Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Authenticate with AWS ECR without aws cli

The canonical way I've seen to authenticate with an ECR repo (for docker) is to use the aws ecr get-login-password command https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry_auth.html#registry-auth-token

I am in an environment where I'm unable to install the aws cli command. Does anyone know of a way to generate this password through an API (like HTTP or SDK)? I assume that since it's done via the AWS CLI, there's an API behind it. However I seem to unable to find any guide or documentation for this.

like image 223
Tri Nguyen Avatar asked Jul 03 '26 02:07

Tri Nguyen


1 Answers

Almost every Amazon document points us to using the CLI or an SDK, however it is possible to make it work with just API calls.

There are two main challenges to making direct API calls:

  1. Signing AWS API requests

    As of curl 7.75.0 we have the --aws-sigv4 option to handle this nicely.

    It requires a region and service code, as well as a value for the --user arg, where the region and service code need to match the API url, while the values for user depend on your authentication method.

    Example: curl --url 'https://api.ecr.us-east-1.amazonaws.com' --aws-sigv4 "aws:amz:us-east-1:ecr" --user "<user>:<pass>"

    ECR public and private endpoints are well documented.

  2. The ECR API docs lack some details

  • All operations seem to be POST
  • All requests require at least an empty json object {}
  • The Action is passed in the special header 'x-amz-target: SpencerFrontendService.<Action>
  • Use Content-Type: application/x-amz-json-1.1
like image 90
Slacker_CA Avatar answered Jul 04 '26 17:07

Slacker_CA



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!