If you run an on-premises instance of ninkik and want to use Amazon Elastic Container Registry (ECR) to store and distribute your Docker images, you have to set up your AWS environment as described below.
In IAM, create a new user with read and write permissions for the previously created ECR repository.
Add the user's access key and secret access key as a profile in your ~/.aws/credentials file and test the login with:

```shell
aws --profile docker-user ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin 1666666666.dkr.ecr.eu-central-1.amazonaws.com
docker tag hello-world:latest 1666666666.dkr.ecr.eu-central-1.amazonaws.com/hello-world:latest
```
ninkik is informed of new images through an Amazon SQS queue to which ECR events are published.
The next step is to configure an EventBridge rule that sends ECR events to the previously created SQS queue, using the following event pattern. EventBridge can only deliver to the queue if the queue's access policy allows events.amazonaws.com to call sqs:SendMessage on it; the console adds that permission automatically when you create the rule there.

```json
{
  "account": [
    "166666666666"
  ],
  "detail-type": [
    "ECR Image Action"
  ],
  "detail": {
    "result": [
      "SUCCESS"
    ],
    "action-type": [
      "PUSH"
    ]
  }
}
```

This follows the ECR image-action event format documented by Amazon ECR. The account, result and action-type filters narrow it to successful pushes in your account, so failed pushes and image deletions never reach the queue.
To let ninkik read the queue's messages and pull the Docker images, go to IAM and create the following two policies: one granting read-only access to the ECR repositories under your tenant prefix, and one granting read access to the SQS queue. Replace ${YOUR_AWS_ACCOUNT_ID} and ${YOUR_NINKIK_TENANT_UUID} with your AWS account id and your ninkik tenant UUID.

The ECR read policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImageScanFindings",
        "ecr:GetDownloadUrlForLayer",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:ListTagsForResource",
        "ecr:ListImages"
      ],
      "Resource": "arn:aws:ecr:eu-central-1:${YOUR_AWS_ACCOUNT_ID}:repository/${YOUR_NINKIK_TENANT_UUID}/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
```
The SQS queue policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueUrl",
        "sqs:ReceiveMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:eu-central-1:${YOUR_AWS_ACCOUNT_ID}:ecr-docker-push"
    }
  ]
}
```
After that, attach both policies to your AWS ninkik user.
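The EventBridge pattern above and the tenant-scoped repository ARN in the ECR read policy together decide which pushes ninkik acts on. The Python below is an added illustration, not ninkik's own code: it reimplements the subset of EventBridge matching that the pattern uses and applies it, together with the tenant-prefix check the policy implies, to constructed SQS message bodies in the documented ECR Image Action shape. The tenant UUID, event ids and image digest are made-up values, and the account id is the page's placeholder.

```python
import json

# Event pattern from the EventBridge rule on this page; the account id is the
# page's placeholder value, not a real account.
ECR_PUSH_PATTERN = {
    "account": ["166666666666"],
    "detail-type": ["ECR Image Action"],
    "detail": {"result": ["SUCCESS"], "action-type": ["PUSH"]},
}

# Constructed tenant UUID standing in for ${YOUR_NINKIK_TENANT_UUID}.
TENANT_UUID = "11111111-2222-3333-4444-555555555555"


def matches_pattern(pattern, event):
    """Subset of EventBridge pattern matching used by the rule above.

    A list means "the field must equal one of these values", a nested dict
    means "descend into this object". A field missing from the event never
    matches, which is how EventBridge treats it as well.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"unsupported pattern value for {key!r}")
    return True


def parse_push_message(body, tenant_uuid=TENANT_UUID, region="eu-central-1"):
    """Validate one SQS message body as delivered by EventBridge.

    Returns (repository, tag, digest) for a successful push into one of the
    tenant's repositories, or None when the worker must ignore the message.
    The tenant-prefix check mirrors the repository ARN in the ECR read policy,
    so a message about another prefix is dropped before any ECR call is made.
    """
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or not matches_pattern(ECR_PUSH_PATTERN, event):
        return None
    if event.get("source") != "aws.ecr" or event.get("region") != region:
        return None
    detail = event["detail"]
    repo = detail.get("repository-name", "")
    digest = detail.get("image-digest", "")
    if not repo.startswith(tenant_uuid + "/") or not digest.startswith("sha256:"):
        return None
    return repo, detail.get("image-tag"), digest


def sample_event(repo, result="SUCCESS", action="PUSH", account="166666666666"):
    """Constructed ECR Image Action event in the documented shape (made-up ids)."""
    return json.dumps({
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000001",
        "detail-type": "ECR Image Action",
        "source": "aws.ecr",
        "account": account,
        "time": "2024-01-01T00:00:00Z",
        "region": "eu-central-1",
        "resources": [],
        "detail": {
            "result": result,
            "repository-name": repo,
            "image-digest": "sha256:" + "ab" * 32,
            "action-type": action,
            "image-tag": "latest",
        },
    })


def triage(messages):
    """Return only the (repo, tag, digest) tuples the worker should act on."""
    accepted = []
    for body in messages:
        parsed = parse_push_message(body)
        if parsed is not None:
            accepted.append(parsed)
    return accepted


if __name__ == "__main__":
    queue = [
        sample_event(f"{TENANT_UUID}/hello-world"),                          # acted on
        sample_event(f"{TENANT_UUID}/hello-world", result="FAILURE"),        # filtered by pattern
        sample_event(f"{TENANT_UUID}/hello-world", action="DELETE"),         # filtered by pattern
        sample_event("other-tenant/hello-world"),                            # outside tenant prefix
        sample_event(f"{TENANT_UUID}/hello-world", account="999999999999"),  # wrong account
    ]
    for item in triage(queue):
        print(item)
```

With the rule in place, the failed push, the deletion and the foreign-account event never reach the queue at all; the worker re-checks them anyway so that a misconfigured rule or a message injected by anything else allowed to write to the queue cannot make it fetch images it has no business with. The prefix check is the same boundary the ECR policy draws with its repository ARN, applied one step earlier.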