
URL: https://repost.aws/questions/QUU4vTb5XDS127j1LOIExacw/using-a-vanity-domain-for-ecr-images

Using a Vanity Domain for ECR Images | AWS re:Post

Using a Vanity Domain for ECR Images


See end section if the response is: "this has been asked before..."

My team wants to use a vanity domain to ease use of the private ECR registry for our AWS account. Engineers find it easier to use "company.com/helloworld:latest" rather than "1234567891234.dkr.ecr.us-east-2.amazonaws.com/helloworld:latest".

AWS does not appear to directly support customization so research has begun.

The problem is not resolvable by simply using a CNAME redirect; a proxy is required to pass information between the AWS ECR endpoint and a local user registry. A lambda function is used to handle redirecting header information and passing back tokens. There may be concern with that code, and I can provide as much as possible if called up for inspection. Given this works with Docker login and pull commands, just not push, I suspect this is some server side permissions issue.

Docker Login:

aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin company.com
Login Succeeded

Docker Pull: Pull appears to be working just fine which leads me to believe this is a permissions issue per repository or in the registry as a whole only when pushing.

docker pull company.com/alpine:latest
latest: Pulling from alpine
5a9a2fb70d56: Download complete
ee5e5806c15b: Download complete
Digest: sha256:4fcbb63933fcb228bd56dacec2070309978af25e9baf414caa6a8e47de312f1
Status: Downloaded newer image for company.com/alpine:latest
company.com/alpine:latest

Docker Push: This does not work when using push. A 403 Forbidden error is experienced. It would be nice to observe any additional details in the body of the response (if that is even provided by AWS).

docker push company.com/hello-world:latest
The push refers to repository [company.com/hello-world]
b012bd0df701: Waiting
1074252bbc0e: Waiting
unknown: unexpected status from HEAD request to https://prod-us-east-2-starport-layer-bucket.s3.us-east-2.amazonaws.com/<giant_string>: 403 Forbidden

This question is related to the following topics; however, I did not want to hijack an existing issue (which also has slight variances):
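An added illustration (not the poster's Lambda code) of the two header-handling rules a registry proxy in this position needs: the ECR login token is forwarded only to the ECR API host, never to the S3 host that serves presigned layer URLs, and a Location header pointing back at the ECR host is rewritten to the vanity domain while presigned S3 redirects pass through untouched (rewriting them would break their signature). Hostnames are the placeholders from the question; the Location rewrite assumes ECR returns absolute URLs for blob-upload sessions.

```python
"""Header rules for a vanity-domain ECR proxy (illustrative, not the poster's code)."""
from urllib.parse import urlsplit, urlunsplit

VANITY_HOST = "company.com"                                  # placeholder from the question
ECR_HOST = "1234567891234.dkr.ecr.us-east-2.amazonaws.com"   # placeholder from the question

# The registry token must only ever reach the ECR API; forwarding it to any
# other upstream (e.g. the S3 layer bucket) leaks the credential and the
# presigned URL already carries its own signature in the query string.
CREDENTIAL_HEADERS = {"authorization", "cookie"}
# Hop-by-hop headers a proxy must not relay verbatim (RFC 7230 section 6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}


def upstream_request_headers(client_headers, upstream_host):
    """Build the header set for the proxied request to `upstream_host`."""
    out = {}
    for name, value in client_headers.items():
        lname = name.lower()
        if lname in HOP_BY_HOP or lname == "host":
            continue
        if lname in CREDENTIAL_HEADERS and upstream_host != ECR_HOST:
            continue  # token is only valid for, and only safe to send to, ECR
        out[name] = value
    out["Host"] = upstream_host
    return out


def client_response_headers(upstream_headers):
    """Rewrite an upstream response so Docker's next request stays on the vanity host.

    Only Location values on the ECR host (e.g. the blob-upload session URL) are
    rewritten; redirects to other hosts such as the presigned S3 layer URLs are
    left intact so their signature still validates.
    """
    out = {}
    for name, value in upstream_headers.items():
        lname = name.lower()
        if lname in HOP_BY_HOP:
            continue
        if lname == "location":
            parts = urlsplit(value)
            if parts.netloc == ECR_HOST:
                value = urlunsplit(parts._replace(netloc=VANITY_HOST))
        out[name] = value
    return out
```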

1 Answer
This recommendation was generated using AWS Generative AI capabilities. You are responsible for evaluating the recommendation in your specific context and implementing appropriate oversight and safeguards.
This answer has not been reviewed by an expert

To authenticate and push Docker images to Amazon ECR through a vanity domain, you need to ensure that the authentication token has the proper permissions for both pull and push operations.

Based on your description, the issue appears to be related to how the authorization token is being handled during push operations. When you use aws ecr get-login-password and pipe it to Docker login, you're obtaining an authorization token that's valid for 12 hours. This token's permission scope matches that of the IAM principal used to retrieve it.

For your vanity domain setup with a Lambda proxy, there are a few potential issues to check:

  1. The Lambda function might not be correctly passing the authorization headers or tokens during push operations, which involve different API calls than pull operations.

  2. The IAM permissions of the user/role generating the token might have pull permissions but not push permissions to the repository.

  3. The S3 bucket error you're seeing ("403 Forbidden" from the starport-layer-bucket) suggests that the proxy might not be correctly handling the multi-part upload process that occurs during image pushes.

When pushing an image to ECR, Docker communicates with multiple AWS services, including S3 for layer storage. Your proxy needs to handle all these communications correctly, including proper authentication for each service.

To troubleshoot:

  1. Verify that the IAM user/role has both push and pull permissions for the ECR repository.

  2. Check that your Lambda proxy correctly passes all headers and authentication tokens for both the ECR API and the S3 API calls.

  3. Consider implementing detailed logging in your Lambda function to see exactly what requests are being made during push operations and how they differ from pull operations.

  4. Test pushing directly to the AWS ECR endpoint to confirm that permissions are correctly configured.

The error specifically mentions the S3 starport-layer-bucket, which is part of ECR's backend storage. This suggests that while your authentication works for the ECR API itself, the proxy might not be correctly handling the subsequent S3 operations required for pushing image layers.

answered 6 months ago
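For the answer's first troubleshooting step (and its second potential issue, a principal that can pull but not push), an added offline check of an IAM identity policy against the ECR actions each Docker operation calls. This is an illustration, not code from the answer; the sample policy is constructed to reproduce "pull works, push does not", the action sets follow the ECR private-registry documentation, and the check deliberately ignores Resource and Condition elements, repository policies and SCPs.

```python
"""Compare an IAM identity policy with the ECR actions pull and push require."""
import fnmatch

PULL_ACTIONS = {"ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"}
PUSH_ACTIONS = {"ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:PutImage"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def allowed_actions(policy, needed):
    """Subset of `needed` the policy allows; an explicit Deny overrides any Allow."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        hits = {a for a in needed if _matches(patterns, a)}
        if stmt["Effect"] == "Allow":
            allowed |= hits
        elif stmt["Effect"] == "Deny":
            denied |= hits
    return allowed - denied


def missing_for(policy, needed):
    """Sorted list of required actions the policy does not grant."""
    return sorted(needed - allowed_actions(policy, needed))


SAMPLE_POLICY = {  # constructed: token retrieval plus read-only repository access
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchCheckLayerAvailability"],
         "Resource": "arn:aws:ecr:us-east-2:123456789012:repository/*"},
    ],
}
```

Run `missing_for(SAMPLE_POLICY, PUSH_ACTIONS)` against the real policy JSON of the principal that produced the token to see which upload actions are absent.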