
How to Set Up ECR Replication

The ability to replicate container images between AWS ECR (Elastic Container Registry) accounts is a powerful tool for disaster recovery, streamlined multi-account management, and efficient cross-region deployments. Amazon ECR supports both cross-region and cross-account replication, making it easier to distribute and maintain your Docker images.

This guide will walk you through the step-by-step process of configuring AWS ECR replication between multiple accounts.

Pre-requisites

  1. AWS CLI installed and configured with credentials for both accounts (separate named profiles are the easiest way to switch between them).
  2. An IAM principal in each account that can manage ECR registry settings. The AmazonEC2ContainerRegistryFullAccess managed policy works, but a narrower policy is enough: ecr:PutReplicationConfiguration in the source account and ecr:PutRegistryPolicy in the destination account.
  3. Source and destination AWS accounts (both in the same AWS partition).
  4. Source repositories in ECR. Destination repositories are created automatically on first replication if the destination registry policy grants ecr:CreateRepository; otherwise create them in advance with the same names.

Considerations Before Proceeding

  • New Images Only: Only images pushed to a repository after the replication rule exists are replicated. Existing images are not copied; re-push (or copy with a tool such as crane or skopeo) anything you need in the destination.
  • IAM Role Creation: ECR creates the service-linked role AWSServiceRoleForECRReplication in the source account the first time a replication configuration is saved. It is created automatically; you only need permission to create service-linked roles.
  • Destination Account Permissions: A registry permissions policy must be configured in the destination account that allows the source account to replicate into it.
  • Policy Changes: Changing the registry policy or replication rules while replication is in flight can cause in-flight replications to fail.
  • Destination Limit: A private registry is limited to 25 unique destinations (region and account pairs) across all replication rules.

Steps

Step 1: Open Replication Settings in the Source Account

In the source AWS account, open the Amazon ECR console and go to the private registry settings. Replication is configured per registry (per account and region), not per repository, so this is where the rule for the whole registry will live. There is no separate "enable" switch: saving a replication rule (Step 3) is what turns replication on.

Step 2: Configure Registry Permissions Policy in the Destination Account

In the destination AWS account, you need to grant permission for the source account to replicate images.

  1. Open the Amazon ECR console.
  2. Navigate to “Registry Permissions” and create a new permissions policy.
JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountReplication",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Source_Account_ID:root"
      },
      "Action": [
        "ecr:CreateRepository",
        "ecr:ReplicateImage"
      ],
      "Resource": "arn:aws:ecr:Destination_Region:Destination_Account_ID:repository/*"
    }
  ]
}

Replace Source_Account_ID, Destination_Region and Destination_Account_ID with the actual values. Two details matter here. First, a registry permissions policy must include a Resource element; a policy with only Principal and Action is rejected. Second, ecr:CreateRepository lets ECR create a matching repository in the destination the first time an image for it is replicated; leave it out if you pre-create every destination repository and want to forbid the source account from creating new ones. Narrowing the Resource to a prefix (for example repository/prod/*) limits where the source account can write, which is the least-privilege setting when the source rule only replicates that prefix.

Step 3: Configure ECR Replication in Source Account

Go back to the source account to configure the ECR replication rule.

  • Return to the Amazon ECR console in the source account.
  • Under the private registry, navigate to “Replication”.
  • Create a new replication rule, specifying the destination region and destination account ID.
  • (Optional) Filter which repositories are replicated with a repository name prefix; without a filter, every repository in the registry is replicated.

The same rule can be applied from the CLI, where replication-configuration.json holds the rules (destinations and optional repository prefix filters):

Bash
aws ecr put-replication-configuration --region us-west-2 --replication-configuration file://replication-configuration.json

Step 4: Test Replication

After setting up the replication, push a new Docker image to the source repository to verify that the image replicates to the destination account.

Bash
docker push <source_repo_url>:<tag>

Monitor the replication status in the ECR console of the destination account, or from the source account with the DescribeImageReplicationStatus API, which reports per-destination status and a failure code when replication was denied. Replication is asynchronous; successful replication usually completes within 30 minutes.
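The whole procedure (Steps 2 to 4) as one script. This is an added example, not code from the original post: it renders the destination registry policy and the source replication configuration from a few variables, validates the account IDs before they land in an ARN, and applies both with the AWS CLI only when APPLY=1 is set. The account IDs, regions, the "prod/" prefix and the profile names source and dest are placeholder assumptions.

```shell
#!/usr/bin/env sh
# Added example: build and apply ECR cross-account replication.
# All IDs, regions, prefixes and profile names below are assumed placeholders.
set -eu

SOURCE_ACCOUNT="${SOURCE_ACCOUNT:-111111111111}"   # assumed source account ID
DEST_ACCOUNT="${DEST_ACCOUNT:-222222222222}"       # assumed destination account ID
SOURCE_REGION="${SOURCE_REGION:-us-west-2}"        # region of the source registry
DEST_REGION="${DEST_REGION:-us-east-1}"            # region images are replicated to
REPO_PREFIX="${REPO_PREFIX:-prod/}"                # only repos under this prefix replicate

# AWS account IDs are exactly 12 digits. Reject anything else before it is
# interpolated into a Principal or Resource ARN.
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Registry permissions policy for the DESTINATION account (Step 2).
# Resource is mandatory for registry policies and is scoped to the same
# prefix the source rule replicates, so the source cannot write elsewhere.
registry_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountReplication",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${SOURCE_ACCOUNT}:root" },
      "Action": [ "ecr:CreateRepository", "ecr:ReplicateImage" ],
      "Resource": "arn:aws:ecr:${DEST_REGION}:${DEST_ACCOUNT}:repository/${REPO_PREFIX}*"
    }
  ]
}
EOF
}

# Replication configuration for the SOURCE registry (Step 3): one rule,
# one destination, filtered to repository names starting with REPO_PREFIX.
replication_config() {
  cat <<EOF
{
  "rules": [
    {
      "destinations": [
        { "region": "${DEST_REGION}", "registryId": "${DEST_ACCOUNT}" }
      ],
      "repositoryFilters": [
        { "filter": "${REPO_PREFIX}", "filterType": "PREFIX_MATCH" }
      ]
    }
  ]
}
EOF
}

# Apply both documents. Needs credentials for each account; the profile
# names "dest" and "source" are assumptions, override them via environment.
apply() {
  valid_account_id "$SOURCE_ACCOUNT" || { echo "bad SOURCE_ACCOUNT" >&2; return 1; }
  valid_account_id "$DEST_ACCOUNT"   || { echo "bad DEST_ACCOUNT" >&2; return 1; }
  registry_policy    > registry-policy.json
  replication_config > replication-configuration.json
  # Destination account: trust the source registry.
  AWS_PROFILE="${AWS_PROFILE_DEST:-dest}" aws ecr put-registry-policy \
    --region "$DEST_REGION" --policy-text file://registry-policy.json
  # Source account: save the rule. This also creates the
  # AWSServiceRoleForECRReplication service-linked role if it is missing.
  AWS_PROFILE="${AWS_PROFILE_SOURCE:-source}" aws ecr put-replication-configuration \
    --region "$SOURCE_REGION" --replication-configuration file://replication-configuration.json
}

# Step 4 check, run from the source account: status per destination for one
# image, e.g.  replication_status prod/api v1.2.3
replication_status() {
  AWS_PROFILE="${AWS_PROFILE_SOURCE:-source}" aws ecr describe-image-replication-status \
    --region "$SOURCE_REGION" --repository-name "$1" --image-id "imageTag=$2"
}

if [ "${APPLY:-0}" = "1" ]; then
  apply
else
  registry_policy      # dry run: print both documents for review
  replication_config
fi
```

Run it once without APPLY to review the two JSON documents, then with APPLY=1 to push them. Because the destination Resource is scoped to the same prefix as the source rule's PREFIX_MATCH filter, a misconfigured source rule that tries to replicate a repository outside prod/ is denied by the destination rather than silently accepted.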

Post-Configuration Actions

  • Clean Up: Replicated images count toward storage in the destination account. Delete replicated images and repositories you no longer need, or give the destination repositories lifecycle policies.
  • Additional Settings: Repository-level settings such as tag immutability, image scanning, lifecycle policies and repository permissions are not replicated. Configure them separately in the destination account.

Conclusion

By following this guide, you’ve successfully configured cross-account ECR replication. This setup enhances your container workflow by enabling:

  • Disaster Recovery: Maintain copies of your images in multiple regions for resilience.
  • Multi-Account Management: Simplify image distribution and management across your AWS organization.
  • Global Deployments: Easily replicate images to different regions for faster and more reliable deployments.
