how to use amazon-ecr-credential

Author: 骆的沙 | Published: 2019-06-21 15:12

    github registry

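    amazon-ecr-credential-helper is a tool that makes the AWS ECR image registry convenient to use. Download the source, build the binary, and add a configuration file, and docker pull/push works at any time. You no longer need to run aws ecr get-login --no-include-email --region cn-northwest-1|sh every 12h to refresh the credentials token before you can docker push/pull against AWS ECR.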

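    Each time a docker pull/push command runs, amazon-ecr-credential-helper automatically derives the account_id and related information from the image URL, then obtains the latest token and uses it from its cache. This is safer than using docker login.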

    • Prerequisite

    You also must have AWS credentials available in one of the standard locations:

    • The ~/.aws/credentials file
    • The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
    • An IAM role for Amazon EC2
    • If you are working with an assumed role, also set the environment variable AWS_SDK_LOAD_CONFIG=true.

    PS: for how to set these up, see the AWS ECR usage guide.

    • Installing

    Download the amazon-ecr-credential-helper source:

    [root@aws-172-20-20-101 aws]# git clone https://github.com/awslabs/amazon-ecr-credential-helper.git
    正克隆到 'amazon-ecr-credential-helper'...
    remote: Enumerating objects: 22, done.
    remote: Counting objects: 100% (22/22), done.
    remote: Compressing objects: 100% (20/20), done.
    remote: Total 1811 (delta 4), reused 13 (delta 2), pack-reused 1789
    接收对象中: 100% (1811/1811), 1.62 MiB | 32.00 KiB/s, done.
    处理 delta 中: 100% (790/790), done.
    

    Run make docker to build the binary:

    [root@aws-172-20-20-101 aws]# cd amazon-ecr-credential-helper/
    [root@aws-172-20-20-101 amazon-ecr-credential-helper]# ls
    buildspec.yml  CHANGELOG.md  CODE_OF_CONDUCT.md  CONTRIBUTING.md  Dockerfile  docs  ecr-login  LICENSE  Makefile  NOTICE  README.md  scripts  THIRD-PARTY-LICENSES  VERSION
    
    [root@aws-172-20-20-101 amazon-ecr-credential-helper]# make docker
    mkdir -p bin
    docker run --rm \
    -e TARGET_GOOS= \
    -e TARGET_GOARCH= \
    -v '/root/workspace/packages/aws/amazon-ecr-credential-helper/bin':/go/src/github.com/awslabs/amazon-ecr-credential-helper/bin \
    sha256:4da3e3c12e7b4d30e19430c4039266e072254cc6a1b0eec199c13473d0a9a8c0
    git rev-parse --short=7 HEAD > GITCOMMIT_SHA
    . ./scripts/shared_env && ./scripts/build_binary.sh ./bin/local 0.3.0 cb0befd
    Built ecr-login
    
    [root@aws-172-20-20-101 amazon-ecr-credential-helper]# cd bin/local/
    [root@aws-172-20-20-101 local]# ls
    docker-credential-ecr-login
    

    Copy docker-credential-ecr-login to a directory on $PATH:

    [root@aws-172-20-20-101 local]# cp docker-credential-ecr-login /usr/local/bin/
    [root@aws-172-20-20-101 local]# ls /usr/local/bin/
    docker-credential-ecr-login 
    
    • Configuration

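    Set up the configuration file.
    If you only use the ECR registry of the account configured in ~/.aws/credentials, editing ~/.docker/config.json as follows is enough. Note, however, that pulling images from other registries will then report errors.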

    [root@aws-172-20-20-101 local]# cat ~/.docker/config.json
    {
      "credsStore": "ecr-login"
    }
    

    It is recommended to configure ~/.docker/config.json for the specific registry instead, replacing $account_id and $region:

    [root@aws-172-20-20-101 local]# cat ~/.docker/config.json
    {
      "credHelpers": {
        "xxxxx0252.dkr.ecr.xxxxxx.amazonaws.com.cn": "ecr-login"
      }
    }
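
An added example (not from the original post or from the amazon-ecr-credential-helper project): a Python check of a parsed ~/.docker/config.json against the configuration advice above. The hostname pattern, the function names and the sample account ID are assumptions of this example.

```python
import json
import re

# Simplified pattern for ECR registry hostnames (an assumption of this example,
# not the helper's own parser): <12-digit account>.dkr.ecr.<region>.amazonaws.com[.cn]
ECR_HOST = re.compile(r"^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com(\.cn)?$")


def parse_ecr_host(host):
    """Return (account_id, region) for an ECR registry hostname, else None."""
    m = ECR_HOST.match(host)
    return (m.group(1), m.group(2)) if m else None


def audit_docker_config(config):
    """Return a list of findings for a parsed ~/.docker/config.json."""
    findings = []
    if config.get("credsStore") == "ecr-login":
        findings.append("credsStore: every registry is routed to ecr-login; "
                        "pulls from other registries report errors, prefer credHelpers")
    for host, helper in config.get("credHelpers", {}).items():
        if helper == "ecr-login" and parse_ecr_host(host) is None:
            findings.append(f"credHelpers: {host!r} is not a valid ECR host "
                            "(placeholder not replaced?)")
    for host, entry in config.get("auths", {}).items():
        # docker login without a helper leaves a base64 user:token pair here
        name = host.split("://")[-1].split("/")[0]
        if parse_ecr_host(name) and entry.get("auth"):
            findings.append(f"auths: token stored on disk for {name}; "
                            "delete the stale entry")
    return findings


# Constructed sample config (account ID, region and token are made up)
SAMPLE = json.loads("""
{
  "credsStore": "ecr-login",
  "credHelpers": {
    "123456789012.dkr.ecr.cn-northwest-1.amazonaws.com.cn": "ecr-login",
    "$account_id.dkr.ecr.$region.amazonaws.com.cn": "ecr-login"
  },
  "auths": {
    "https://123456789012.dkr.ecr.cn-northwest-1.amazonaws.com.cn": {"auth": "QVdTOmNvbnN0cnVjdGVk"}
  }
}
""")

if __name__ == "__main__":
    for finding in audit_docker_config(SAMPLE):
        print(finding)
```
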
    
    • Usage

    [root@aws-172-20-20-101 local]# docker pull xxxxxx.dkr.ecr.xxxxxx.amazonaws.com.cn/k8s-mirror:kube-proxy-amd64-v1.13.7
    kube-proxy-amd64-v1.13.7: Pulling from k8s-mirror
    Digest: sha256:0a52386e8929ef4bc8080e31135b7b92eeeac5dc5c921fddd3f6cada7a839fb1
    Status: Image is up to date for xxxxxx.dkr.ecr.xxxxx.amazonaws.com.cn/k8s-mirror:kube-proxy-amd64-v1.13.7
    

    Article link: https://www.haomeiwen.com/subject/coyyqctx.html