CreatePullThroughCacheRule

Creates a pull through cache rule. A pull through cache rule provides a way to cache images from an upstream registry source in your Amazon ECR private registry. For more information, see Using pull through cache rules in the Amazon Elastic Container Registry User Guide.

Request Syntax

{
   "credentialArn": "string",
   "ecrRepositoryPrefix": "string",
   "registryId": "string",
   "upstreamRegistry": "string",
   "upstreamRegistryUrl": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

credentialArn

The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that identifies the credentials to authenticate to the upstream registry.

Type: String

Length Constraints: Minimum length of 50. Maximum length of 612.

Pattern: ^arn:aws:secretsmanager:[a-zA-Z0-9-:]+:secret:ecr\-pullthroughcache\/[a-zA-Z0-9\/_+=.@-]+$

Required: No

ecrRepositoryPrefix

The repository name prefix to use when caching images from the source registry.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 30.

Pattern: (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*

Required: Yes

registryId

The AWS account ID associated with the registry to create the pull through cache rule for. If you do not specify a registry, the default registry is assumed.

Type: String

Pattern: [0-9]{12}

Required: No

upstreamRegistry

The name of the upstream registry.

Type: String

Valid Values: ecr-public | quay | k8s | docker-hub | github-container-registry | azure-container-registry | gitlab-container-registry

Required: No

upstreamRegistryUrl

The registry URL of the upstream public registry to use as the source for the pull through cache rule. The following is the syntax to use for each supported upstream registry.

• Amazon ECR Public (ecr-public) - public.ecr.aws

• Docker Hub (docker-hub) - registry-1.docker.io

• Quay (quay) - quay.io

• Kubernetes (k8s) - registry.k8s.io

• GitHub Container Registry (github-container-registry) - ghcr.io

• Microsoft Azure Container Registry (azure-container-registry) - <custom>.azurecr.io

Type: String

Required: Yes

Response Syntax

{
   "createdAt": number,
   "credentialArn": "string",
   "ecrRepositoryPrefix": "string",
   "registryId": "string",
   "upstreamRegistry": "string",
   "upstreamRegistryUrl": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

createdAt

The date and time, in JavaScript date format, when the pull through cache rule was created.

Type: Timestamp

credentialArn

The Amazon Resource Name (ARN) of the AWS Secrets Manager secret associated with the pull through cache rule.

Type: String

Length Constraints: Minimum length of 50. Maximum length of 612.

Pattern: ^arn:aws:secretsmanager:[a-zA-Z0-9-:]+:secret:ecr\-pullthroughcache\/[a-zA-Z0-9\/_+=.@-]+$

ecrRepositoryPrefix

The Amazon ECR repository prefix associated with the pull through cache rule.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 30.

Pattern: (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*

registryId

The registry ID associated with the request.

Type: String

Pattern: [0-9]{12}

upstreamRegistry

The name of the upstream registry associated with the pull through cache rule.

Type: String

Valid Values: ecr-public | quay | k8s | docker-hub | github-container-registry | azure-container-registry | gitlab-container-registry

upstreamRegistryUrl

The upstream registry URL associated with the pull through cache rule.

Type: String

Errors

For information about the errors that are common to all actions, see Common Errors.

InvalidParameterException

The specified parameter is invalid. Review the available parameters for the API request.

HTTP Status Code: 400

LimitExceededException

The operation did not succeed because it would have exceeded a service limit for your account. For more information, see Amazon ECR service quotas in the Amazon Elastic Container Registry User Guide.

HTTP Status Code: 400

PullThroughCacheRuleAlreadyExistsException

A pull through cache rule with these settings already exists for the private registry.

HTTP Status Code: 400

SecretNotFoundException

The ARN of the secret specified in the pull through cache rule was not found. Update the pull through cache rule with a valid secret ARN and try again.

HTTP Status Code: 400

ServerException

These errors are usually caused by a server-side issue.

HTTP Status Code: 500

UnableToAccessSecretException

The secret is unable to be accessed. Verify the resource permissions for the secret and try again.

HTTP Status Code: 400

UnableToDecryptSecretValueException

The secret is accessible but is unable to be decrypted. Verify the resource permisisons and try again.

HTTP Status Code: 400

UnsupportedUpstreamRegistryException

The specified upstream registry isn't supported.

HTTP Status Code: 400

ValidationException

There was an exception validating this request.

HTTP Status Code: 400

Examples

In the following example or examples, the Authorization header contents (AUTHPARAMS) must be replaced with an AWS Signature Version 4 signature. For more information about creating these signatures, see Signature Version 4 Signing Process in the AWS General Reference.

You only need to learn how to sign HTTP requests if you intend to manually create them. When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.

Example

This example creates a pull through cache rule for Docker Hub in the default registry for an account.

Sample Request

POST / HTTP/1.1
Host: api.ecr.us-west-2.amazonaws.com
Accept-Encoding: identity
X-Amz-Target: AmazonEC2ContainerRegistry_V20150921.CreatePullThroughCacheRule
Content-Type: application/x-amz-json-1.1
User-Agent: aws-cli/2.13.22 Python/3.11.5 Darwin/16.7.0 botocore/1.12.180
X-Amz-Date: 20231003T155747Z
Authorization: AUTHPARAMS
Content-Length: 268

{
   "ecrRepositoryPrefix":"docker_hub",
   "upstreamRegistryUrl":"registry-1.docker.io",
   "credentialArn":"arn:aws:secretsmanager:us-west-2:012345678910:secret:ECRPTCDockerHub-EXAMPLE"
}

Sample Response

HTTP/1.1 200 OK
x-amzn-RequestId: 123a4b56-7c89-01d2-3ef4-example5678f
Content-Type: application/x-amz-json-1.1
Content-Length: 180
Connection: keep-alive

{
    "ecrRepositoryPrefix": "docker_hub",
    "upstreamRegistryUrl": "registry-1.docker.io",
    "createdAt": "2023-10-03T15:57:48.411000+00:00",
    "registryId": "012345678910",
    "upstreamRegistry": "docker-hub",
    "credentialArn": "arn:aws:secretsmanager:us-west-2:012345678910:secret:ECRPTCDockerHub-EXAMPLE"
}

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface

• AWS SDK for .NET

• AWS SDK for C++

• AWS SDK for Go v2

• AWS SDK for Java V2

• AWS SDK for JavaScript V3

• AWS SDK for PHP V3

• AWS SDK for Python

• AWS SDK for Ruby V3