aws fargate and private container repository - aws-fargate

Does AWS Fargate support pulling images from private container registry yet?
As of now, I'm pushing all the images up to dkr.ecr and can't find any documentation around support for private repos.

Yes, as of September 10, 2018. The key is to store your private registry credentials in AWS Secrets Manager and provide the ARN as a container level parameter while registering your task definition.
You can now authenticate container images from any private registry to run tasks with AWS Fargate.
Previously, if you wanted to run Amazon Elastic Container Service (Amazon ECS) tasks that used images from a private registry, you were restricted to the EC2 launch type configuration. This is because with EC2 launch type, you could authenticate the underlying instance to a private registry by modifying your instance's environment variables. Since Fargate allows you to run containers without having to manage underlying EC2 instances, you couldn't authenticate these instances to any private registry except Amazon Elastic Container Registry (Amazon ECR).
Now, you can use any private registry of your choice with Fargate or EC2 launch types. You will first store your private registry credentials in AWS Secrets Manager. You will then provide the secret-manager ARN or the secret name as container level parameter while registering your task definition. To learn more about how you can use private registries with AWS Fargate, read our documentation or check out our blog.
Please visit the AWS region table to see all AWS regions where AWS Fargate is available.
AWS Fargate Now Supports Private Registry Authentication
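The two pieces the answer above describes, as an added example that is not part of the original post or of any AWS sample: the Secrets Manager secret value in the shape ECS expects (a JSON object with `username` and `password` keys), a Fargate task definition that references the secret through `repositoryCredentials.credentialsParameter`, and a least-privilege policy for the task execution role, which is the role the ECS agent uses to read the secret and pull the image. It also includes an offline check for the two mistakes that most often make the pull fail or over-grant: an execution role that cannot read the referenced secret, or one that can read every secret. Account id, region, secret name, role name and image are constructed placeholders; the check assumes the secret is created in the task's own region.

```python
"""Fargate task definition that pulls from a private registry with
credentials stored in Secrets Manager, plus an offline consistency check.
Added example, not from the original post. All ARNs are constructed
placeholders."""
import json
import re

# Constructed placeholders (not real resources).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:my-registry-creds-AbCdEf"
EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ecsTaskExecutionRole"

SECRET_ARN_RE = re.compile(r"^arn:aws:secretsmanager:([a-z0-9-]+):(\d{12}):secret:.+$")


def registry_secret_value(username: str, password: str) -> str:
    """Secret string in the shape ECS expects for repository credentials:
    a JSON object with 'username' and 'password' keys."""
    return json.dumps({"username": username, "password": password})


def task_definition(image: str, secret_arn: str = SECRET_ARN) -> dict:
    """Fargate task definition whose container image is pulled using the
    credentials held in the given Secrets Manager secret."""
    return {
        "family": "private-registry-demo",
        "networkMode": "awsvpc",
        "requiresCompatibilities": ["FARGATE"],
        "cpu": "256",
        "memory": "512",
        # The *execution* role (not the task role) fetches the secret and
        # pulls the image, so it is the one that needs GetSecretValue.
        "executionRoleArn": EXEC_ROLE_ARN,
        "containerDefinitions": [
            {
                "name": "app",
                "image": image,
                "essential": True,
                "repositoryCredentials": {"credentialsParameter": secret_arn},
            }
        ],
    }


def execution_role_policy(secret_arns: list) -> dict:
    """Inline policy for the execution role scoped to exactly the registry
    secrets the task definition references."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": sorted(secret_arns),
            }
        ],
    }


def check_private_registry_config(task_def: dict, policy: dict, region: str = REGION) -> list:
    """Return human-readable findings: things that would make the image pull
    fail, or that grant the execution role more than it needs."""
    findings = []
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "secretsmanager:GetSecretValue" in actions or "secretsmanager:*" in actions:
            res = stmt.get("Resource", [])
            allowed.update([res] if isinstance(res, str) else res)
    if not task_def.get("executionRoleArn"):
        findings.append("task definition has no executionRoleArn; private registry pulls need one")
    for c in task_def.get("containerDefinitions", []):
        creds = c.get("repositoryCredentials", {}).get("credentialsParameter")
        if not creds:
            continue
        m = SECRET_ARN_RE.match(creds)
        if not m:
            findings.append(f"{c['name']}: use the full secret ARN so region and policy can be matched")
            continue
        if m.group(1) != region:  # this checker assumes a same-region secret
            findings.append(f"{c['name']}: secret is in {m.group(1)} but the task runs in {region}")
        if creds not in allowed and "*" not in allowed:
            findings.append(f"{c['name']}: execution role cannot GetSecretValue on {creds}")
    if "*" in allowed:
        findings.append("execution role may read every secret in the account; scope Resource to the registry secret")
    return findings


if __name__ == "__main__":
    td = task_definition("registry.example.com/team/app:1.0")
    print(json.dumps(td, indent=2))  # feed to: aws ecs register-task-definition --cli-input-json file://td.json
    print(check_private_registry_config(td, execution_role_policy([SECRET_ARN])))
```

The printed task definition can be saved to a file and registered with `aws ecs register-task-definition --cli-input-json file://td.json`; the policy dict is what you attach to the execution role. If `check_private_registry_config` returns an empty list the pull should succeed, and a non-empty list names the container and the reason before you spend time reading stopped-task errors.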

Related

Override AWS SDK Endpoint for AWS Step Functions Local

I want to test my AWS Step Function state machine with AWS Step Functions Local (https://docs.aws.amazon.com/step-functions/latest/dg/sfn-local.html), where I mock specific AWS Service operations via a faked HTTP Server as endpoint.
AWS Step Functions Local in general works just fine; I can create & start the state machine successfully.
But I use some (Service-)Tasks that utilise the generic AWS SDK Client (e.g. CodeCommit) rather than "optimised" Tasks (e.g. DynamoDB).
The endpoints for the latter can be overridden, e.g. by Environment Variables for docker (see https://docs.aws.amazon.com/step-functions/latest/dg/sfn-local-config-options.html).
But I see no option to override the "generic" AWS SDK endpoint, thus AWS Step Functions Local uses the actual AWS Endpoints (https://{service}.{region}.amazonaws.com), which is not what I want.
Does anyone know if this can be achieved in some way?
Or, if not, maybe this feature can be requested somehow?
Cheers!

How to use Watchtower with ECS Fargate?

I'm trying to use watchtower on ECS Fargate. But the documentation says watchtower must bind to /var/run/docker.sock. But AFAIK ECS Fargate doesn't support that.
Is there a way to use watchtower with AWS Fargate?
You can't map the Docker socket in Fargate. You need to build a simple Pipeline that checks for new container images and redeploy an ECS/Fargate service when it detects a new image.
This is a good blog post if you want to go down this route.

Spinnaker AWS Provider not allowing create cluster

Deployed Spinnaker in AWS to run a test in the same account. However, I am unable to configure server groups. If I click create, the task is queued with the account configured via hal on the CLI. Any way to troubleshoot this? The logs are looking light.
Storage backend needs to be configured correctly.
https://www.spinnaker.io/setup/install/storage/

How To Deploy AWS CloudFormation Template Across Region?

I was trying to deploy AWS services using CloudFormation. I was successful with deployment for a particular region. Now I want to deploy some AWS services in different regions. For example, I have EC2, Lambda and S3 for deployment, and I have to deploy EC2 and Lambda in the us-west region and S3 in the EU-East and US-WEST regions.
Is this possible with one template?
I went through AWS StackSets, but I think this will deploy all AWS services to all mentioned regions. I want to have some AWS services in some regions and some in only one specific region.
Assuming you're using the CLI, your best option is to have multiple profiles configured and then perform two deployments with different profiles for each deployment. Secondarily, you can use parameters as input to your template and use a conditional statement to deploy different resources based on the region you're targeting. Relevant links -
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/parameters-section-structure.html
https://forums.aws.amazon.com/thread.jspa?threadID=162459
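The conditional approach from the answer above, as an added example that is not part of the original answer: one template whose resources carry `Condition` attributes derived from `AWS::Region` and a parameter, deployed once per region with the same file (`aws cloudformation deploy --region us-west-2 ...`, then `--region eu-west-1 ...`). Because you cannot see which branch a condition takes until the stack runs, the block also includes a small offline evaluator for the intrinsic functions the template uses (`Ref`, `Condition`, `Fn::Equals`, `Fn::And`, `Fn::Or`, `Fn::Not`) so you can list, per region, which resources would be created before deploying. Region names `us-west-2` and `eu-west-1` and the resource properties are assumptions and placeholders.

```python
"""CloudFormation template gated by region conditions, plus an offline
evaluator that lists which resources a given region would create.
Added example, not from the original answer; region names and resource
properties are placeholders."""


def template() -> dict:
    """Compute (EC2 + Lambda) only in us-west-2, a bucket in both regions.
    Properties are abbreviated placeholders, not a deployable spec."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            "DeployCompute": {"Type": "String", "Default": "true",
                              "AllowedValues": ["true", "false"]},
        },
        "Conditions": {
            "InUsWest": {"Fn::Equals": [{"Ref": "AWS::Region"}, "us-west-2"]},
            "InEuWest": {"Fn::Equals": [{"Ref": "AWS::Region"}, "eu-west-1"]},
            "ComputeWanted": {"Fn::And": [
                {"Condition": "InUsWest"},
                {"Fn::Equals": [{"Ref": "DeployCompute"}, "true"]},
            ]},
            "BucketWanted": {"Fn::Or": [{"Condition": "InUsWest"}, {"Condition": "InEuWest"}]},
        },
        "Resources": {
            "AppInstance": {"Type": "AWS::EC2::Instance", "Condition": "ComputeWanted",
                            "Properties": {"ImageId": "ami-PLACEHOLDER", "InstanceType": "t3.micro"}},
            "AppFunction": {"Type": "AWS::Lambda::Function", "Condition": "ComputeWanted",
                            "Properties": {"Runtime": "python3.12", "Handler": "app.handler",
                                           "Role": "arn:aws:iam::123456789012:role/PLACEHOLDER",
                                           "Code": {"ZipFile": "def handler(e, c): return 'ok'"}}},
            "DataBucket": {"Type": "AWS::S3::Bucket", "Condition": "BucketWanted", "Properties": {}},
        },
    }


def evaluate(node, ctx: dict, conditions: dict):
    """Evaluate the subset of intrinsic functions used in Conditions.
    ctx maps pseudo-parameter and parameter names to their values."""
    if isinstance(node, dict) and len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref":
            return ctx[arg]
        if key == "Condition":
            return evaluate(conditions[arg], ctx, conditions)
        if key == "Fn::Equals":
            left, right = (evaluate(x, ctx, conditions) for x in arg)
            return left == right
        if key == "Fn::And":
            return all(evaluate(x, ctx, conditions) for x in arg)
        if key == "Fn::Or":
            return any(evaluate(x, ctx, conditions) for x in arg)
        if key == "Fn::Not":
            return not evaluate(arg[0], ctx, conditions)
    return node  # literal string/number


def resources_for_region(tpl: dict, region: str, params: dict = None) -> list:
    """Sorted logical ids of resources the template would create in `region`
    with the given parameter overrides (defaults otherwise)."""
    ctx = {"AWS::Region": region}
    for name, spec in tpl.get("Parameters", {}).items():
        ctx[name] = (params or {}).get(name, spec.get("Default"))
    conds = tpl.get("Conditions", {})
    return sorted(
        name for name, res in tpl["Resources"].items()
        if "Condition" not in res or evaluate(conds[res["Condition"]], ctx, conds)
    )


if __name__ == "__main__":
    for r in ("us-west-2", "eu-west-1", "us-east-1"):
        print(r, resources_for_region(template(), r))
```

Running the script prints `us-west-2` with all three resources, `eu-west-1` with only `DataBucket`, and `us-east-1` with nothing, which is the split the question asks for without StackSets deploying every resource everywhere.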

Retrieve application config from secure location during task start

I want to make sure I'm not storing sensitive keys and credentials in source or in docker images. Specifically I'd like to store my MySQL RDS application credentials and copy them when the container/task starts. The documentation provides an example of retrieving the ecs.config file from s3 and I'd like to do something similar.
I'm using the Amazon ECS optimized AMI with an auto scaling group that registers with my ECS cluster. I'm using the ghost docker image without any customization. Is there a way to configure what I'm trying to do?
You can define a volume on the host and map it to the container with Read only privileges.
Please refer to the following documentation for configuring ECS volume for an ECS task.
http://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_data_volumes.html
Even though the container does not have the config at build time, it will read the configs as if they are available in its own file system.
There are many ways to secure the config on the host OS.
In my past projects, I have achieved the same by disabling ssh into the host and injecting the config at boot-up using cloud-init.
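The host-volume pattern from the answer above, as an added example that is not part of the original answer: a task definition that bind-mounts a host directory into the container read-only, a cloud-init user-data fragment that writes the credentials file there at boot with mode 0600, and a check that flags any host-backed mount left writable (a writable mount lets a compromised container alter the host's copy, which the next task would then trust). Paths, the volume name and the database values are constructed placeholders. One caveat the answer does not state: instance user-data is readable from the instance metadata service by any process on the host, so the user-data should fetch the secret from a secrets store at boot rather than carry it inline; the function takes the values as parameters only so the example runs offline.

```python
"""Read-only host volume for application credentials on an ECS task, with
a cloud-init fragment that stages the file and a check for writable
host mounts. Added example, not from the original answer; paths and
values are constructed placeholders."""
import json

HOST_CONFIG_DIR = "/opt/app-config"             # constructed placeholder
CONTAINER_CONFIG_DIR = "/var/lib/app/config"    # constructed placeholder


def cloud_init_user_data(db_host: str, db_user: str, db_password: str) -> str:
    """#cloud-config document that writes the credentials file root-owned
    and 0600 before the ECS agent launches any task. Inline values are for
    the offline example only; prefer fetching them from a secrets store."""
    config = json.dumps({"host": db_host, "user": db_user, "password": db_password})
    return (
        "#cloud-config\n"
        "write_files:\n"
        f"  - path: {HOST_CONFIG_DIR}/db.json\n"
        "    owner: root:root\n"
        "    permissions: '0600'\n"
        f"    content: '{config}'\n"
    )


def task_definition_with_readonly_config(image: str) -> dict:
    """Task definition mapping the host directory into the container
    read-only; the container sees the file as part of its own filesystem."""
    return {
        "family": "app-readonly-config",
        "volumes": [{"name": "app-config", "host": {"sourcePath": HOST_CONFIG_DIR}}],
        "containerDefinitions": [
            {
                "name": "app",
                "image": image,
                "essential": True,
                "mountPoints": [
                    {"sourceVolume": "app-config",
                     "containerPath": CONTAINER_CONFIG_DIR,
                     "readOnly": True}
                ],
            }
        ],
    }


def writable_host_mounts(task_def: dict) -> list:
    """(container, containerPath) pairs where a host-backed volume is mounted
    without readOnly. An empty list is the expected result for this pattern."""
    host_volumes = {
        v["name"] for v in task_def.get("volumes", [])
        if v.get("host", {}).get("sourcePath")
    }
    bad = []
    for c in task_def.get("containerDefinitions", []):
        for mp in c.get("mountPoints", []):
            if mp.get("sourceVolume") in host_volumes and not mp.get("readOnly", False):
                bad.append((c["name"], mp["containerPath"]))
    return bad


if __name__ == "__main__":
    td = task_definition_with_readonly_config("ghost:latest")
    print(json.dumps(td, indent=2))
    print("writable host mounts:", writable_host_mounts(td))
    print(cloud_init_user_data("db.example.internal", "ghost", "PLACEHOLDER"))
```

`writable_host_mounts` is worth running over every task definition in the cluster, not just this one: `readOnly` defaults to false, so a mount point that omits it silently gives the container write access to the host path.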