CreatePullThroughCacheRule - Amazon Elastic Container Registry
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

CreatePullThroughCacheRule

Creates a pull through cache rule. A pull through cache rule provides a way to cache images from an upstream registry source in your Amazon ECR private registry. For more information, see Using pull through cache rules in the Amazon Elastic Container Registry User Guide.

Request Syntax

{ "credentialArn": "string", "ecrRepositoryPrefix": "string", "registryId": "string", "upstreamRegistry": "string", "upstreamRegistryUrl": "string" }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

credentialArn

The Amazon Resource Name (ARN) of the Amazon Secrets Manager secret that identifies the credentials to authenticate to the upstream registry.

Type: String

Length Constraints: Minimum length of 50. Maximum length of 612.

Pattern: ^arn:aws:secretsmanager:[a-zA-Z0-9-:]+:secret:ecr\-pullthroughcache\/[a-zA-Z0-9\/_+=.@-]+$

Required: No

ecrRepositoryPrefix

The repository name prefix to use when caching images from the source registry.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 30.

Pattern: (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*

Required: Yes

registryId

The Amazon account ID associated with the registry to create the pull through cache rule for. If you do not specify a registry, the default registry is assumed.

Type: String

Pattern: [0-9]{12}

Required: No

upstreamRegistry

The name of the upstream registry.

Type: String

Valid Values: ecr-public | quay | k8s | docker-hub | github-container-registry | azure-container-registry | gitlab-container-registry

Required: No

upstreamRegistryUrl

The registry URL of the upstream public registry to use as the source for the pull through cache rule. The following is the syntax to use for each supported upstream registry.

  • Amazon ECR Public (ecr-public) - public.ecr.aws

  • Docker Hub (docker-hub) - registry-1.docker.io

  • Quay (quay) - quay.io

  • Kubernetes (k8s) - registry.k8s.io

  • GitHub Container Registry (github-container-registry) - ghcr.io

  • Microsoft Azure Container Registry (azure-container-registry) - <custom>.azurecr.io

Type: String

Required: Yes

Response Syntax

{ "createdAt": number, "credentialArn": "string", "ecrRepositoryPrefix": "string", "registryId": "string", "upstreamRegistry": "string", "upstreamRegistryUrl": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

createdAt

The date and time, in JavaScript date format, when the pull through cache rule was created.

Type: Timestamp

credentialArn

The Amazon Resource Name (ARN) of the Amazon Secrets Manager secret associated with the pull through cache rule.

Type: String

Length Constraints: Minimum length of 50. Maximum length of 612.

Pattern: ^arn:aws:secretsmanager:[a-zA-Z0-9-:]+:secret:ecr\-pullthroughcache\/[a-zA-Z0-9\/_+=.@-]+$

ecrRepositoryPrefix

The Amazon ECR repository prefix associated with the pull through cache rule.

Type: String

Length Constraints: Minimum length of 2. Maximum length of 30.

Pattern: (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*

registryId

The registry ID associated with the request.

Type: String

Pattern: [0-9]{12}

upstreamRegistry

The name of the upstream registry associated with the pull through cache rule.

Type: String

Valid Values: ecr-public | quay | k8s | docker-hub | github-container-registry | azure-container-registry | gitlab-container-registry

upstreamRegistryUrl

The upstream registry URL associated with the pull through cache rule.

Type: String

Errors

For information about the errors that are common to all actions, see Common Errors.

InvalidParameterException

The specified parameter is invalid. Review the available parameters for the API request.

HTTP Status Code: 400

LimitExceededException

The operation did not succeed because it would have exceeded a service limit for your account. For more information, see Amazon ECR service quotas in the Amazon Elastic Container Registry User Guide.

HTTP Status Code: 400

PullThroughCacheRuleAlreadyExistsException

A pull through cache rule with these settings already exists for the private registry.

HTTP Status Code: 400

SecretNotFoundException

The ARN of the secret specified in the pull through cache rule was not found. Update the pull through cache rule with a valid secret ARN and try again.

HTTP Status Code: 400

ServerException

These errors are usually caused by a server-side issue.

HTTP Status Code: 500

UnableToAccessSecretException

The secret is unable to be accessed. Verify the resource permissions for the secret and try again.

HTTP Status Code: 400

UnableToDecryptSecretValueException

The secret is accessible but is unable to be decrypted. Verify the resource permisisons and try again.

HTTP Status Code: 400

UnsupportedUpstreamRegistryException

The specified upstream registry isn't supported.

HTTP Status Code: 400

ValidationException

There was an exception validating this request.

HTTP Status Code: 400

Examples

In the following example or examples, the Authorization header contents (AUTHPARAMS) must be replaced with an Amazon Signature Version 4 signature. For more information about creating these signatures, see Signature Version 4 Signing Process in the Amazon General Reference.

You only need to learn how to sign HTTP requests if you intend to manually create them. When you use the Amazon Command Line Interface (Amazon CLI) or one of the Amazon SDKs to make requests to Amazon, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.

Example

This example creates a pull through cache rule for Docker Hub in the default registry for an account.

Sample Request

POST / HTTP/1.1 Host: api.ecr.us-west-2.amazonaws.com Accept-Encoding: identity X-Amz-Target: AmazonEC2ContainerRegistry_V20150921.CreatePullThroughCacheRule Content-Type: application/x-amz-json-1.1 User-Agent: aws-cli/2.13.22 Python/3.11.5 Darwin/16.7.0 botocore/1.12.180 X-Amz-Date: 20231003T155747Z Authorization: AUTHPARAMS Content-Length: 268 { "ecrRepositoryPrefix":"docker_hub", "upstreamRegistryUrl":"registry-1.docker.io", "credentialArn":"arn:aws:secretsmanager:us-west-2:012345678910:secret:ECRPTCDockerHub-EXAMPLE" }

Sample Response

HTTP/1.1 200 OK x-amzn-RequestId: 123a4b56-7c89-01d2-3ef4-example5678f Content-Type: application/x-amz-json-1.1 Content-Length: 180 Connection: keep-alive { "ecrRepositoryPrefix": "docker_hub", "upstreamRegistryUrl": "registry-1.docker.io", "createdAt": "2023-10-03T15:57:48.411000+00:00", "registryId": "012345678910", "upstreamRegistry": "docker-hub", "credentialArn": "arn:aws:secretsmanager:us-west-2:012345678910:secret:ECRPTCDockerHub-EXAMPLE" }

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: