<@ULVA73B9P> I have my flow docker images stored i...
# ask-marvin
m
@Marvin I have my flow docker images stored in AWS ECR, and have a prefect docker worker running on an AWS EC2 instance. How can the prefect docker worker authenticate to AWS ECR?
m
thought for 65.3 seconds
Based on the research, I can provide you with a comprehensive solution for authenticating your Prefect Docker worker to AWS ECR. There are a few key steps to ensure proper authentication:

1. AWS CLI Configuration

First, ensure the EC2 instance running your Docker worker has the AWS CLI installed and configured. There are two main ways to handle authentication:

a) Using an IAM Role (Recommended):
- Attach an IAM role to your EC2 instance with the necessary ECR permissions
- At minimum, you need these permissions:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage"
            ],
            "Resource": "*"
        }
    ]
}
```

- You can use the AWS-managed policy `AmazonEC2ContainerRegistryReadOnly` for simple cases

b) Using AWS credentials directly:
- Configure AWS credentials using `aws configure`
- Store credentials in `~/.aws/credentials`

2. Docker Authentication

Once AWS is configured, you need to authenticate Docker with ECR. Add this command to your EC2 instance's startup script or run it before starting the Prefect worker:

```bash
aws ecr get-login-password --region YOUR_REGION | docker login --username AWS --password-stdin YOUR_ACCOUNT_ID.dkr.ecr.YOUR_REGION.amazonaws.com
```

Replace:
- `YOUR_REGION` with your AWS region (e.g., `us-east-1`)
- `YOUR_ACCOUNT_ID` with your AWS account ID

3. Automatic Token Refresh

ECR authentication tokens expire after 12 hours. You can create a simple script to refresh the authentication periodically:

```bash
#!/bin/bash
while true; do
    aws ecr get-login-password --region YOUR_REGION | docker login --username AWS --password-stdin YOUR_ACCOUNT_ID.dkr.ecr.YOUR_REGION.amazonaws.com
    # Sleep for 11 hours (refresh token before 12-hour expiration)
    sleep 39600
done
```

4. Starting the Worker

After authentication is set up, you can start your Prefect Docker worker as normal. The worker will now be able to pull images from ECR using the established authentication.

Best Practices:
1. Use IAM roles instead of hard-coded credentials whenever possible
2. Use the principle of least privilege - only grant the permissions needed for pulling images
3. Consider using AWS Systems Manager Parameter Store or Secrets Manager for managing any sensitive credentials
4. Monitor ECR authentication logs for any issues

Remember that the authentication needs to be renewed every 12 hours, so ensure your refresh mechanism is reliable if you're running long-term workloads.

Would you like me to provide more specific details about any of these aspects or help with troubleshooting specific issues?