AWS Container Registry

AWS Elastic Container Registry (ECR) integration allows your product to fetch container repository details, list container images, tags, and metadata stored in AWS ECR. This is useful for vulnerability scanning, asset inventory, and container compliance monitoring.

Credentials Needed

  • Access Key ID
  • Secret Access Key

These credentials should belong to an IAM User or IAM Role with read-only permissions to ECR. If your integration runs inside AWS (ECS, EC2, Lambda), prefer using an IAM Role instead of static keys.

IAM Permissions

The following read-only permissions are required to list repositories and retrieve container images:

Service: ECR
Actions: ecr:GetAuthorizationToken, ecr:DescribeRepositories, ecr:ListImages, ecr:BatchGetImage, ecr:DescribeImages

IAM Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRReadOnly",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:BatchGetImage",
        "ecr:DescribeImages"
      ],
      "Resource": "*"
    }
  ]
}

Creating Users

  1. Go to AWS Console → IAM → Users → Add User
  2. Enter a name (e.g., ECRIntegrationUser)
  3. Select Programmatic Access
  4. Attach the custom policy created from the IAM Policy JSON above (e.g., ECRReadOnlyPolicy)
  5. Complete creation and copy the Access Key ID and Secret Access Key

Alternatively, if your integration runs in AWS, create an IAM Role and attach this policy instead.

Test Connectivity

Run the following commands to verify connectivity and access:

# Authenticate to ECR
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com

# List repositories
aws ecr describe-repositories --region us-east-1

# List images in a specific repository
aws ecr list-images --repository-name <repository_name> --region us-east-1

# Get image metadata
aws ecr describe-images --repository-name <repository_name> --region us-east-1

You should see repository and image details returned without permission errors.

Save the Results in the Platform and Create Connection

  1. Store credentials securely in your product configuration:
    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY
    • AWS_REGION
  2. Create a connector or integration entry for AWS Container Registry (ECR) in your platform.
  3. Test the integration by listing repositories and container images.
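The step above ends with listing repositories and images; the following is an added example (not the integration product's own code) of how a connector can turn ECR DescribeImages responses into an inventory and flag untagged images, which a tag-based scan would otherwise miss. The pure helpers run offline on constructed sample pages; `fetch_inventory` is the live variant and assumes boto3 is installed and credentials carrying the read-only policy from this page are configured. The repository name and digests in the sample are placeholders.

```python
"""Added example: build a container-image inventory from ECR DescribeImages
responses. Not part of the integration's own code; sample data is constructed."""
from datetime import datetime, timezone


def summarize_image_pages(repository_name, pages):
    """Flatten DescribeImages pages (as boto3's paginator yields them) into
    inventory rows. Untagged images carry no 'imageTags' key in the response,
    so they are kept with an empty tag list instead of being dropped."""
    rows = []
    for page in pages:
        for detail in page.get("imageDetails", []):
            pushed = detail.get("imagePushedAt")
            rows.append({
                "repository": repository_name,
                "digest": detail["imageDigest"],
                "tags": sorted(detail.get("imageTags", [])),
                "size_bytes": detail.get("imageSizeInBytes", 0),
                # boto3 returns a timezone-aware datetime; normalize to ISO 8601 text
                "pushed_at": pushed.isoformat() if isinstance(pushed, datetime) else pushed,
            })
    rows.sort(key=lambda r: (r["repository"], r["pushed_at"] or "", r["digest"]))
    return rows


def untagged_images(rows):
    """Digests no tag points at. These are typically left behind when a mutable
    tag is re-pushed to a new image, and tag-based scanning does not see them."""
    return [r["digest"] for r in rows if not r["tags"]]


def fetch_inventory(region, repository_names=None):
    """Live variant: enumerate repositories (or the given subset) and summarize
    every image. boto3 is imported here so the helpers above stay importable
    without it."""
    import boto3  # assumption: boto3 installed, read-only credentials configured
    ecr = boto3.client("ecr", region_name=region)
    if repository_names is None:
        repository_names = []
        for page in ecr.get_paginator("describe_repositories").paginate():
            repository_names.extend(r["repositoryName"] for r in page["repositories"])
    rows = []
    for name in repository_names:
        pages = ecr.get_paginator("describe_images").paginate(repositoryName=name)
        rows.extend(summarize_image_pages(name, pages))
    return rows


# Constructed sample: two DescribeImages pages for one repository, second image untagged.
SAMPLE_PAGES = [
    {"imageDetails": [
        {"imageDigest": "sha256:" + "a" * 64,
         "imageTags": ["v1.2.0", "latest"],
         "imageSizeInBytes": 52_428_800,
         "imagePushedAt": datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)},
    ]},
    {"imageDetails": [
        {"imageDigest": "sha256:" + "b" * 64,
         "imageSizeInBytes": 51_000_000,
         "imagePushedAt": datetime(2024, 2, 1, 9, 30, tzinfo=timezone.utc)},
    ]},
]

if __name__ == "__main__":
    inventory = summarize_image_pages("app-api", SAMPLE_PAGES)  # placeholder repo name
    for row in inventory:
        print(row["repository"], row["digest"][:19], row["tags"], row["pushed_at"])
    print("untagged:", untagged_images(inventory))
```

Rows are sorted by repository and push time so repeated runs produce a stable diff, which is what a periodic inventory job needs to spot new or removed images.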

Best Practices

  • Use read-only permissions to ensure minimal access.
  • Prefer IAM Roles for AWS-hosted integrations over static credentials.
  • Limit scope to required regions or repositories if possible.
  • Rotate Access Keys regularly for security.
  • Use AWS Secrets Manager or your platform's encrypted vault for storing credentials.
  • Validate the connection periodically to detect credential expiry.
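As an added example for the IAM Permissions section and the scope-limiting best practice above (not the integration's own code), the block below generates a repository-scoped version of the page's policy and lints a policy for two least-privilege problems: actions outside the five read-only ones the page requires, and wildcard `Resource` on actions that accept repository ARNs. `ecr:GetAuthorizationToken` is a registry-level action and must keep `"Resource": "*"`, so it is kept in its own statement. The account ID, region and repository names are placeholders.

```python
"""Added example: generate and lint a least-privilege ECR read-only policy.
Not the integration's own code; account id, region and repository names are placeholders."""
import json

# The five read-only actions listed on this page.
ECR_READ_ONLY_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:BatchGetImage",
    "ecr:DescribeImages",
}
# GetAuthorizationToken is registry-level and cannot be scoped to a repository ARN;
# the other four accept arn:aws:ecr:<region>:<account>:repository/<name>.
REGISTRY_LEVEL_ACTIONS = {"ecr:GetAuthorizationToken"}

# The policy exactly as given on this page (wildcard Resource for every action).
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ECRReadOnly",
        "Effect": "Allow",
        "Action": sorted(ECR_READ_ONLY_ACTIONS),
        "Resource": "*",
    }],
}


def build_scoped_policy(account_id, region, repositories):
    """Same actions as the page's policy, but repository-level actions are
    restricted to the given repositories."""
    repo_arns = [f"arn:aws:ecr:{region}:{account_id}:repository/{name}" for name in repositories]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ECRAuthToken", "Effect": "Allow",
             "Action": sorted(REGISTRY_LEVEL_ACTIONS), "Resource": "*"},
            {"Sid": "ECRReadOnlyRepos", "Effect": "Allow",
             "Action": sorted(ECR_READ_ONLY_ACTIONS - REGISTRY_LEVEL_ACTIONS),
             "Resource": repo_arns},
        ],
    }


def lint_policy(policy):
    """Return human-readable findings; an empty list means the policy grants
    only the required read-only actions, scoped wherever ECR allows it."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        for action in actions:
            if action not in ECR_READ_ONLY_ACTIONS:
                findings.append(f"{sid}: {action} is not one of the required read-only ECR actions")
            elif action not in REGISTRY_LEVEL_ACTIONS and "*" in resources:
                findings.append(f"{sid}: {action} granted on Resource '*'; restrict to repository ARNs")
    return findings


if __name__ == "__main__":
    print("page policy findings:", *lint_policy(PAGE_POLICY), sep="\n  ")
    scoped = build_scoped_policy("123456789012", "us-east-1", ["app-api", "app-worker"])
    print(json.dumps(scoped, indent=2))
    print("scoped policy findings:", lint_policy(scoped))
```

Running the linter over the page's own policy reports the four repository-level actions granted on `"*"`; the generated policy reports nothing. A wildcard action such as `ecr:*`, or any write action, is flagged as outside the required set.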