Amazon ECR Construct Library
This package contains constructs for working with Amazon Elastic Container Registry.
Repositories
Define a repository by creating a new instance of Repository
. A repository
holds multiple versions of a single container image.
repository = ecr.Repository(self, "Repository")
Image scanning
Amazon ECR image scanning helps in identifying software vulnerabilities in your container images.
You can manually scan container images stored in Amazon ECR, or you can configure your repositories
to scan images when you push them to a repository. To create a new repository to scan on push, simply
enable imageScanOnPush
in the properties.
repository = ecr.Repository(self, "Repo",
image_scan_on_push=True
)
To create an onImageScanCompleted
event rule and trigger the event target
# repository: ecr.Repository
# target: SomeTarget
repository.on_image_scan_completed("ImageScanComplete").add_target(target)
Other Grantee
grantPush
The grantPush method grants the specified IAM entity (the grantee) permission to push images to the ECR repository. Specifically, it grants permissions for the following actions:
‘ecr:CompleteLayerUpload’
‘ecr:UploadLayerPart’
‘ecr:InitiateLayerUpload’
‘ecr:BatchCheckLayerAvailability’
‘ecr:PutImage’
‘ecr:GetAuthorizationToken’
Here is an example of granting a user push permissions:
# repository: ecr.Repository
role = iam.Role(self, "Role",
assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com")
)
repository.grant_push(role)
grantPull
The grantPull method grants the specified IAM entity (the grantee) permission to pull images from the ECR repository. Specifically, it grants permissions for the following actions:
‘ecr:BatchCheckLayerAvailability’
‘ecr:GetDownloadUrlForLayer’
‘ecr:BatchGetImage’
‘ecr:GetAuthorizationToken’
# repository: ecr.Repository
role = iam.Role(self, "Role",
assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com")
)
repository.grant_pull(role)
grantPullPush
The grantPullPush method grants the specified IAM entity (the grantee) permission to both pull and push images from/to the ECR repository. Specifically, it grants permissions for all the actions required for pull and push permissions.
Here is an example of granting a user both pull and push permissions:
# repository: ecr.Repository
role = iam.Role(self, "Role",
assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com")
)
repository.grant_pull_push(role)
By using these methods, you can grant specific operational permissions on the ECR repository to IAM entities. This allows for proper management of access to the repository and ensures security.
Image tag immutability
You can set tag immutability on images in our repository using the imageTagMutability
construct prop.
ecr.Repository(self, "Repo", image_tag_mutability=ecr.TagMutability.IMMUTABLE)
Encryption
By default, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts your data at rest using an AES-256 encryption algorithm. For more control over the encryption for your Amazon ECR repositories, you can use server-side encryption with KMS keys stored in AWS Key Management Service (AWS KMS). Read more about this feature in the ECR Developer Guide.
When you use AWS KMS to encrypt your data, you can either use the default AWS managed key, which is managed by Amazon ECR, by specifying RepositoryEncryption.KMS
in the encryption
property. Or specify your own customer managed KMS key, by specifying the encryptionKey
property.
When encryptionKey
is set, the encryption
property must be KMS
or empty.
In the case encryption
is set to KMS
but no encryptionKey
is set, an AWS managed KMS key is used.
ecr.Repository(self, "Repo",
encryption=ecr.RepositoryEncryption.KMS
)
Otherwise, a customer-managed KMS key is used if encryptionKey
was set and encryption
was optionally set to KMS
.
import aws_cdk.aws_kms as kms
ecr.Repository(self, "Repo",
encryption_key=kms.Key(self, "Key")
)
Automatically clean up repositories
You can set life cycle rules to automatically clean up old images from your repository. The first life cycle rule that matches an image will be applied against that image. For example, the following deletes images older than 30 days, while keeping all images tagged with prod (note that the order is important here):
# repository: ecr.Repository
repository.add_lifecycle_rule(tag_prefix_list=["prod"], max_image_count=9999)
repository.add_lifecycle_rule(max_image_age=Duration.days(30))
When using tagPatternList
, an image is successfully matched if it matches
the wildcard filter.
# repository: ecr.Repository
repository.add_lifecycle_rule(tag_pattern_list=["prod*"], max_image_count=9999)
Repository deletion
When a repository is removed from a stack (or the stack is deleted), the ECR
repository will be removed according to its removal policy (which by default will
simply orphan the repository and leave it in your AWS account). If the removal
policy is set to RemovalPolicy.DESTROY
, the repository will be deleted as long
as it does not contain any images.
To override this and force all images to get deleted during repository deletion,
enable the emptyOnDelete
option as well as setting the removal policy to
RemovalPolicy.DESTROY
.
repository = ecr.Repository(self, "MyTempRepo",
removal_policy=RemovalPolicy.DESTROY,
empty_on_delete=True
)
Managing the Resource Policy
You can add statements to the resource policy of the repository using the
addToResourcePolicy
method. However, be advised that you must not include
a resources
section in the PolicyStatement
.
# repository: ecr.Repository
repository.add_to_resource_policy(iam.PolicyStatement(
actions=["ecr:GetDownloadUrlForLayer"],
# resources: ['*'], // not currently allowed!
principals=[iam.AnyPrincipal()]
))
CloudWatch event rules
You can publish repository events to a CloudWatch event rule with onEvent
:
import aws_cdk.aws_lambda as lambda_
from aws_cdk.aws_events_targets import LambdaFunction
repo = ecr.Repository(self, "Repo")
lambda_handler = lambda_.Function(self, "LambdaFunction",
runtime=lambda_.Runtime.PYTHON_3_12,
code=lambda_.Code.from_inline("# dummy func"),
handler="index.handler"
)
repo.on_event("OnEventTargetLambda",
target=LambdaFunction(lambda_handler)
)