Creating an ECR repository
This document will guide you through the creation of an ECR (Elastic Container Registry) repository for your application’s container image.
Creating the registry
You need to have the Cloud Platform CLI tool installed.
Clone the environments repo and create a new branch
$ git clone email@example.com:ministryofjustice/cloud-platform-environments.git
$ cd cloud-platform-environments
$ git checkout -b add_ecr
Navigate to your namespace directory
$ cd namespaces/live-1.cloud-platform.service.justice.gov.uk/$your_service
Use the CLI tool to create your ECR
$ cloud-platform environment ecr create
This will create a resources/ecr.tf file in your namespace folder.
git add, commit and push to your branch
Raise a PR to have your change approved
Once your pull request has been approved and merged, it will trigger our build pipeline which will create your ECR.
For more information about the terraform module being used, please read the documentation here.
Accessing the credentials
After your ECR has been created, there will be a Kubernetes secret in your namespace, called ecr-repo-[your-namespace].
The secret stores the IAM access keys to authenticate with the registry, and the actual repository URL.
Use the Cloud Platform CLI to retrieve the credentials:
cloud-platform decode-secret -n <namespace_name> -s ecr-repo-[your-namespace]
Look for the
If you are using GitHub Actions for your deployment pipeline, the ECR module can automatically manage GitHub Actions Secrets containing the ECR name, and the AWS access/secret keypair required to access it.
In your resources/ecr.tf file, you should see this section:
# Uncomment and provide repository names to create github actions secrets
# containing the ECR name, AWS access key, and AWS secret key, for use in
# github actions CI/CD pipelines
# github_repositories = ["my-repo"]
To use this feature, uncomment the last line, and set the list of repositories in which you want the GitHub Actions Secrets to be created.
e.g. if you have two GitHub repositories in your project, called ministryofjustice/frontend and ministryofjustice/backend, you would change the last line to:
github_repositories = ["frontend", "backend"]
Once your PR is merged, those repositories should have secrets named:
ECR_AWS_SECRET_KEY. You can use these secrets in your GitHub Actions pipelines.
See the module documentation for more information.
Managing your ECR repository
There is a maximum number of images per repository for Amazon Elastic Container Registry (ECR). If a new image is created and pushed to ECR on every code change, repositories can quickly fill up with new revisions. So it is important to regularly delete images which are no longer required.
You can delete an image with the AWS CLI using this guide.
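One way to script the regular clean-up described above, shown as an added example that is not Cloud Platform code. It assumes the AWS CLI is configured with the IAM keys from the ecr-repo secret; the variables ECR_REPO, KEEP, PROTECTED (a file of digests that must never be deleted, such as those currently deployed) and DELETE are hypothetical names.

```shell
#!/bin/sh
# Added example: prune an ECR repository down to its newest images.
# ECR_REPO, KEEP, PROTECTED and DELETE are hypothetical variable names.

# Print one "pushedAt<TAB>digest" row per image in repository $1.
list_images() {
  aws ecr describe-images --repository-name "$1" \
    --query 'imageDetails[].[imagePushedAt,imageDigest]' --output text
}

# Read "pushedAt<TAB>digest" rows on stdin and print the digests to delete:
# everything except the newest $1 images, minus digests listed in file $2.
# Sorting happens here, not with sort_by in --query, because text output is
# queried one page at a time. Assumes timestamps share one format and offset
# so that they sort lexically.
select_stale() {
  LC_ALL=C sort | cut -f2 | awk -v keep="$1" -v pf="${2:-}" '
    BEGIN { if (pf != "") while ((getline l < pf) > 0) prot[l] = 1 }
    { d[NR] = $0 }
    END { for (i = 1; i <= NR - keep; i++) if (!(d[i] in prot)) print d[i] }'
}

# Dry run unless DELETE=1, so the list can be reviewed before anything goes.
prune_repo() {
  list_images "$1" | select_stale "$2" "${3:-}" | while read -r digest; do
    if [ "${DELETE:-0}" = "1" ]; then
      aws ecr batch-delete-image --repository-name "$1" \
        --image-ids "imageDigest=$digest"
    else
      echo "would delete $1@$digest"
    fi
  done
}

# Runs only when a repository name is supplied in the environment.
if [ -n "${ECR_REPO:-}" ]; then
  prune_repo "$ECR_REPO" "${KEEP:-20}" "${PROTECTED:-}"
fi
```

Deleting by digest rather than by tag removes the image itself, so a digest that a running deployment still references should be listed in the protected file.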
Setting up CircleCI
In your CircleCI project, go to the settings (the cog icon) and select ‘AWS Permissions’ from the left-hand menu. Fill in the IAM credentials from the Kubernetes secret, and CircleCI will be able to pull images from your ECR. For more information please see the official docs.