecr:GetAuthorizationToken'
Here is an example of granting a user push permissions:
Repository repository;
Role role = Role.Builder.create(this, "Role")
.assumedBy(new ServicePrincipal("codebuild.amazonaws.com"))
.build();
repository.grantPush(role);
grantPull
The grantPull method grants the specified IAM entity (the grantee) permission to pull images from the ECR repository. Specifically, it grants permissions for the following actions:
- 'ecr:BatchCheckLayerAvailability'
- 'ecr:GetDownloadUrlForLayer'
- 'ecr:BatchGetImage'
- 'ecr:GetAuthorizationToken'
Repository repository;
Role role = Role.Builder.create(this, "Role")
.assumedBy(new ServicePrincipal("codebuild.amazonaws.com"))
.build();
repository.grantPull(role);
grantPullPush
The grantPullPush method grants the specified IAM entity (the grantee) permission to both pull and push images from/to the ECR repository. Specifically, it grants permissions for all the actions required for pull and push permissions.
Here is an example of granting a user both pull and push permissions:
Repository repository;
Role role = Role.Builder.create(this, "Role")
.assumedBy(new ServicePrincipal("codebuild.amazonaws.com"))
.build();
repository.grantPullPush(role);
By using these methods, you can grant specific operational permissions on the ECR repository to IAM entities. This allows for proper management of access to the repository and ensures security.
Image tag immutability
You can set tag immutability on images in your repository using the imageTagMutability construct prop.
Repository.Builder.create(this, "Repo").imageTagMutability(TagMutability.IMMUTABLE).build();
Image tag mutability with exclusion filters
ECR supports more granular control over image tag mutability by allowing you to specify exclusion filters. This enables you to make your repository immutable while allowing specific tag patterns to remain mutable (or vice versa).
There are two new mutability options that work with exclusion filters:
MUTABLE_WITH_EXCLUSION: Tags are mutable by default, except those matching the exclusion filtersIMMUTABLE_WITH_EXCLUSION: Tags are immutable by default, except those matching the exclusion filters
Use ImageTagMutabilityExclusionFilter.wildcard() to create filters with wildcard patterns:
// Make all tags immutable except for those starting with 'dev-' or 'test-'
// Make all tags immutable except for those starting with 'dev-' or 'test-'
Repository.Builder.create(this, "Repo")
.imageTagMutability(TagMutability.IMMUTABLE_WITH_EXCLUSION)
.imageTagMutabilityExclusionFilters(List.of(ImageTagMutabilityExclusionFilter.wildcard("dev-*"), ImageTagMutabilityExclusionFilter.wildcard("test-*")))
.build();
// Make all tags mutable except for production releases
// Make all tags mutable except for production releases
Repository.Builder.create(this, "Repo")
.imageTagMutability(TagMutability.MUTABLE_WITH_EXCLUSION)
.imageTagMutabilityExclusionFilters(List.of(ImageTagMutabilityExclusionFilter.wildcard("prod-*"), ImageTagMutabilityExclusionFilter.wildcard("release-v*")))
.build();
Exclusion filter pattern rules
- Patterns can contain alphanumeric characters, dots (.), underscores (_), hyphens (-), and asterisks (*) as wildcards
- Maximum pattern length is 128 characters
- You can specify up to 5 exclusion filters per repository
Encryption
By default, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES-256 encryption algorithm. For more control over the encryption for your Amazon ECR repositories, you can use server-side encryption with KMS keys stored in AWS Key Management Service (AWS KMS). Read more about this feature in the ECR Developer Guide.
When you use AWS KMS to encrypt your data, you can either use the default AWS managed key, which is managed by Amazon ECR, by specifying RepositoryEncryption.KMS in the encryption property. Or specify your own customer managed KMS key, by specifying the encryptionKey property.
When encryptionKey is set, the encryption property must be KMS or empty.
In the case encryption is set to KMS but no encryptionKey is set, an AWS managed KMS key is used.
Repository.Builder.create(this, "Repo")
.encryption(RepositoryEncryption.KMS)
.build();
Otherwise, a customer-managed KMS key is used if encryptionKey was set and encryption was optionally set to KMS.
import software.amazon.awscdk.services.kms.*;
Repository.Builder.create(this, "Repo")
.encryptionKey(new Key(this, "Key"))
.build();
Automatically clean up repositories
You can set life cycle rules to automatically clean up old images from your repository. The first life cycle rule that matches an image will be applied against that image. For example, the following deletes images older than 30 days, while keeping all images tagged with prod (note that the order is important here):
Repository repository;
repository.addLifecycleRule(LifecycleRule.builder().tagPrefixList(List.of("prod")).maxImageCount(9999).build());
repository.addLifecycleRule(LifecycleRule.builder().maxImageAge(Duration.days(30)).build());
When using tagPatternList, an image is successfully matched if it matches
the wildcard filter.
