ECR Credentials


Does the Rancher credentials updater work in 2.0? I am unable to get the container to launch.

Any help for any strategy to pull images from AWS ECR would be greatly appreciated. I have everything spun up and ready to go, this is my last hurdle to seeing our app running on this!!

Many thanks,

You don’t need that, kubernetes handles it

Disregard, it looks like I forgot to enable the AWS cloud provider on that test instance. Seems to be able to pull from ECR just fine.

I installed Rancher 2.0 today and created a cluster with a few nodes. The version of Kubelet is v1.10.1 and the document linked in @alex88's message specifies that Kubernetes handles it if Kubelet is v1.2.0 or newer. Did I miss something when I set up my nodes? Thank you.

Edit: Waiting fixed the issue. Woke up this morning and the docker image was successfully pulled and downloaded. Would love to know if there is a way to manually trigger the ECR authentication.

I have a local server where I run Rancher 2.0 now.
But I have images that are located in AWS ECR, so I would like to be able to pull the images out of the cloud.

The closest I found to deal with this was on this site:

but it would be very interesting if Rancher did this automatically for the user.


I have exactly the same problem. I have followed the link to that Docker rancher/rancher-ecr-credentials but I really don't understand how this would work.

So I can put the container on one of my Rancher nodes and start it, but I don't get which ENV variables you have to pass to the container on start.

I understand AWS_KEY and AWS_SECRET, which I have, but I don't get why I need this AWS_ROLE_ARN …

I mean, I have the KEY and the SECRET and normally this is enough to authenticate on all AWS services, so why do I need to provide that AWS_ROLE_ARN? Do I really need that? Also, why do I have to map /root/.aws to the container if I am already passing it KEY and SECRET via ENV variables?

This is really crap guys, how the hell is it possible that such an important thing as using AWS ECR is NOT integrated in Rancher 2.0? What the heck?

Could you please help me understand this?


You’re looking at a service for 1.x. Kubernetes has built-in support for ECR on clusters in AWS using the AWS cloud provider. For anything else, Amazon chooses to make their registry hard to use outside of their garden by requiring session tokens.

If you can’t be polite you will not be welcome here.


Hi Vincent,

My apologies. I have been rather under pressure lately and the last thing I was expecting was having trouble using one of the simplest services out there. I mean, ECR is probably one of the most used container registries in the world, how can it be so difficult to have it working?

Please take a look at my post … would you be able to help me? For our organization using AWS ECR is an absolute must.

Any help would be immensely appreciated.

Thanks in advance.

You can spin up a special container that handles the updates of your ECR session tokens:

Here is a version with some tweaks, too:
GitHub - sehucke/ecr-updater: Allows use of AWS ECR registries with Kubernetes no matter where your cluster is running. Minor tweaks aside, the most important change was to use a kubectl-proxy implementation that is more open sourced and has a credible author (Lachlan Evenson / lachie83 @ Github). But this is up to you. :)

See as well: How to refresh ECR credentials in a non-AWS Rancher 2.x installation · Issue #14907 · rancher/rancher · GitHub

The above mentioned solution works pretty well to keep your ECR login token valid. But currently there are some obstacles to work around to successfully deploy using your ECR registry.

  1. See Private registry not working → You have to manually alter the yaml file of your workloads to include this:

      imagePullSecrets:
      - name: myk8sregistrysecret

    And you have to do that every time you alter your workload.

    1. Configure a new workload to use your ECR registry and launch it.
    2. Edit your workload’s yaml definition and insert imagePullSecrets... at the correct line.
    3. Upgrade your workload with the new yaml definition.
  2. And a minor one: You have to specify the full URI to your ECR registry when you deploy a workload. It is not possible to choose a registry to pull from and just type myimage:stable as you are used to when pulling from Docker Hub.

AFAIK, the guys @ Rancher Labs are working on both topics (scheduled for v2.1.2 and v2.2). See @ Github: rancher/rancher/issues/15725, rancher/rancher/issues/13339 and rancher/rancher/issues/15554 (the Github issues got a bit confusing, though :) )

People are not inclined to be polite when rancher staff either ignore messages or take weeks/months to reply. If that’s how it works here, who in their right mind would PAY for support? Besides, the way your documentation sucks, getting angry customers is something you will have to get used to. If you don’t have the skills and patience to deal with that you are in the wrong place. #DontBeASnowflake

The ECR password for private repos changes every 12 hours. To update them I created a cronjob on the machine/vm running the Rancher server that runs the script described here:
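
A sketch of such a refresh job, added here as an example; it is not the script the post above links to, and not Rancher's or AWS's own code. It rebuilds the pull secret named myk8sregistrysecret from earlier in the thread using aws ecr get-login-password and kubectl apply; the function names, the install path in the cron comment, and the assumption that the ECR password is plain base64 text (so it needs no JSON escaping) are this example's own.

```shell
#!/bin/sh
# Added example: rebuild the ECR image pull secret on a schedule.
# Function names are hypothetical; they are not part of any Rancher tool.

# Build the .dockerconfigjson payload. ECR's registry username is always the
# literal "AWS". Assumption: the password is base64 text, so it can be placed
# in the JSON without escaping.
ecr_dockerconfigjson() {  # $1 = registry host, $2 = ECR password
  ecr_auth=$(printf 'AWS:%s' "$2" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"AWS","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$ecr_auth"
}

# Render a kubernetes.io/dockerconfigjson Secret manifest on stdout.
ecr_secret_manifest() {  # $1 = secret name, $2 = namespace, $3 = registry, $4 = password
  ecr_data=$(ecr_dockerconfigjson "$3" "$4" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $ecr_data
EOF
}

# Fetch a fresh token and apply the secret. The manifest reaches kubectl on
# stdin, so the password is not passed as a kubectl command-line argument.
refresh_ecr_secret() {  # $1 = region, $2 = registry, $3 = secret name, $4 = namespace
  ecr_password=$(aws ecr get-login-password --region "$1") || return 1
  ecr_secret_manifest "$3" "$4" "$2" "$ecr_password" | kubectl apply -f -
}

# Cron entry point (hypothetical install path), run well inside the 12 hours:
#   0 */6 * * * /usr/local/bin/ecr-refresh.sh refresh <region> <registry> myk8sregistrysecret <namespace>
if [ "${1:-}" = "refresh" ]; then
  shift
  refresh_ecr_secret "$@"
fi
```

The AWS credentials used by the job only need permission to fetch an ECR authorization token and pull from the repositories in question, and the secret has to exist in every namespace whose workloads reference it.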

You are not entitled to anything from anybody just because you use our free software.
If you can’t be civil and constructive, you will not post anything in any of our community channels.

Employees have actual jobs and no engineers are paid specifically to answer you here, especially when you’re rude and don’t answer us either. Lots of companies are happy to pay for access to people whose job that is.

And I am sure potential paying customers will be so impressed with your attitude as representative of the company’s values.

Hi everyone! My company uses AWS ECR, Bitbucket, CircleCI and Rancher. Management would like to move from CircleCI to Rancher pipeline CI/CD. I’m new to Rancher. I was able to integrate Bitbucket repos with Rancher Pipeline, and all images are located in AWS ECR. When I run the pipeline script it cannot communicate with ECR and shows “no basic auth credentials”. In CircleCI we have a variables option where we can add values to get access to AWS ECR, such as AWS ID, access key, secret, region. I use a Dockerfile to build the app and it pulls an image from AWS ECR. Can someone explain to me step by step how to add AWS variables to Rancher v.2.5.9, please? Thank you