• Stars
    star
    140
  • Rank 261,473 (Top 6 %)
  • Language
    JavaScript
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated almost 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Public endpoint for AWS Elastic Container Registry

Public AWS Elastic Container Registry

Host any Elastic Container Registry (ECR) publicly on a custom domain using this serverless proxy.

Give it a spin:

# pull a container from a registry named nginx with no authentication
docker pull v3iomfy255.execute-api.us-east-2.amazonaws.com/nginx:alpine

Solution Overview

ECR doesn't support public registries. Instead, the docker client needs to authenticate with ECR using AWS IAM credentials which requires the AWS CLI or an SDK that can generate those credentials.

If you would like to make your registries publicly available then this solution can help. It deploys an API Gateway and a Lambda function that act as a proxy for AWS ECR. Custom authentication can easily be added in the API Gateway. Roll your own JWT-based authentication or whatever you desire. Additionally, you can configure the API Gateway to be private and thus limit access to docker clients within your VPC.

diagram

Deploy

launch

Download Template

Template Parameters

Parameter Required Description
DomainName No If provided an ACM Certificate and API Domain Name will be created
ValidationDomain No Overwrite default Validation Domain for ACM Certificate
ValidationMethod Yes, default to EMAIL Allow you to use DNS instead of EMAIL for Certificate validation
Authorizer No, defaults to NONE Valid values are NONE, BASIC, AZURE_DEVOPS or CUSTOM
AuthBasicUsername If Authorizer is BASIC Username for Basic authentication
AuthBasicPassword If Authorizer is BASIC Password for Basic authentication
AuthAzureDevOpsOrg If Authorizer is AZURE_DEVOPS Organization name in Azure Devops
AuthCustomLambdaArn If Authorizer is CUSTOM ARN of your custom Lambda authorizer

Authorizers

This template ships with support for Basic authentication, Azure Devops (using system or access token) and custom Lambda.

Azure DevOps Pipeline example:

# username must be ADO
steps:
- script: |
    echo $TOKEN | docker login --username ADO --password-stdin example.execute-api.us-east-2.amazonaws.com
    docker pull example.execute-api.us-east-2.amazonaws.com/nginx:latest
  env:
    TOKEN: $(System.AccessToken)

FAQ

How can I host this proxy on a custom domain?

Simply provide the DomainName parameter when you create the stack. This will create an ACM certificate and API Domain Name resource. The Regional Domain Name and Hosted Zone ID can be found in the outputs tab of the stack. You will need those to create the DNS record in Route 53 (or similar DNS service).

For Route 53, open your hosted zone, create a New Record Set, enter the domain name, set Alias to Yes and paste the RegionalDomainName in the Alias Target field.

How can I restrict access to certain registries?

By default all registries in the account and region will be made publicly available. To limit the number of publicly available repositores, attach a custom policy to the Lambda execution role (look for ${AWS::StackName}-LambdaRole-*). The following policy will restrict public access to the myapp repository (make sure you replace the variables with your region and account id).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage"
            ],
            "NotResource": [
                "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/myapp"
            ],
            "Effect": "Deny"
        }
    ]
}

Develop

npm install --global cfn-include
make build
make test  # create/update CloudFormation stack
make clean # delete CloudFormation stack

In the works

  • Cross-account and cross-region access to registries
  • Tag-based permissions
  • Implement additional endpoints for listing images and tags

More Repositories

1

cfn-include

Preprocessor for CloudFormation templates with support for loops and flexible include statements
JavaScript
85
star
2

node-pbac

Policy Based Access Control
JavaScript
49
star
3

p5-moosex-dbic

Moose result class for DBIx::Class
Perl
7
star
4

js-ext.ux.raphael

Raphaël extension for ExtJS
JavaScript
6
star
5

catalystx-extjs

Perl
5
star
6

p5-plack-middleware-assets

Concatenate and minify JavaScript and CSS files
Perl
5
star
7

p5-elasticsearch-model

Extensible and flexible model for ElasticSearch based on Moose
Perl
5
star
8

Devel-IntelliPerl

autocompletion for perl
Perl
5
star
9

html-formfu-extjs

JavaScript
4
star
10

aws4-proxy

Fast, low-footprint aws4 signing proxy with WebSocket support
TypeScript
4
star
11

p5-pod-browser

Pod::Browser - Browse PODs via an AJAX web app
Perl
4
star
12

Catalyst-Controller-POD

Catalyst::Controller::POD
JavaScript
4
star
13

DBIx-Class-PhoneticSearch

DBIx::Class::PhoneticSearch
Perl
3
star
14

p5-moosex-attribute-deflator

Deflates Moose attributes to a string
Perl
3
star
15

DBIx-Class-BitField

DBIx::Class::BitField
Perl
3
star
16

p5-pad

JavaScript
3
star
17

MyAppGrowls

Use Growl and Log::Dispatch
Perl
3
star
18

p5-moosex-attribute-dependent

Restrict attributes based on values of other attributes
Perl
3
star
19

p5-bash-completion-plugins-cpanm

Bash completion for cpanm and cpanf
Perl
2
star
20

lambda-ip-ranges-diff

JavaScript
2
star
21

p5-moosex-chainedaccessors

Accessor class for chained accessors with Moose
Perl
2
star
22

MooseX-Traits-Attribute-MergeHashRef

Merging HashRef attribute
Perl
2
star
23

node-splitly

Split a stream on a new-line character and reassemble it into line-sized chunks. Zero dependencies with a focus on speed and simplicity.
TypeScript
1
star
24

Crypt-SaltedHash

Release history of Crypt-SaltedHash
Perl
1
star
25

p5-catalystx-test-recorder

Generate tests from HTTP requests
Perl
1
star
26

p5-text-filter-uri

Perl
1
star
27

DBIx-Class-Graph

Store, retrieve and modify a Graph object
Perl
1
star
28

JSCocoaTouch

1
star
29

business-invoice

Framework for creating and rendering invoices
Perl
1
star
30

p5-test-file-content

Tests files for their content based on their file extension
Perl
1
star
31

p5-log-dispatch-prowl

Object for logging to the iPhone
Perl
1
star
32

p5-net-bayeux-client

Client for the Bayeux protocol
1
star
33

p5-catalystx-extjs-rest

Feature-rich REST controller for use with ExtJS
Perl
1
star
34

monken.github.com

JavaScript
1
star
35

Algorithm-PageRank-XS

Release history of Algorithm-PageRank-XS
C
1
star
36

business-invoice-processor-latex

LaTeX processor for Business::Invoice
Perl
1
star
37

p5-moosex-types-elasticsearch

Useful types for ElasticSearch
Perl
1
star
38

p5-catalystx-controller-extjs-rest-simpleexcel

Serialize to Excel spreadsheets
Perl
1
star
39

p5-catalyst-authentication-store-proxy

Delegates authentication logic to the user object
Perl
1
star
40

p5-catalystx-extjs-direct

Enable Ext.Direct in Catalyst controllers
Perl
1
star