Repository repository;
repository.addLifecycleRule(LifecycleRule.builder().tagPatternList(List.of("prod*")).maxImageCount(9999).build());
Repository deletion
When a repository is removed from a stack (or the stack is deleted), the ECR
repository will be removed according to its removal policy (which by default will
simply orphan the repository and leave it in your AWS account). If the removal
policy is set to RemovalPolicy.DESTROY, the repository will be deleted as long
as it does not contain any images.
To override this and force all images to get deleted during repository deletion,
enable the emptyOnDelete option as well as setting the removal policy to
RemovalPolicy.DESTROY.
Repository repository = Repository.Builder.create(this, "MyTempRepo")
.removalPolicy(RemovalPolicy.DESTROY)
.emptyOnDelete(true)
.build();
Managing the Resource Policy
You can add statements to the resource policy of the repository using the
addToResourcePolicy method. However, be advised that you must not include
a resources section in the PolicyStatement.
Repository repository;
repository.addToResourcePolicy(PolicyStatement.Builder.create()
.actions(List.of("ecr:GetDownloadUrlForLayer"))
// resources: ['*'], // not currently allowed!
.principals(List.of(new AnyPrincipal()))
.build());
Import existing repository
You can import an existing repository into your CDK app using the Repository.fromRepositoryArn, Repository.fromRepositoryName or Repository.fromLookup method.
These methods take the ARN or the name of the repository and returns an IRepository object.
// import using repository name
IRepository repositoryFromName = Repository.fromRepositoryName(this, "ImportedRepoByName", "my-repo-name");
// import using repository ARN
IRepository repositoryFromArn = Repository.fromRepositoryArn(this, "ImportedRepoByArn", "arn:aws:ecr:us-east-1:123456789012:repository/my-repo-name");
// import using repository lookup
// You have to provide either `repositoryArn` or `repositoryName` to lookup the repository
IRepository repositoryFromLookup = Repository.fromLookup(this, "ImportedRepoByLookup", RepositoryLookupOptions.builder()
.repositoryArn("arn:aws:ecr:us-east-1:123456789012:repository/my-repo-name")
.repositoryName("my-repo-name")
.build());
CloudWatch event rules
You can publish repository events to a CloudWatch event rule with onEvent:
import software.amazon.awscdk.services.lambda.*;
import software.amazon.awscdk.services.events.targets.LambdaFunction;
Repository repo = new Repository(this, "Repo");
Function lambdaHandler = Function.Builder.create(this, "LambdaFunction")
.runtime(Runtime.PYTHON_3_12)
.code(Code.fromInline("# dummy func"))
.handler("index.handler")
.build();
repo.onEvent("OnEventTargetLambda", OnEventOptions.builder()
.target(new LambdaFunction(lambdaHandler))
.build());
-
ClassDescriptionAuthorization token to access private ECR repositories in the current environment via Docker CLI.The
AWS::ECR::PublicRepositoryresource specifies an Amazon Elastic Container Registry Public (Amazon ECR Public) repository, where users can push and pull Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts.A fluent builder forCfnPublicRepository.The details about the repository that are publicly visible in the Amazon ECR Public Gallery.A builder forCfnPublicRepository.RepositoryCatalogDataPropertyAn implementation forCfnPublicRepository.RepositoryCatalogDataPropertyProperties for defining aCfnPublicRepository.A builder forCfnPublicRepositoryPropsAn implementation forCfnPublicRepositoryPropsTheAWS::ECR::PullThroughCacheRuleresource creates or updates a pull through cache rule.A fluent builder forCfnPullThroughCacheRule.Properties for defining aCfnPullThroughCacheRule.A builder forCfnPullThroughCacheRulePropsAn implementation forCfnPullThroughCacheRulePropsResource Type definition for AWS::ECR::PullTimeUpdateExclusion controls the exclusion configuration for ecr image pull time update.A fluent builder forCfnPullTimeUpdateExclusion.Properties for defining aCfnPullTimeUpdateExclusion.A builder forCfnPullTimeUpdateExclusionPropsAn implementation forCfnPullTimeUpdateExclusionPropsTheAWS::ECR::RegistryPolicyresource creates or updates the permissions policy for a private registry.A fluent builder forCfnRegistryPolicy.Properties for defining aCfnRegistryPolicy.A builder forCfnRegistryPolicyPropsAn implementation forCfnRegistryPolicyPropsThe scanning configuration for a private registry.A fluent builder forCfnRegistryScanningConfiguration.The filter settings used with image replication.An implementation forCfnRegistryScanningConfiguration.RepositoryFilterPropertyThe scanning rules associated with the registry.A builder forCfnRegistryScanningConfiguration.ScanningRulePropertyAn implementation forCfnRegistryScanningConfiguration.ScanningRulePropertyProperties for defining aCfnRegistryScanningConfiguration.A builder