AWS Container Registry

AWS Elastic Container Registry (ECR) integration allows your product to access and fetch container repositories, list container images, tags, and metadata stored in AWS ECR. This integration is commonly used for image inventory, vulnerability scanning, and container compliance across cloud workloads.

Credentials Needed

To integrate with AWS ECR, you need an IAM User or IAM Role with programmatic access and read-only permissions.

Required credentials:

  • AWS Access Key ID
  • AWS Secret Access Key
  • Region

If your integration runs within AWS (e.g., EC2, ECS, or Lambda), you can use an IAM Role instead of static credentials for improved security.

Permissions Needed

The integration requires read-only ECR permissions to list repositories and fetch image metadata.

Required IAM Actions

Service | Actions | Purpose
ECR | ecr:GetAuthorizationToken, ecr:DescribeRepositories, ecr:ListImages, ecr:DescribeImages, ecr:BatchGetImage | Read repository and image metadata
STS | sts:GetCallerIdentity | Verify credentials (optional)

IAM Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "STSCallerIdentity",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}

Creating Users / IAM Role in AWS

Step 1: Create an IAM Policy

  1. Go to AWS Console → IAM → Policies → Create Policy.
  2. Select the JSON tab and paste the above policy.
  3. Click Review Policy, name it (e.g., ECRReadOnlyPolicy), and create it.

Step 2: Create an IAM User

  1. Go to IAM → Users → Add User.
  2. Enter a name (e.g., ECRIntegrationUser).
  3. Select Programmatic Access.
  4. Attach the policy ECRReadOnlyPolicy created above.
  5. Complete creation and copy the Access Key ID and Secret Access Key.

Alternatively, for integrations running inside AWS, create an IAM Role and attach the same policy to that role.

Test Connectivity

You can test ECR access using the AWS CLI:

# Authenticate to AWS using credentials
aws configure
# (Enter Access Key, Secret Key, Region)

# Get an ECR login password (this calls ecr:GetAuthorizationToken)
aws ecr get-login-password --region <REGION>

# List all ECR repositories
aws ecr describe-repositories --region <REGION>

# List images in a specific repository
aws ecr list-images --repository-name <REPOSITORY_NAME> --region <REGION>

# Get detailed image metadata
aws ecr describe-images --repository-name <REPOSITORY_NAME> --region <REGION>

If these commands return valid results, your credentials and permissions are properly configured.

Save the Results in the Platform and Create Connection

  1. In your platform's integration setup, securely store:
    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY
    • AWS_REGION
  2. Create a connection labeled AWS Container Registry (ECR) Integration.
  3. Test the connection by fetching ECR repositories and image metadata.

Best Practices

  • Use IAM Roles for in-cloud integrations to avoid storing static credentials.
  • Apply the principle of least privilege — only allow ECR read actions.
  • Rotate Access Keys regularly and use AWS Secrets Manager for secure credential storage.
  • Use regional ECR endpoints for optimized API performance.
  • Enable ECR Scan on Push to automatically scan images for vulnerabilities.
  • Monitor access logs through AWS CloudTrail for audit and compliance.
  • Use temporary credentials (STS) if your integration requires short-lived tokens.
  • Avoid AdministratorAccess or AmazonEC2ContainerRegistryFullAccess for read-only use cases.
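The following script is an added example, not part of this integration's own tooling. It uses only the Python standard library to audit a policy document such as the one in the IAM Policy JSON section against the read-only action set above: it reports required actions that no Allow statement grants, and any Allow pattern broader than that set (wildcards such as ecr:* or actions outside it), so an over-privileged policy is caught before access keys are issued. The BROAD_POLICY sample is constructed for illustration.

```python
import fnmatch
import json

# Read-only actions the integration needs (the set from the policy above).
REQUIRED_ACTIONS = {
    "ecr:GetAuthorizationToken", "ecr:DescribeRepositories", "ecr:ListImages",
    "ecr:DescribeImages", "ecr:BatchGetImage", "sts:GetCallerIdentity",
}


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_ecr_policy(policy):
    """Return (missing, excessive) for a parsed IAM policy document:
    required actions no Allow statement grants, and Allow patterns that
    reach beyond the read-only set (wildcards or actions outside it)."""
    granted = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            granted.append("*")
        granted.extend(_as_list(stmt.get("Action")))
    required_lower = {a.lower() for a in REQUIRED_ACTIONS}
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(_matches(p, a) for p in granted))
    excessive = sorted({p for p in granted
                        if "*" in p or "?" in p or p.lower() not in required_lower})
    return missing, excessive


def audit_policy_file(path):
    """Audit a policy JSON file, e.g. the document pasted in Step 1."""
    with open(path, encoding="utf-8") as fh:
        return audit_ecr_policy(json.load(fh))


# Constructed sample: an over-broad variant of the policy above.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:*", "ecr:ListImages"], "Resource": "*"}]}
```

Run audit_policy_file("policy.json") against the saved policy; an empty result in both positions means the document grants exactly the read-only set and nothing more.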