Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

AWS ECR Repository - How to copy images from one account and push to another account

I have two accounts - Account A and Account B. In account A, I have a policy with a user from account B can interact with Account A. I have a repository in both accounts. Account B doesn't have a policy set ( Not sure if I need a policy for Account A to interact with it).

My question is how do I push ecr images from Account A into Account B. I would like a copy of Account A image into Account B. Is this possible.

like image 611
Paris Avatar asked Jul 10 '20 18:07

Paris


People also ask

How do I push an image to AWS ECR repository?

To push a Docker image to an Amazon ECR repositoryAuthenticate your Docker client to the Amazon ECR registry to which you intend to push your image. Authentication tokens must be obtained for each registry used, and the tokens are valid for 12 hours. For more information, see Private registry authentication.

How do I copy a Docker image from one repo to another?

In order to transfer a Docker image from one server to another, what you need to do is first export the image to a file, then copy that file over from your current server to the new one using scp or rsync and finally load the image to your new server.


2 Answers

This is not a currently supported feature of ECR so you would need to perform the following steps to migrate from one account to another:

  • aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com - Run this for the source account
  • docker pull $SOURCE_IMAGE:$VERSION - Pull the latest tag down to your local
  • docker tag $SOURCE_IMAGE:$VERSION $TARGET_IMAGE:$VERSION - Tag a new image based on the original source image
  • aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region>.amazonaws.com - Run this for the target account
  • docker push $TARGET_IMAGE:$VERSION - Push the docker image upto the target ECR account.
like image 112
Chris Williams Avatar answered Sep 19 '22 17:09

Chris Williams


If you want to move all repositry from particularly region to another account (Destination account) then use below script.

  • It will list all repo from Account A
  • Pull an image from an account A one by one
  • Create Repo in Account B
  • Tag image
  • push image to account B
#!/bin/bash
TARGET_ACCOUNT_REGION="us-west-2"
DESTINATION_ACCOUNT_REGION="us-west-2"
DESTINATION_ACCOUNT_BASE_PATH="123456.dkr.ecr.$DESTINATION_ACCOUNT_REGION.amazonaws.com/"


REPO_LIST=($(aws ecr describe-repositories --query 'repositories[].repositoryUri' --output text --region $TARGET_ACCOUNT_REGION))
REPO_NAME=($(aws ecr describe-repositories --query 'repositories[].repositoryName' --output text --region $TARGET_ACCOUNT_REGION))


for repo_url in ${!REPO_LIST[@]}; do
        echo "star pulling image ${REPO_LIST[$repo_url]} from Target account"
        docker pull ${REPO_LIST[$repo_url]}


        # Create repo in destination account, remove this line if already created
        aws ecr create-repository --repository-name ${REPO_NAME[$repo_url]}
        docker tag   ${REPO_LIST[$repo_url]} $DESTINATION_ACCOUNT_BASE_PATH/${REPO_NAME[$repo_url]} 
        docker push $DESTINATION_ACCOUNT_BASE_PATH/${REPO_NAME[$repo_url]} 
done

Make sure you already obtain login token for both account or add these command in the script.

        aws ecr get-login-password --region $TARGET_ACCOUNT_REGION | docker login --username AWS --password-stdin ${REPO_LIST[$repo_url]}
        # destination account login, make sure profile set for accoutn destination
        aws ecr get-login-password --region $DESTINATION_ACCOUNT_REGION --profile destination_account | docker login --username AWS --password-stdin ${REPO_LIST[$repo_url]}

aws-cli-cheatsheet

Or you can use one of them

  • AWS cross-region replication
  • Cross account replication

Cron account replication

Amazon ECR uses registry settings to configure features at the registry level. The private registry settings are configured separately for each Region. Currently, the only registry setting is the replication setting, which is used to configure cross-Region and cross-account replication of the images in your repositories

like image 41
Adiii Avatar answered Sep 16 '22 17:09

Adiii