Wednesday, May 20, 2020

How to setup Elastic Container Registry (ECR) for Docker on AWS | How to Create a Repo in ECR for Hosting Docker images | How to Push Docker image into Amazon ECR

Amazon Elastic Container Registry (ECR) is a fully managed container registry service provided by Amazon Web Services (AWS). It allows users to store, manage, and deploy Docker container images. Amazon ECR uses Amazon S3 for storage to make your container images highly available and accessible, allowing you to reliably deploy new containers for your applications. We will learn how to create ECR in AWS, will create a docker image and upload docker image into ECR.

What are we going to do in this lab?
1. Create a Repository in AWS ECR
2. Create an IAM role with ContainerRegistryFullAccess
3. Attach the IAM role to EC2 instance
4. Download pythonApp from Bitbucket
5. Build docker image for the Python App
6. Tag docker image
7. Login to AWS ECR using aws cli 
8. Push docker image into ECR
9. Run python app in Docker container

Create a repo in ECR 

Go to AWS console and search for ECR

Click on Create Repository

Enter name for your repo - all lower case and Click create repository

Once repo is created, choose the repo and click on view push commands. Note down the account ID

Note the URL from step # 3 below, this will be used for tagging and pushing docker images into ECR.

That's it, you have created repo successfully. Let us create docker images and push it to above repo in ECR.

Create an IAM role
You need to create an IAM role with AmazonEC2ContainerRegistryFullAccess policy.
Go to AWS console, IAM, click on Roles. create a role

Select AWS services, Click EC2, Click on Next permissions.
 Now search for AmazonEC2ContainerRegistryFullAccess policy and click

Skip on create tag.
Now give a role name and create it.

You need to assign the role to EC2 instance you have installed docker.

Go to AWS console, click on EC2, select EC2 instance, Go to Actions --> Security--> Modify IAM role.

Choose the role you have created from the dropdown.
Select the role and click on Apply.

Now Login to EC2 instance where you have installed Docker. You must be able to connect to AWS ECR through AWS CLI which can be installed by

sudo apt update && sudo apt install awscli -y

Once AWS CLI is installed, you can verify the installation:
aws --version
Now you can login to AWS ECR using CLI:
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin

Where your_acct_id is from AWS ECR in the above picture.

You must get a message says Login succeeded. Now let's build a docker image, I have already created a public repo in Bitbucket. All you need to do is perform the below command to clone my repo:

git clone; cd mydockerrepo/pythonApp

docker build . -t mypythonapp

the above command will build a docker image.


Now tag Docker image you had build
docker tag mypythonapp:latest

You can view the image you had built.

docker push
Now you should be able to login to ECR and see the images already uploaded.


How to run a Docker container from Docker image?

sudo docker run -p 8081:5000 -d --rm --name myfirstApp1

where -d is for running with detached mode.

Access the application from the browser
Access the container using browser by using public_dns_name 

How to run another Docker container from Docker image?

sudo docker run -p 8085:5000 -d --rm --name myfirstApp2

make sure you open port 8085 in AWS security firewall rule.
where -d is for running with detached mode.

 Note: You can also create a repo through CLI command in AWS ECR.
aws ecr create-repository --repository-name myawesome-repo --region us-east-1

You can watch the steps on YouTube as well:


  1. Going for a free assistance isn't pretty much as great as it might appear, since it may amazingly be confined. In any event, going for a costly help in case you are simply beginning with sites is recommendable all things considered.

  2. docker push is keeps timing out even after logging and we have the policy also.
    The client is the vm with in the same subnet and it has the role which contains the ACRfullaccess.