@myaser
Last active January 26, 2020 12:20

# AWS ECR proxy

An nginx image configured to act as a proxy for an ECR repository. The container renews the AWS (ECR authorization) token every 6 hours.

## Configuration

### AWS credentials

Set the environment variables:

- AWS_KEY
- AWS_SECRET
- REGION

Alternatively, bind a volume containing an ini file with these values. By default the file is read from /root/.aws/config; you can customize the path by setting the environment variable

- AWS_CONFIG_FILE

### nginx security controls

Optionally, put nginx access-control directives (allow/deny rules) in a file and bind it into the container; the container will then configure nginx to use these directives. Point the container at the file with the environment variable

- SECURITY_CONTROL_CONFIGS

### Other configuration

- RENEW_TOKEN - optional, interval at which the token is renewed. Default 6h
- REGISTRY_ID - optional, used for cross-account access
Example compose file (3.7 format) that mounts the AWS ini file as a Docker secret and the access rules as a config:

```yaml
version: '3.7'
services:
  ecr-proxy:
    image: myaser/ecr-proxy:1.3.0
    ports:
      - published: 80
        target: 80
      - published: 443
        target: 443
    healthcheck:
      test: wget http://localhost/ping -q -O - || exit 1
      interval: 60s
      timeout: 5s
      retries: 2
      start_period: 60s
    secrets:
      - source: ecr_config_file
        target: config            # mounted at /run/secrets/config
        mode: 0600                # octal; a plain 600 would be read as decimal
    configs:
      - source: ecr_security_contorls
        target: /etc/nginx/security_controls
    environment:
      - AWS_CONFIG_FILE=/run/secrets/config
      - SECURITY_CONTROL_CONFIGS=/etc/nginx/security_controls
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
      resources:
        limits:
          cpus: '0.3'
          memory: 256M
        reservations:
          cpus: '0.05'
          memory: 32M
secrets:
  ecr_config_file:
    file: ./aws_config
configs:
  ecr_security_contorls:
    file: ./security_controls
```
./aws_config (placeholder values, replace with your own):

```ini
[default]
aws_access_key_id = my_aws_key
aws_secret_access_key = my_aws_secret
region = region
```
./security_controls (nginx allow/deny directives; only loopback and 10.0.0.0/16 may reach the proxy):

```nginx
allow 127.0.0.1;
allow 10.0.0.0/16;
deny all;
```
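As an added, stand-alone example that is not part of the gist, the following Python script checks the two files above the way an operator would before deploying: it validates the ini file the proxy reads (the three required keys are present and the file is not group/world readable, matching the 0600 secret mode) and evaluates the allow/deny rules against sample client addresses using the same first-match semantics as nginx's access module, including what happens when the trailing `deny all` is left out. All file contents and addresses are constructed here, and the helper names (`check_aws_config`, `parse_access_rules`, `client_allowed`) are my own, not part of the image.

```python
import configparser
import ipaddress
import os
import stat
import tempfile

# Constructed sample of the ./aws_config ini file (placeholder credentials, not real ones).
SAMPLE_AWS_CONFIG = """[default]
aws_access_key_id = my_aws_key
aws_secret_access_key = my_aws_secret
region = region
"""

# The ./security_controls file from the gist: loopback and one private /16, everything else denied.
SAMPLE_SECURITY_CONTROLS = """allow 127.0.0.1;
allow 10.0.0.0/16;
deny all;
"""

REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key", "region")


def write_temp_file(text, mode=0o600):
    """Write text to a temporary file with the given permission bits; returns its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def check_aws_config(path, profile="default"):
    """Return a list of problems with an AWS ini config file; an empty list means usable.

    Checks the three keys the proxy needs and that the file is not readable
    by other users (the compose file mounts it as a secret with mode 0600).
    """
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is group/world accessible (mode {mode:04o}), expected 0600")
    parser = configparser.ConfigParser()
    parser.read(path)
    if not parser.has_section(profile):
        problems.append(f"missing [{profile}] section")
        return problems
    for key in REQUIRED_KEYS:
        if not parser.get(profile, key, fallback="").strip():
            problems.append(f"[{profile}] is missing {key}")
    return problems


def parse_access_rules(text):
    """Parse nginx allow/deny directives into (action, network) pairs; 'all' becomes None."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, _, target = line.partition(" ")
        target = target.strip()
        if action not in ("allow", "deny") or not target:
            raise ValueError(f"unsupported directive: {raw!r}")
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules


def client_allowed(rules, client_ip):
    """Evaluate the rules the way ngx_http_access_module does.

    Rules are checked in order and the first match decides; a client that
    matches no rule is allowed, which is why the file must end with 'deny all'.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if network is None or (ip.version == network.version and ip in network):
            return action == "allow"
    return True


def demo():
    """Map constructed client addresses to the verdict the gist's rules give them."""
    rules = parse_access_rules(SAMPLE_SECURITY_CONTROLS)
    verdicts = {ip: client_allowed(rules, ip)
                for ip in ("127.0.0.1", "10.0.200.7", "10.1.0.1", "203.0.113.5")}
    # Without the trailing 'deny all' an unmatched client is allowed, so the
    # proxy (which holds the ECR credentials) would answer anyone who can reach it.
    open_rules = parse_access_rules("allow 127.0.0.1;\nallow 10.0.0.0/16;\n")
    verdicts["203.0.113.5 without deny all"] = client_allowed(open_rules, "203.0.113.5")
    return verdicts


if __name__ == "__main__":
    for ip, allowed in demo().items():
        print(f"{ip:35} {'allow' if allowed else 'deny'}")
    path = write_temp_file(SAMPLE_AWS_CONFIG, 0o644)  # deliberately too permissive
    print(check_aws_config(path))
    os.unlink(path)
```

Run it as `python3 check_proxy_config.py`; the last line of output shows the permission complaint you would get for a world-readable credentials file, and the verdict table shows that 10.1.0.1 is denied because the rule covers only 10.0.0.0/16, not all of 10.0.0.0/8.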