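amazon-ecr-credential-helper is a tool that makes the AWS ECR image registry convenient to use. Download the source, compile the binary, and add a configuration file, and docker pull/push works at any time; there is no need to run aws ecr get-login --no-include-email --region cn-northwest-1|sh every 12h to refresh the credentials token before docker push/pull to AWS ECR can run.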
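Each time a docker pull/push command runs, amazon-ecr-credential-helper automatically derives information such as the account_id from the image URL, obtains the latest token, and uses it from its cache, which is more secure than the docker login approach.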
-
Prerequisite
You also must have AWS credentials available in one of the standard locations:
- The ~/.aws/credentials file
- The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
- An IAM role for Amazon EC2
- If you are working with an assumed role please set the environment variable: AWS_SDK_LOAD_CONFIG=true also.
PS: For the setup, refer to the AWS ECR usage guide
-
Installing
Download the amazon-ecr-credential-helper source code
[root@aws-172-20-20-101 aws]# git clone https://github.com/awslabs/amazon-ecr-credential-helper.git
正克隆到 'amazon-ecr-credential-helper'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 1811 (delta 4), reused 13 (delta 2), pack-reused 1789
接收對象中: 100% (1811/1811), 1.62 MiB | 32.00 KiB/s, done.
處理 delta 中: 100% (790/790), done.
Run make docker to build the binary
[root@aws-172-20-20-101 aws]# cd amazon-ecr-credential-helper/
[root@aws-172-20-20-101 amazon-ecr-credential-helper]# ls
buildspec.yml CHANGELOG.md CODE_OF_CONDUCT.md CONTRIBUTING.md Dockerfile docs ecr-login LICENSE Makefile NOTICE README.md scripts THIRD-PARTY-LICENSES VERSION
[root@aws-172-20-20-101 amazon-ecr-credential-helper]# make docker
mkdir -p bin
docker run --rm \
-e TARGET_GOOS= \
-e TARGET_GOARCH= \
-v '/root/workspace/packages/aws/amazon-ecr-credential-helper/bin':/go/src/github.com/awslabs/amazon-ecr-credential-helper/bin \
sha256:4da3e3c12e7b4d30e19430c4039266e072254cc6a1b0eec199c13473d0a9a8c0
git rev-parse --short=7 HEAD > GITCOMMIT_SHA
. ./scripts/shared_env && ./scripts/build_binary.sh ./bin/local 0.3.0 cb0befd
Built ecr-login
[root@aws-172-20-20-101 amazon-ecr-credential-helper]# cd bin/local/
[root@aws-172-20-20-101 local]# ls
docker-credential-ecr-login
Copy docker-credential-ecr-login to a directory on $PATH
[root@aws-172-20-20-101 local]# cp docker-credential-ecr-login /usr/local/bin/
[root@aws-172-20-20-101 local]# ls /usr/local/bin/
docker-credential-ecr-login
-
Configuration
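Set up the configuration file
If you only use the ECR registry under the account configured in ~/.aws/credentials, editing ~/.docker/config.json as follows is enough; however, pulling images from other registries will then produce errors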
[root@aws-172-20-20-101 local]# cat ~/.docker/config.json
{
  "credsStore": "ecr-login"
}
It is recommended to configure ~/.docker/config.json for the specific registry instead, replacing $account_id & $region with your own values
[root@aws-172-20-20-101 local]# cat ~/.docker/config.json
{
  "credHelpers": {
    "xxxxx0252.dkr.ecr.xxxxxx.amazonaws.com.cn": "ecr-login"
  }
}
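An added example, not from the original post or the amazon-ecr-credential-helper project: a Python check of a parsed ~/.docker/config.json for the configuration choices described above (global credsStore versus per-registry credHelpers, and tokens left behind by docker login). The hostname pattern, the function names parse_ecr_host and audit, and the sample account ID and token are assumptions made for illustration.

```python
import re
import shutil

# Assumption: private ECR hosts look like <12-digit account>.dkr.ecr.<region>.amazonaws.com[.cn]
ECR_HOST = re.compile(r"^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com(?:\.cn)?$")

def parse_ecr_host(key):
    """Return (account_id, region) if key names a private ECR registry, else None."""
    host = re.sub(r"^https?://", "", key).split("/")[0]
    m = ECR_HOST.match(host)
    return (m.group(1), m.group(2)) if m else None

def audit(config, which=shutil.which):
    """Return (severity, message) findings for a parsed ~/.docker/config.json."""
    findings = []
    store = config.get("credsStore")
    helpers = config.get("credHelpers", {})
    if store == "ecr-login":
        findings.append(("warn", "credsStore routes every registry to ecr-login; "
                                 "prefer a per-registry credHelpers entry"))
    for key, helper in helpers.items():
        # credHelpers keys are matched as bare hostnames: no scheme, no path
        if helper == "ecr-login" and (parse_ecr_host(key) is None or "/" in key):
            findings.append(("error", f"credHelpers key {key!r} is not a bare ECR hostname"))
    for name in sorted({store, *helpers.values()} - {None}):
        if which(f"docker-credential-{name}") is None:
            findings.append(("error", f"docker-credential-{name} is not on PATH"))
    for key, entry in config.get("auths", {}).items():
        # docker login without a helper leaves base64(user:token) in this field
        if entry.get("auth") and parse_ecr_host(key):
            findings.append(("warn", f"static ECR token for {key!r} stored in config.json"))
    return findings

# Constructed sample: the account ID and the token value are made up
HOST = "123456789012.dkr.ecr.cn-northwest-1.amazonaws.com.cn"
SAMPLE = {
    "credsStore": "ecr-login",
    "credHelpers": {
        HOST: "ecr-login",
        "https://" + HOST: "ecr-login",
    },
    "auths": {HOST: {"auth": "QVdTOmV4YW1wbGU="}},
}

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"{severity:5} {message}")
```

To check a real client configuration, pass the result of json.load on ~/.docker/config.json to audit.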
-
Usage
[root@aws-172-20-20-101 local]# docker pull xxxxxx.dkr.ecr.xxxxxx.amazonaws.com.cn/k8s-mirror:kube-proxy-amd64-v1.13.7
kube-proxy-amd64-v1.13.7: Pulling from k8s-mirror
Digest: sha256:0a52386e8929ef4bc8080e31135b7b92eeeac5dc5c921fddd3f6cada7a839fb1
Status: Image is up to date for xxxxxx.dkr.ecr.xxxxx.amazonaws.com.cn/k8s-mirror:kube-proxy-amd64-v1.13.7