- Docker on Amazon Web Services
- Justin Menga
- 2025-02-17 05:10:19
Understanding ECR
Before we get started creating and configuring ECR repositories, it is important to provide a brief introduction to the core concepts of ECR.
ECR is a fully-managed private Docker registry provided by AWS and offers tight integration with ECS and other AWS services. ECR consists of a number of components, as shown in the following diagram:

ECR architecture
The core components of ECR include:
- Repositories: A repository stores all versions of a given Docker image. Each repository is configured with a name and URI, which is unique to your AWS account and region.
- Permissions: Each repository includes permissions that allow you to grant access for various ECR operations, such as pushing or pulling Docker images.
- Lifecycle policy: Each repository can be configured with an optional lifecycle policy, which can be used to clean up orphaned Docker images that have been superseded by newer versions, or remove older Docker images that you may no longer use.
- Authentication service: ECR includes an authentication service with a token service that exchanges your IAM credentials for a temporary authentication token compatible with the Docker client authentication process.
It's also important to consider the consumers of ECR. As shown in the previous diagram, these include:
- Docker clients in the same local AWS account as your repositories: This would most commonly include ECS container instances running in ECS clusters.
- Docker clients in a different AWS account from your repositories: This is a common scenario for larger organizations, and again would typically include ECS container instances running in ECS clusters in remote accounts.
- Docker clients used by AWS services: Some AWS services can utilize your own Docker images published in ECR, such as the AWS CodeBuild service.
At the time of writing this book, ECR is only offered as a private registry - meaning that if you want to publish your Docker images publicly, then ECR is not the correct solution for you, at least in terms of publishing your public Docker images.
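The repository permissions and cross-account consumers described above meet in the repository policy. The following is an added example, not code from the book: it builds a pull-only policy for remote accounts and audits an existing policy for grants broader than that. The function names and account IDs are constructed for illustration, and it assumes the owning account's push access is granted through IAM identity policies rather than the repository policy.

```python
# Actions a Docker client needs to pull an image from an ECR repository.
PULL_ACTIONS = {"ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"}

def _listify(value):
    return value if isinstance(value, list) else [value]

def pull_only_policy(account_ids):
    """Build a repository policy that lets the given accounts pull and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountPull",
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in sorted(account_ids)]},
            "Action": sorted(PULL_ACTIONS),
        }],
    }

def audit_repository_policy(policy, pull_accounts):
    """Return findings for Allow statements broader than pull access for pull_accounts."""
    findings = []
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # Principal is "*", or a dict such as {"AWS": ...} or {"Service": ...}.
        arns = ["*"] if principal == "*" else _listify(principal.get("AWS", []))
        for arn in arns:
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account == "*":
                findings.append(f"{sid}: any AWS principal is allowed")
            elif account not in pull_accounts:
                findings.append(f"{sid}: unexpected account {account}")
        extra = [a for a in _listify(stmt.get("Action", [])) if a not in PULL_ACTIONS]
        if arns and extra:
            findings.append(f"{sid}: non-pull actions granted: {', '.join(sorted(extra))}")
    return findings

# Constructed sample: a policy that is too broad for a pull-only consumer account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Everyone", "Effect": "Allow", "Principal": "*", "Action": "ecr:BatchGetImage"},
        {"Sid": "Remote", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": ["ecr:*"]},
    ],
}
```

Service principals, such as the one a service like AWS CodeBuild would use, are not evaluated by this audit; only `AWS` principals and the `*` wildcard are checked.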