2020/07/29 - Amazon EC2 Container Registry - 5 updated api methods
Changes This release adds support for encrypting the contents of your Amazon ECR repository with customer master keys (CMKs) stored in AWS Key Management Service.
{'failures': {'failureCode': {'KmsError'}}}
Deletes a list of specified images within a repository. Images are specified with either an imageTag or imageDigest .
You can remove a tag from an image by specifying the image's tag in your request. When you remove the last tag from an image, the image is deleted from your repository.
You can completely delete an image (and all of its tags) by specifying the image's digest in your request.
See also: AWS API Documentation
Request Syntax
client.batch_delete_image(
registryId='string',
repositoryName='string',
imageIds=[
{
'imageDigest': 'string',
'imageTag': 'string'
},
]
)
string
The AWS account ID associated with the registry that contains the image to delete. If you do not specify a registry, the default registry is assumed.
string
[REQUIRED]
The repository that contains the image to delete.
list
[REQUIRED]
A list of image ID references that correspond to images to delete. The format of the imageIds reference is imageTag=tag or imageDigest=digest .
(dict) --
An object with identifying information for an Amazon ECR image.
imageDigest (string) --
The sha256 digest of the image manifest.
imageTag (string) --
The tag used for the image.
dict
Response Syntax
{
'imageIds': [
{
'imageDigest': 'string',
'imageTag': 'string'
},
],
'failures': [
{
'imageId': {
'imageDigest': 'string',
'imageTag': 'string'
},
'failureCode': 'InvalidImageDigest'|'InvalidImageTag'|'ImageTagDoesNotMatchDigest'|'ImageNotFound'|'MissingDigestAndTag'|'ImageReferencedByManifestList'|'KmsError',
'failureReason': 'string'
},
]
}
Response Structure
(dict) --
imageIds (list) --
The image IDs of the deleted images.
(dict) --
An object with identifying information for an Amazon ECR image.
imageDigest (string) --
The sha256 digest of the image manifest.
imageTag (string) --
The tag used for the image.
failures (list) --
Any failures associated with the call.
(dict) --
An object representing an Amazon ECR image failure.
imageId (dict) --
The image ID associated with the failure.
imageDigest (string) --
The sha256 digest of the image manifest.
imageTag (string) --
The tag used for the image.
failureCode (string) --
The code associated with the failure.
failureReason (string) --
The reason for the failure.
{'failures': {'failureCode': {'KmsError'}}}
Gets detailed information for an image. Images are specified with either an imageTag or imageDigest .
When an image is pulled, the BatchGetImage API is called once to retrieve the image manifest.
See also: AWS API Documentation
Request Syntax
client.batch_get_image(
registryId='string',
repositoryName='string',
imageIds=[
{
'imageDigest': 'string',
'imageTag': 'string'
},
],
acceptedMediaTypes=[
'string',
]
)
string
The AWS account ID associated with the registry that contains the images to describe. If you do not specify a registry, the default registry is assumed.
string
[REQUIRED]
The repository that contains the images to describe.
list
[REQUIRED]
A list of image ID references that correspond to images to describe. The format of the imageIds reference is imageTag=tag or imageDigest=digest .
(dict) --
An object with identifying information for an Amazon ECR image.
imageDigest (string) --
The sha256 digest of the image manifest.
imageTag (string) --
The tag used for the image.
list
The accepted media types for the request.
Valid values: application/vnd.docker.distribution.manifest.v1+json | application/vnd.docker.distribution.manifest.v2+json | application/vnd.oci.image.manifest.v1+json
(string) --
dict
Response Syntax
{
'images': [
{
'registryId': 'string',
'repositoryName': 'string',
'imageId': {
'imageDigest': 'string',
'imageTag': 'string'
},
'imageManifest': 'string',
'imageManifestMediaType': 'string'
},
],
'failures': [
{
'imageId': {
'imageDigest': 'string',
'imageTag': 'string'
},
'failureCode': 'InvalidImageDigest'|'InvalidImageTag'|'ImageTagDoesNotMatchDigest'|'ImageNotFound'|'MissingDigestAndTag'|'ImageReferencedByManifestList'|'KmsError',
'failureReason': 'string'
},
]
}
Response Structure
(dict) --
images (list) --
A list of image objects corresponding to the image references in the request.
