ECR (Amazon Elastic Container Registry)
The ecr registry lets you configure ECR integration.
Variables
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
| DD_REGISTRY_ECR_{REGISTRY_NAME}_ACCESSKEYID | ⚪ | A valid AWS Access Key Id (required for private images) | Standard AWS Credentials | |
| DD_REGISTRY_ECR_{REGISTRY_NAME}_SECRETACCESSKEY | ⚪ | A valid AWS Secret Access Key (required for private images) | Standard AWS Credentials | |
| DD_REGISTRY_ECR_{REGISTRY_NAME}_REGION | ⚪ | A valid AWS Region Code (required for private images) | AWS Region list | |
The AmazonEC2ContainerRegistryReadOnly Policy (or higher) must be attached to the AWS IAM User.
Auth token caching
ECR authorization tokens are valid for 12 hours. drydock caches the token per instance and refreshes it within 5 minutes of expiry, eliminating redundant GetAuthorizationToken calls on every container watch cycle. The cache write is race-safe: if credentials rotate between two concurrent token fetches, the stale result is discarded rather than overwriting the fresh token.
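The caching behaviour described above, sketched as an added example (this is not drydock's own code). `EcrTokenCache`, the `fetchToken` callback standing in for a GetAuthorizationToken call, and the generation counter are assumptions chosen to show one way a late result fetched with rotated-out credentials can be discarded instead of overwriting the fresh token.

```javascript
// Added illustration, not drydock's source. fetchToken stands in for an ECR
// GetAuthorizationToken call; its shape and all names here are assumptions.
const TOKEN_TTL_MS = 12 * 60 * 60 * 1000; // ECR tokens are valid for 12 hours
const REFRESH_MARGIN_MS = 5 * 60 * 1000;  // refresh within 5 minutes of expiry

class EcrTokenCache {
  constructor(fetchToken, now = () => Date.now()) {
    this.fetchToken = fetchToken; // async (credentials) => { token, expiresAt }
    this.now = now;
    this.generation = 0;          // bumped on every credential rotation
    this.cached = null;           // { token, expiresAt, generation }
  }
  setCredentials(credentials) {
    this.credentials = credentials;
    this.generation += 1;
    this.cached = null;           // never reuse a token minted from old keys
  }
  async getToken() {
    const c = this.cached;
    if (c && c.generation === this.generation
        && c.expiresAt - this.now() > REFRESH_MARGIN_MS) return c.token;
    const startedAt = this.generation;
    const fresh = await this.fetchToken(this.credentials);
    if (startedAt !== this.generation) return this.getToken(); // stale: discard
    this.cached = { ...fresh, generation: startedAt };
    return fresh.token;
  }
}

// Constructed scenario: a fetch made with old keys completes after rotation.
async function demo() {
  let clock = 0, releaseOld;
  const calls = [];
  const fetchToken = async (creds) => {
    calls.push(creds.accessKeyId);
    if (creds.accessKeyId === 'OLD') await new Promise((r) => { releaseOld = r; });
    return { token: `tok-${creds.accessKeyId}`, expiresAt: clock + TOKEN_TTL_MS };
  };
  const cache = new EcrTokenCache(fetchToken, () => clock);
  cache.setCredentials({ accessKeyId: 'OLD' });
  const slow = cache.getToken();                // in flight with OLD keys
  cache.setCredentials({ accessKeyId: 'NEW' }); // rotation
  const fresh = await cache.getToken();         // NEW token fetched and cached
  releaseOld();                                 // OLD result arrives late
  const afterRace = await slow;                 // stale result is discarded
  const callsAfterRace = calls.length;
  clock = TOKEN_TTL_MS - 4 * 60 * 1000;         // 4 minutes before expiry
  await cache.getToken();                       // inside the margin: refetch
  return { fresh, afterRace, callsAfterRace, callsAfterRefresh: calls.length };
}
```

In this sketch a caller whose fetch was overtaken by a rotation still receives the current token, because the discarded result falls through to the cache populated with the new credentials.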
Examples
```yaml
services:
  drydock:
    image: codeswhat/drydock
    ...
    environment:
      - DD_REGISTRY_ECR_PRIVATE_ACCESSKEYID=xxx
      - DD_REGISTRY_ECR_PRIVATE_SECRETACCESSKEY=xxx
      - DD_REGISTRY_ECR_PRIVATE_REGION=eu-west-1
```

```bash
docker run \
  -e DD_REGISTRY_ECR_PRIVATE_ACCESSKEYID="xxx" \
  -e DD_REGISTRY_ECR_PRIVATE_SECRETACCESSKEY="xxx" \
  -e DD_REGISTRY_ECR_PRIVATE_REGION="eu-west-1" \
  ...
  codeswhat/drydock
```

How to create an AWS IAM user and get programmatic access
1. Log in to your AWS Console, go to the IAM Service, and create a new user

2. Attach the AmazonEC2ContainerRegistryReadOnly policy to the user

3. Get your AccessKeyId and your Secret Access Key and configure drydock with them
