Using Amazon ECS with Private Container Registries

May 26, 2016 in TIL using tags aws, ecs, docker, gitlab

I’m using Amazon ECS for some of my production Docker containers. I very recently started to use the GitLab Container Registry to privately host some images and do some fun automatic build things (it’s cool, like DockerHub Automated Builds but more flexible - check it out!).

To use this private repo with Docker on ECS you need to do some extra config…

If you’ve logged into the private registry on your local machine, you’ll see the auth for it in ~/.docker/config.json; that is the value that goes into ECS_ENGINE_AUTH_DATA.

# ecs.config
ECS_ENGINE_AUTH_TYPE=dockercfg
ECS_ENGINE_AUTH_DATA={"https://index.docker.io/v1/": {"auth": "token-hash-goes-here","email": "email@example.com"}, "registry.gitlab.com": {"auth": "another-token-hash"}}

In the above example I have shown configuration for both DockerHub and GitLab.com registries - other config parameters are here.
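As an added example (not code from the original post), here is one way to build those two ecs.config lines from the contents of ~/.docker/config.json. The function name `ecs_auth_lines` and the sample credentials are constructed for illustration. It unwraps the outer "auths" object that newer Docker clients write, and refuses entries whose token is held in a credential helper rather than in the file.

```python
import base64
import binascii
import json


def ecs_auth_lines(docker_config_text, registries):
    """Build ecs.config lines from the text of a Docker client config file."""
    cfg = json.loads(docker_config_text)
    # Newer Docker clients wrap entries in "auths"; legacy ~/.dockercfg is flat.
    entries = cfg.get("auths", cfg)
    selected = {}
    for registry in registries:
        entry = entries.get(registry)
        if not isinstance(entry, dict) or not entry.get("auth"):
            # Empty entry: the token lives in a credential helper, not the file.
            raise ValueError(f"no inline auth for {registry}")
        try:
            decoded = base64.b64decode(entry["auth"], validate=True)
        except binascii.Error:
            raise ValueError(f"auth for {registry} is not valid base64")
        if b":" not in decoded:
            raise ValueError(f"auth for {registry} is not user:password")
        # Copy only the fields used in the post's ecs.config.
        selected[registry] = {k: entry[k] for k in ("auth", "email") if k in entry}
    # ecs.config is a KEY=value file, so the JSON must stay on one line.
    data = json.dumps(selected, separators=(",", ":"))
    return ["ECS_ENGINE_AUTH_TYPE=dockercfg", f"ECS_ENGINE_AUTH_DATA={data}"]


# Constructed sample input (fake credentials), shaped like ~/.docker/config.json.
SAMPLE = json.dumps({
    "auths": {
        "registry.gitlab.com": {
            "auth": base64.b64encode(b"deploy:not-a-real-token").decode()
        },
        "https://index.docker.io/v1/": {},  # token held by a credential helper
    },
    "credsStore": "desktop",
})

if __name__ == "__main__":
    print("\n".join(ecs_auth_lines(SAMPLE, ["registry.gitlab.com"])))
```

The error for an empty entry means `docker login` stored the token outside config.json, so there is nothing in the file to copy for that registry.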

The easiest way to automatically get this into your ECS environment is via EC2 User Data. Upload the file privately to S3 (it contains your registry credentials), then add an IAM policy to the ECS cluster’s role to allow the cluster’s EC2 machines access to this S3 bucket.

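#!/bin/bash
# Install the AWS CLI so the instance can read from S3 using its IAM role
yum install -y aws-cli
# Fetch the registry auth config from the private bucket
aws s3 cp s3://your-s3-bucket/ecs.config /etc/ecs/ecs.config
# Append the cluster this instance should join
echo ECS_CLUSTER=your-cluster-name >> /etc/ecs/ecs.config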

This can be used on ad-hoc instances or in Auto Scaling rules.

This is detailed in the AWS ECS docs.