forCfnRegistryScanningConfigurationPropsAn implementation forCfnRegistryScanningConfigurationPropsTheAWS::ECR::ReplicationConfigurationresource creates or updates the replication configuration for a private registry.A fluent builder forCfnReplicationConfiguration.The replication configuration for a registry.An implementation forCfnReplicationConfiguration.ReplicationConfigurationPropertyAn array of objects representing the destination for a replication rule.An implementation forCfnReplicationConfiguration.ReplicationDestinationPropertyAn array of objects representing the replication destinations and repository filters for a replication configuration.A builder forCfnReplicationConfiguration.ReplicationRulePropertyAn implementation forCfnReplicationConfiguration.ReplicationRulePropertyThe filter settings used with image replication.A builder forCfnReplicationConfiguration.RepositoryFilterPropertyAn implementation forCfnReplicationConfiguration.RepositoryFilterPropertyProperties for defining aCfnReplicationConfiguration.A builder forCfnReplicationConfigurationPropsAn implementation forCfnReplicationConfigurationPropsTheAWS::ECR::Repositoryresource specifies an Amazon Elastic Container Registry (Amazon ECR) repository, where users can push and pull Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts.A fluent builder forCfnRepository.The encryption configuration for the repository.A builder forCfnRepository.EncryptionConfigurationPropertyAn implementation forCfnRepository.EncryptionConfigurationPropertyThe image scanning configuration for a repository.A builder forCfnRepository.ImageScanningConfigurationPropertyAn implementation forCfnRepository.ImageScanningConfigurationPropertyA filter that specifies which image tags should be excluded from the repository's image tag mutability setting.A builder forCfnRepository.ImageTagMutabilityExclusionFilterPropertyAn implementation forCfnRepository.ImageTagMutabilityExclusionFilterPropertyTheLifecyclePolicyproperty type specifies a lifecycle policy.A builder forCfnRepository.LifecyclePolicyPropertyAn implementation forCfnRepository.LifecyclePolicyPropertyThe details of the repository creation template associated with the request.A fluent builder forCfnRepositoryCreationTemplate.The encryption configuration for the repository.An implementation forCfnRepositoryCreationTemplate.EncryptionConfigurationPropertyA filter that specifies which image tags should be excluded from the repository's image tag mutability setting.An implementation forCfnRepositoryCreationTemplate.ImageTagMutabilityExclusionFilterPropertyProperties for defining aCfnRepositoryCreationTemplate.A builder forCfnRepositoryCreationTemplatePropsAn implementation forCfnRepositoryCreationTemplatePropsProperties for defining aCfnRepository.A builder forCfnRepositoryPropsAn implementation forCfnRepositoryPropsThe signing configuration for a registry, which specifies rules for automatically signing images when pushed.A fluent builder forCfnSigningConfiguration.A repository filter used to determine which repositories have their images automatically signed on push.A builder forCfnSigningConfiguration.RepositoryFilterPropertyAn implementation forCfnSigningConfiguration.RepositoryFilterPropertyA signing rule that specifies a signing profile and optional repository filters.A builder forCfnSigningConfiguration.RulePropertyAn implementation forCfnSigningConfiguration.RulePropertyProperties for defining aCfnSigningConfiguration.A builder forCfnSigningConfigurationPropsAn implementation forCfnSigningConfigurationPropsRepresents an image tag mutability exclusion filter for ECR repository.Represents an ECR repository.Internal default implementation forIRepository.A proxy class which represents a concrete javascript instance of this type.An ECR life cycle rule.A builder forLifecycleRuleAn implementation forLifecycleRuleOptions for the onCloudTrailImagePushed method.A builder forOnCloudTrailImagePushedOptionsAn implementation forOnCloudTrailImagePushedOptionsOptions for the OnImageScanCompleted method.A builder forOnImageScanCompletedOptionsAn implementation forOnImageScanCompletedOptionsAuthorization token to access the global public ECR Gallery via Docker CLI.Define an ECR repository.A fluent builder forRepository.Example:A builder forRepositoryAttributesAn implementation forRepositoryAttributesBase class for ECR repository.Indicates whether server-side encryption is enabled for the object, and whether that encryption is from the AWS Key Management Service (AWS KMS) or from Amazon S3 managed encryption (SSE-S3).Properties for looking up an existing Repository.A builder forRepositoryLookupOptionsAn implementation forRepositoryLookupOptionsExample:A builder forRepositoryPropsAn implementation forRepositoryPropsThe tag mutability setting for your repository.Select images based on tags.