Setup ECR & IAM Role

In this step, we prepare the AWS infrastructure required to store our container images. This involves verifying the initial state, creating a necessary IAM Role for ECR replication, and provisioning the repository.

1. Verify ECR State

First, verify the current state of the Private Registry. Initially, there are no repositories created.

Check Empty ECR

2. Create IAM Role for ECR

We need to create a Service-Linked Role that allows Amazon ECR to perform replication actions across regions and accounts.

  1. Navigate to IAM > Roles > Create role.
  2. Select trusted entity: Choose AWS service.
  3. Service or use case: Select Elastic Container Registry from the list.

Select Trusted Entity

  4. Use case: Select Elastic Container Registry - Replication to allow ECR to replicate images.

Select Use Case

  5. Add permissions: Confirm that the ECRReplicationServiceRolePolicy is attached. This managed policy grants the necessary permissions.

Verify Permissions

  6. Name, review, and create:
    • The role name is automatically set to AWSServiceRoleForECRReplication.
    • Review the configuration and create the role.

Review Role

  7. Result: The role is successfully created and listed in the IAM Roles dashboard.

IAM Role Created

3. Create ECR Repository

Now we create the repository to store the frontend image.

  1. Navigate to Amazon ECR > Create repository.
  2. General settings:
    • Repository name: band-up-frontend.
    • Visibility settings: Private.
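  3. Image tag settings: Keep Mutable enabled to allow overwriting image tags. With mutable tags, a tag such as v1.0.0 can later be pushed again and point to a different image; only the image digest identifies one specific build.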

Create Repository Settings

  4. Result: The band-up-frontend repository is successfully created with AES-256 encryption enabled by default.

Repository Created

4. Configure CLI Access

To push images from your local machine, you need programmatic access via the AWS CLI. We will generate an Access Key for your IAM User.

  1. Navigate to IAM Dashboard > Users > Select your user (e.g., NamDang).
  2. Open the Security credentials tab and click Create access key.
  3. Use case: Select Command Line Interface (CLI).
  4. Description tag: Enter a meaningful description (e.g., ECR Push Key) and click Create access key.
  5. Retrieve Keys: Important! Copy or download the Access Key ID and Secret Access Key immediately, as you cannot retrieve the Secret Key later.

Create Access Key Step 1 Select CLI Use Case Retrieve Access Keys

5. Configure AWS CLI

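Open your terminal and configure the AWS CLI with the credentials you just generated. The CLI saves them in plain text in ~/.aws/credentials, so keep that file readable only by your own user account.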

aws configure

Enter the following details when prompted:

  • AWS Access Key ID: [Paste your key]
  • AWS Secret Access Key: [Paste your secret]
  • Default region name: ap-southeast-1
  • Default output format: json

AWS CLI Configure

6. Push Image to ECR

Now that the CLI is configured, we can authenticate Docker and push our image.

Step 1: Log in to ECR

Run the login command to authenticate your Docker client with the AWS registry.

aws ecr get-login-password --region ap-southeast-1 | docker login --username AWS --password-stdin [Account-ID].dkr.ecr.ap-southeast-1.amazonaws.com

Output: Login Succeeded

CLI Login Success

Step 2: Tag the Image

We need to tag our local image band-up-frontend:latest with the full ECR repository URI and a version tag (e.g., v1.0.0).

docker tag band-up-frontend:latest [Account-ID].dkr.ecr.ap-southeast-1.amazonaws.com/band-up-frontend:v1.0.0

Tag Docker Image

Step 3: Push the Image

Execute the push command to upload the layers to AWS.

docker push [Account-ID].dkr.ecr.ap-southeast-1.amazonaws.com/band-up-frontend:v1.0.0

Push Image Process

7. Final Verification

Return to the Amazon ECR Console and open the band-up-frontend repository. You should see the image with the tag v1.0.0 listed successfully.

Verify Image in Console
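
The login, tag, push and verification steps from sections 6 and 7 can be run as one script. The following is an added example, not part of the original walkthrough: it validates the registry host before the login token is piped to docker, and prints the pushed image's digest reference. The function names are hypothetical and 123456789012 is a constructed sample account ID.

```bash
# Added example, not from the original page; function names are hypothetical.

# Build the private-registry host from its parts, rejecting anything that is
# not a 12-digit account ID plus a plain region name. This keeps a mangled
# value (extra URL text, another domain) from ever reaching docker login.
ecr_registry_host() {
  local account_id="$1" region="$2"
  case "$account_id" in
    *[!0-9]*|'') return 1 ;;
  esac
  [ "${#account_id}" -eq 12 ] || return 1
  case "$region" in
    *[!a-z0-9-]*|'') return 1 ;;
  esac
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$account_id" "$region"
}

# Full image URI: <host>/<repository>:<tag>
ecr_image_uri() {
  local host repo="$3" tag="$4"
  host="$(ecr_registry_host "$1" "$2")" || return 1
  printf '%s/%s:%s\n' "$host" "$repo" "$tag"
}

# Log in, tag <repo>:latest, push, then print the digest-pinned reference.
# Needs the aws and docker CLIs and the credentials set with aws configure.
push_to_ecr() {
  local region="$1" repo="$2" tag="$3" account_id host uri digest
  account_id="$(aws sts get-caller-identity --query Account --output text)" || return 1
  host="$(ecr_registry_host "$account_id" "$region")" || {
    echo "refusing to log in: malformed registry host" >&2; return 1; }
  uri="$host/$repo:$tag"
  aws ecr get-login-password --region "$region" |
    docker login --username AWS --password-stdin "$host" || return 1
  docker tag "$repo:latest" "$uri" || return 1
  docker push "$uri" || return 1
  # Ask ECR which digest the tag now points to (CLI form of the console check).
  digest="$(aws ecr describe-images --region "$region" --repository-name "$repo" \
    --image-ids imageTag="$tag" --query 'imageDetails[0].imageDigest' \
    --output text)" || return 1
  printf '%s/%s@%s\n' "$host" "$repo" "$digest"
}

# Usage: push_to_ecr ap-southeast-1 band-up-frontend v1.0.0
```

Because the repository uses mutable tags, the digest reference printed on the last line is the value to record if a deployment must always pull this exact image.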