AWS::ECR::Repository
The AWS::ECR::Repository resource specifies an Amazon Elastic Container Registry (Amazon ECR) repository, where users can push and pull Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts. For more information, see Amazon ECR private repositories in the Amazon ECR User Guide.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::ECR::Repository",
  "Properties" : {
      "EmptyOnDelete" : Boolean,
      "EncryptionConfiguration" : EncryptionConfiguration,
      "ImageScanningConfiguration" : ImageScanningConfiguration,
      "ImageTagMutability" : String,
      "LifecyclePolicy" : LifecyclePolicy,
      "RepositoryName" : String,
      "RepositoryPolicyText" : Json,
      "Tags" : [ Tag, ... ]
    }
}
YAML
Type: AWS::ECR::Repository
Properties:
  EmptyOnDelete: Boolean
  EncryptionConfiguration:
    EncryptionConfiguration
  ImageScanningConfiguration:
    ImageScanningConfiguration
  ImageTagMutability: String
  LifecyclePolicy:
    LifecyclePolicy
  RepositoryName: String
  RepositoryPolicyText: Json
  Tags:
    - Tag
Properties
EmptyOnDelete
-
If true, deleting the repository force deletes the contents of the repository. If false, the repository must be empty before attempting to delete it.
Required: No
Type: Boolean
Update requires: No interruption
EncryptionConfiguration
-
The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
Required: No
Type: EncryptionConfiguration
Update requires: Replacement
ImageScanningConfiguration
-
The image scanning configuration for the repository. This determines whether images are scanned for known vulnerabilities after being pushed to the repository.
Required: No
Type: ImageScanningConfiguration
Update requires: No interruption
ImageTagMutability
-
The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten. If IMMUTABLE is specified, all image tags within the repository will be immutable which will prevent them from being overwritten.
Required: No
Type: String
Allowed values: MUTABLE | IMMUTABLE
Update requires: No interruption
LifecyclePolicy
-
Creates or updates a lifecycle policy. For information about lifecycle policy syntax, see Lifecycle policy template.
Required: No
Type: LifecyclePolicy
Update requires: No interruption
RepositoryName
-
The name to use for the repository. The repository name may be specified on its own (such as nginx-web-app) or it can be prepended with a namespace to group the repository into a category (such as project-a/nginx-web-app). If you don't specify a name, Amazon CloudFormation generates a unique physical ID and uses that ID for the repository name. For more information, see Name type.
The repository name must start with a letter and can only contain lowercase letters, numbers, hyphens, underscores, and forward slashes.
Note
If you specify a name, you cannot perform updates that require replacement of this resource. You can perform updates that require no or some interruption. If you must replace the resource, specify a new name.
Required: No
Type: String
Pattern: ^(?=.{2,256}$)((?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*)$
Minimum: 2
Maximum: 256
Update requires: Replacement
RepositoryPolicyText
-
The JSON repository policy text to apply to the repository. For more information, see Amazon ECR repository policies in the Amazon Elastic Container Registry User Guide.
Required: No
Type: Json
Minimum: 0
Maximum: 10240
Update requires: No interruption
Tags
-
An array of key-value pairs to apply to this resource.
Required: No
Type: Array of Tag
Maximum: 50
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name, such as test-repository.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Arn
-
Returns the Amazon Resource Name (ARN) for the specified AWS::ECR::Repository resource. For example, arn:aws:ecr:eu-west-1:123456789012:repository/test-repository.
RepositoryUri
-
Returns the URI for the specified AWS::ECR::Repository resource. For example, 123456789012.dkr.ecr.us-west-2.amazonaws.com/repository.
Examples
Specify a repository
The following example specifies a repository named test-repository. Its policy permits the users Bob and Alice to push and pull images. Note that the IAM users actually need to exist, or stack creation will fail.
JSON
"MyRepository": {
  "Type": "AWS::ECR::Repository",
  "Properties": {
    "RepositoryName" : "test-repository",
    "RepositoryPolicyText" : {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowPushPull",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::123456789012:user/Bob",
              "arn:aws:iam::123456789012:user/Alice"
            ]
          },
          "Action": [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability",
            "ecr:PutImage",
            "ecr:InitiateLayerUpload",
            "ecr:UploadLayerPart",
            "ecr:CompleteLayerUpload"
          ]
        }
      ]
    }
  }
}
YAML
MyRepository:
  Type: AWS::ECR::Repository
  Properties:
    RepositoryName: "test-repository"
    RepositoryPolicyText:
      Version: "2012-10-17"
      Statement:
        - Sid: AllowPushPull
          Effect: Allow
          Principal:
            AWS:
              - "arn:aws:iam::123456789012:user/Bob"
              - "arn:aws:iam::123456789012:user/Alice"
          Action:
            - "ecr:GetDownloadUrlForLayer"
            - "ecr:BatchGetImage"
            - "ecr:BatchCheckLayerAvailability"
            - "ecr:PutImage"
            - "ecr:InitiateLayerUpload"
            - "ecr:UploadLayerPart"
            - "ecr:CompleteLayerUpload"
Specify a repository with an image scanning configuration
The following example creates a repository named test-repository with image scanning enabled. For more information on image scanning, see Image scanning in the Amazon ECR User Guide.
JSON
"MyRepository": {
  "Type": "AWS::ECR::Repository",
  "Properties": {
    "RepositoryName" : "test-repository",
    "ImageScanningConfiguration" : {
      "ScanOnPush": true
    }
  }
}
YAML
MyRepository:
  Type: AWS::ECR::Repository
  Properties:
    RepositoryName: "test-repository"
    ImageScanningConfiguration:
      ScanOnPush: true
Specify a repository with a lifecycle policy
The following example creates a repository with a lifecycle policy.
JSON
{
  "Parameters": {
    "lifecyclePolicyText": {
      "Type": "String"
    },
    "repositoryName": {
      "Type": "String"
    },
    "registryId": {
      "Type": "String"
    }
  },
  "Resources": {
    "MyRepository": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "LifecyclePolicy": {
          "LifecyclePolicyText": {
            "Ref": "lifecyclePolicyText"
          },
          "RegistryId": {
            "Ref": "registryId"
          }
        },
        "RepositoryName": {
          "Ref": "repositoryName"
        }
      }
    }
  },
  "Outputs": {
    "Arn": {
      "Value": {
        "Fn::GetAtt": [
          "MyRepository",
          "Arn"
        ]
      }
    }
  }
}
YAML
Parameters:
  lifecyclePolicyText:
    Type: String
  repositoryName:
    Type: String
  registryId:
    Type: String
Resources:
  MyRepository:
    Type: AWS::ECR::Repository
    Properties:
      LifecyclePolicy:
        LifecyclePolicyText: !Ref lifecyclePolicyText
        RegistryId: !Ref registryId
      RepositoryName: !Ref repositoryName
Outputs:
  Arn:
    Value: !GetAtt MyRepository.Arn
See also
- Creating a lifecycle policy in the Amazon ECR User Guide
- PutLifecyclePolicy in the Amazon ECR API Reference