Accessing private Docker images from AWS Elastic Beanstalk

Posted at 9:56 pm on Mar 12, 2020

If you intend to use private Docker images, you need to authenticate with the image registry so that images can be pulled and pushed under your account.

Step 1: Create a dockercfg file

If you are using macOS, the newer versions of Docker have changed to store credentials in the macOS keychain rather than in a configuration file.

Here is an easy workaround to get the appropriate authentication file created on macOS.

First, add the following credentials, as environment variables, to a file named credentials.env:

DOCKER_USERNAME=--insert your user name--
DOCKER_PASSWORD=--insert your password--
DOCKER_REGISTRY=https://index.docker.io/v1/

Next, run the following Docker command, which uses an image maintained by Codeship to process your credentials and create a standardized dockercfg file:

docker run -it --rm \
	--env-file=credentials.env \
	-v "$(pwd):/opt/data/" \
	-v "/var/run/docker.sock:/var/run/docker.sock" \
	codeship/dockercfg-generator /opt/data/dockercfg

This will generate a dockercfg file in the folder where you ran the above docker command.

Step 2: Make this file compatible with AWS

As of this writing, the dockercfg file generated in the previous step is not compatible with AWS. AWS expects the dockercfg to be in the following format:

{
  "https://index.docker.io/v1/": {
    "auth": "__auth__"
  }
}

But the file generated by the Codeship docker command is in the following format:

{
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": "__auth__"
        }
    }
}

So, if your version of Docker generates this new format, just strip the auths line and its corresponding curly braces and you are good to go.
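The Step 2 conversion as a script, added here as an example and not part of the original post or of Codeship's tooling: it unwraps the auths object, leaves an already-flat file unchanged, and fails when an entry has no inline auth value, as happens when Docker keeps credentials in the macOS keychain. The function name and the sample credentials are constructed for illustration.

```python
import base64
import json


def to_legacy_dockercfg(text):
    """Return the flat dockercfg form from Step 2 for either input format."""
    cfg = json.loads(text)
    # Newer Docker nests registries under "auths"; the older form is already flat.
    registries = cfg["auths"] if isinstance(cfg.get("auths"), dict) else cfg
    legacy = {}
    for registry, entry in registries.items():
        auth = entry.get("auth") if isinstance(entry, dict) else None
        if not auth:
            # Seen when credentials sit in a credential store (e.g. macOS keychain).
            raise ValueError(f"no inline 'auth' value for {registry}")
        try:
            decoded = base64.b64decode(auth, validate=True).decode("utf-8")
        except ValueError as exc:  # covers bad base64 and bad UTF-8
            raise ValueError(f"'auth' for {registry} is not valid base64 text") from exc
        if ":" not in decoded:
            raise ValueError(f"'auth' for {registry} is not base64(user:password)")
        legacy[registry] = {"auth": auth}
    if not legacy:
        raise ValueError("no registry entries found")
    return json.dumps(legacy, indent=2)


# Constructed sample inputs (not real credentials). The auth value is only
# base64 of "user:password", so the resulting file must be handled as a secret.
_AUTH = base64.b64encode(b"exampleuser:examplepass").decode()
SAMPLE_NEW = json.dumps({"auths": {"https://index.docker.io/v1/": {"auth": _AUTH}}})
SAMPLE_KEYCHAIN = json.dumps(
    {"auths": {"https://index.docker.io/v1/": {}}, "credsStore": "desktop"}
)

if __name__ == "__main__":
    print(to_legacy_dockercfg(SAMPLE_NEW))
```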

Step 3: Create S3 bucket and modify your Dockerrun.aws.json

As per the AWS documentation, in order to use Docker images from a private repository, add the information about the Amazon S3 bucket that contains the authentication file in the Authentication parameter of the Dockerrun.aws.json file. Make sure that the Authentication parameter contains a valid Amazon S3 bucket and key. Here is the link to the AWS documentation: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/single-container-docker-configuration.html#single-container-docker-configuration.privaterepo

{
    "AWSEBDockerrunVersion": "1",
    "Authentication": {
        "Bucket": "my-bucket",
        "Key": "dockercfg"
    },
    "Image": {
        "Name": "johndoe/private-image",
        "Update": "true"
    },
    "Ports": [
        {
            "ContainerPort": "5000"
        }
    ]
}

To set this up, create a bucket and upload the dockercfg file to it. Make sure the bucket is NOT publicly accessible. We will use an IAM role to give EB (Elastic Beanstalk) access to this object in the S3 bucket.

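Elastic Beanstalk will create a role called “aws-elasticbeanstalk-ec2-role” to access Docker. Attach the “AmazonS3ReadOnlyAccess” policy to this role, so that it’s able to access the S3 buckets. Note that this managed policy allows reading every bucket in the account; a policy that grants only s3:GetObject on the dockercfg object is enough for this purpose.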

Voila! You are all set to use your private Docker image with Elastic Beanstalk.