Amazon Elastic Container Registry (ECR)

Storing container images in Amazon ECR.

The AWS container registry is a flavor provided with the ZenML aws integration and uses to store container images.

When to use it

You should use the AWS container registry if:

one or more components of your stack need to pull or push container images.
you have access to AWS ECR. If you're not using AWS, take a look at the other .

How to deploy it

Would you like to skip ahead and deploy a full ZenML cloud stack already, including an AWS ECR container registry? Check out the, the , or for a shortcut on how to deploy & register this stack component.

The ECR registry is automatically activated once you create an AWS account. However, you'll need to create a Repository in order to push container images to it:

Go to the .
Make sure the correct region is selected on the top right.
Click on Create repository.
Create a private repository. The name of the repository depends on the or you're using in your stack.

URI format

The AWS container registry URI should have the following format:

<ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com
# Examples:
123456789.dkr.ecr.eu-west-2.amazonaws.com
987654321.dkr.ecr.ap-south-1.amazonaws.com
135792468.dkr.ecr.af-south-1.amazonaws.com

To figure out the URI for your registry:

Once you have both these values, fill in the values in this template <ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com to get your container registry URI.

How to use it

To use the AWS container registry, we need:

The ZenML aws integration installed. If you haven't done so, run
```
zenml integration install aws
```

We can then register the container registry and use it in our active stack:

zenml container-registry register <NAME> \
    --flavor=aws \
    --uri=<REGISTRY_URI>

# Add the container registry to the active stack
zenml stack update -c <NAME>

Authentication Methods

With the AWS CLI installed and set up with credentials, we'll need to log in to the container registry so Docker can pull and push images:

# Fill your REGISTRY_URI and REGION in the placeholders in the following command.
# You can find the REGION as part of your REGISTRY_URI: `<ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com`
aws ecr get-login-password --region <REGION> | docker login --username AWS --password-stdin <REGISTRY_URI>

If you don't already have an AWS Service Connector configured in your ZenML deployment, you can register one using the interactive CLI command. You have the option to configure an AWS Service Connector that can be used to access an ECR registry or even more than one type of AWS resource:

zenml service-connector register --type aws -i

zenml service-connector register <CONNECTOR_NAME> --type aws --resource-type docker-registry --auto-configure

Example Command Output

$ zenml service-connector register aws-us-east-1 --type aws --resource-type docker-registry --auto-configure
⠸ Registering service connector 'aws-us-east-1'...
Successfully registered service connector `aws-us-east-1` with access to the following resources:
┏━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃   RESOURCE TYPE    │ RESOURCE NAMES                               ┃
┠────────────────────┼──────────────────────────────────────────────┨
┃ 🐳 docker-registry │ 715803424590.dkr.ecr.us-east-1.amazonaws.com ┃
┗━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

If you already have one or more AWS Service Connectors configured in your ZenML deployment, you can check which of them can be used to access the ECR registry you want to use for your AWS Container Registry by running e.g.:

zenml service-connector list-resources --connector-type aws --resource-type docker-registry

Example Command Output

The following 'docker-registry' resources can be accessed by service connectors that you have configured:
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃             CONNECTOR ID             │ CONNECTOR NAME          │ CONNECTOR TYPE │ RESOURCE TYPE      │ RESOURCE NAMES                               ┃
┠──────────────────────────────────────┼─────────────────────────┼────────────────┼────────────────────┼──────────────────────────────────────────────┨
┃ 37c97fa0-fa47-4d55-9970-e2aa6e1b50cf │ aws-secret-key          │ 🔶 aws         │ 🐳 docker-registry │ 715803424590.dkr.ecr.us-east-1.amazonaws.com ┃
┠──────────────────────────────────────┼─────────────────────────┼────────────────┼────────────────────┼──────────────────────────────────────────────┨
┃ d400e0c6-a8e7-4b95-ab34-0359229c5d36 │ aws-us-east-1           │ 🔶 aws         │ 🐳 docker-registry │ 715803424590.dkr.ecr.us-east-1.amazonaws.com ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

After having set up or decided on an AWS Service Connector to use to connect to the target ECR registry, you can register the AWS Container Registry as follows:

# Register the AWS container registry and reference the target ECR registry URI
zenml container-registry register <CONTAINER_REGISTRY_NAME> -f aws \
    --uri=<REGISTRY_URL>

# Connect the AWS container registry to the target ECR registry via an AWS Service Connector
zenml container-registry connect <CONTAINER_REGISTRY_NAME> -i

A non-interactive version that connects the AWS Container Registry to a target ECR registry through an AWS Service Connector:

zenml container-registry connect <CONTAINER_REGISTRY_NAME> --connector <CONNECTOR_ID>

Example Command Output

$ zenml container-registry connect aws-us-east-1 --connector aws-us-east-1 
Successfully connected container registry `aws-us-east-1` to the following resources:
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃             CONNECTOR ID             │ CONNECTOR NAME │ CONNECTOR TYPE │ RESOURCE TYPE      │ RESOURCE NAMES                               ┃
┠──────────────────────────────────────┼────────────────┼────────────────┼────────────────────┼──────────────────────────────────────────────┨
┃ d400e0c6-a8e7-4b95-ab34-0359229c5d36 │ aws-us-east-1  │ 🔶 aws         │ 🐳 docker-registry │ 715803424590.dkr.ecr.us-east-1.amazonaws.com ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

As a final step, you can use the AWS Container Registry in a ZenML Stack:

# Register and set a stack with the new container registry
zenml stack register <STACK_NAME> -c <CONTAINER_REGISTRY_NAME> ... --set

zenml service-connector login <CONNECTOR_NAME> --resource-type docker-registry

Example Command Output

$ zenml service-connector login aws-us-east-1 --resource-type docker-registry
⠼ Attempting to configure local client using service connector 'aws-us-east-1'...
WARNING! Your password will be stored unencrypted in /home/stefan/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

The 'aws-us-east-1' Docker Service Connector connector was used to successfully configure the local Docker/OCI container registry client/SDK.

PreviousDockerHub NextGoogle Cloud Container Registry

Last updated 1 month ago

Was this helpful?