Authorize Uffizzi to Pull Container Images from ECR
To fetch container images from your private ECR repositories, Uffizzi requires an API access key for an IAM User within your AWS Account. It's a best practice to grant this user only the permissions required. This section will walk you through creating a new IAM User, granting it strict permissions, and creating an API access key.
The easiest way to create this user is to use the AWS Command Line Interface. Make sure you have installed and configured the `aws` command on your workstation or container, including setting the default region to match your ECR repositories.
Create a new IAM User within your AWS Account. If you get an error that it already exists, that's fine.
aws iam create-user --user-name uffizzi --output table
Attach an Amazon-managed policy to the new User. This grants permission only to list and read images.
aws iam attach-user-policy --user-name uffizzi --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
Create and obtain an API access key for this user. You'll need the output of this command soon.
aws iam create-access-key --user-name uffizzi --query "[join(' ', ['Access Key ID:', AccessKey.AccessKeyId]), join(' ', ['Secret Access Key:', AccessKey.SecretAccessKey])]" --output table
When you configure ECR within Uffizzi, you'll need those values.
Configure Webhooks for Automatic Deployments from Amazon ECR
After configuring your AWS Elastic Container Registry, you'll probably also want to enable automatic deployments when you push a new container image. This requires configuring AWS EventBridge to send Uffizzi notifications via "webhook" HTTP requests. This section will walk you through configuring these webhooks.
The easiest way to configure these webhooks is to use the AWS Command Line Interface. Make sure you have installed and configured the `aws` command on your workstation or container, including setting the default region to match your ECR repositories.
Download a shell script attached to this article to configure these webhooks for you:
Review the contents so you understand what you're executing. Then execute the script:
You should see output about the resources you've just created. If you see errors about resources already existing, that's fine; it means someone else has already configured them.
You should also see the EventBridge Rule and other resources within the AWS Console:
Removing Webhook Configuration
We've also provided a script to remove all of this configuration. Use this when you want to re-configure the webhooks or when you no longer require automatic deployment to Uffizzi.
Download the removal script:
Review the contents so you understand what you're executing. Then execute the removal script:
Removing IAM User
You can revoke Uffizzi's access to your ECR repositories by detaching the policy from the IAM User:
aws iam detach-user-policy --user-name uffizzi --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
If no longer needed, you can then delete the IAM User. You must first delete all of the user's API Access Keys.
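The removal order described above, as an added example that is not part of the original article: a shell function that deletes every access key, detaches any remaining managed policies, deletes the user, and then confirms it is gone. The function name `remove_registry_user` is hypothetical, and it assumes the user has only access keys and attached managed policies, as created earlier on this page.

```shell
#!/bin/sh
# Added example (not from the original article).
# Assumption: the IAM user has only access keys and attached managed
# policies (no inline policies, groups, MFA devices or login profile).

remove_registry_user() {
    user="$1"
    [ -n "$user" ] || { echo "usage: remove_registry_user USER" >&2; return 2; }

    # 1. Delete every access key so stored credentials stop working.
    keys=$(aws iam list-access-keys --user-name "$user" \
        --query 'AccessKeyMetadata[].AccessKeyId' --output text) || return 1
    for key in $keys; do
        [ "$key" = "None" ] && continue
        echo "deleting access key $key"
        aws iam delete-access-key --user-name "$user" \
            --access-key-id "$key" || return 1
    done

    # 2. Detach managed policies that are still attached.
    arns=$(aws iam list-attached-user-policies --user-name "$user" \
        --query 'AttachedPolicies[].PolicyArn' --output text) || return 1
    for arn in $arns; do
        [ "$arn" = "None" ] && continue
        echo "detaching $arn"
        aws iam detach-user-policy --user-name "$user" \
            --policy-arn "$arn" || return 1
    done

    # 3. Delete the user; IAM rejects this while keys or policies remain.
    aws iam delete-user --user-name "$user" || return 1

    # 4. Verify: get-user must now fail.
    if aws iam get-user --user-name "$user" >/dev/null 2>&1; then
        echo "user $user still exists" >&2
        return 1
    fi
    echo "user $user removed"
}

# Usage: remove_registry_user uffizzi
```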