(dict) --
An object representing an Amazon ECR image.
registryId (string) --
The AWS account ID associated with the registry containing the image.
repositoryName (string) --
The name of the repository associated with the image.
imageId (dict) --
An object containing the image tag and image digest associated with an image.
imageDigest (string) --
The sha256 digest of the image manifest.
imageTag (string) --
The tag used for the image.
imageManifest (string) --
The image manifest associated with the image.
imageManifestMediaType (string) --
The media type associated with the image manifest.
failures (list) --
Any failures associated with the call.
(dict) --
An object representing an Amazon ECR image failure.
imageId (dict) --
The image ID associated with the failure.
imageDigest (string) --
The sha256 digest of the image manifest.
imageTag (string) --
The tag used for the image.
failureCode (string) --
The code associated with the failure.
failureReason (string) --
The reason for the failure.
{'encryptionConfiguration': {'encryptionType': 'AES256 | KMS',
'kmsKey': 'string'}}
Response {'repository': {'encryptionConfiguration': {'encryptionType': 'AES256 | KMS',
'kmsKey': 'string'}}}
Creates a repository. For more information, see Amazon ECR Repositories in the Amazon Elastic Container Registry User Guide .
See also: AWS API Documentation
Request Syntax
client.create_repository(
repositoryName='string',
tags=[
{
'Key': 'string',
'Value': 'string'
},
],
imageTagMutability='MUTABLE'|'IMMUTABLE',
imageScanningConfiguration={
'scanOnPush': True|False
},
encryptionConfiguration={
'encryptionType': 'AES256'|'KMS',
'kmsKey': 'string'
}
)
string
[REQUIRED]
The name to use for the repository. The repository name may be specified on its own (such as nginx-web-app ) or it can be prepended with a namespace to group the repository into a category (such as project-a/nginx-web-app ).
list
The metadata that you apply to the repository to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.
(dict) --
The metadata that you apply to a resource to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. Tag keys can have a maximum character length of 128 characters, and tag values can have a maximum length of 256 characters.
Key (string) --
One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.
Value (string) --
The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).
string
The tag mutability setting for the repository. If this parameter is omitted, the default setting of MUTABLE will be used which will allow image tags to be overwritten. If IMMUTABLE is specified, all image tags within the repository will be immutable which will prevent them from being overwritten.
dict
The image scanning configuration for the repository. This determines whether images are scanned for known vulnerabilities after being pushed to the repository.
scanOnPush (boolean) --
The setting that determines whether images are scanned after being pushed to a repository. If set to true , images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.
dict
The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
encryptionType (string) -- [REQUIRED]
The encryption type to use.
If you use the KMS encryption type, the contents of the repository will be encrypted using server-side encryption with customer master keys (CMKs) stored in AWS KMS. When you use AWS KMS to encrypt your data, you can either use the default AWS managed CMK for Amazon ECR, or specify your own CMK, which you already created. For more information, see Protecting Data Using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS) in the Amazon Simple Storage Service Console Developer Guide. .
If you use the AES256 encryption type, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts the images in the repository using an AES-256 encryption algorithm. For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) in the Amazon Simple Storage Service Console Developer Guide. .
kmsKey (string) --
If you use the KMS encryption type, specify the CMK to use for encryption. The alias, key ID, or full ARN of the CMK can be specified. The key must exist in the same Region as the repository. If no key is specified, the default AWS managed CMK for Amazon ECR will be used.
dict
Response Syntax
{
'repository': {
'repositoryArn': 'string',
'registryId': 'string',
'repositoryName': 'string',
'repositoryUri': 'string',
'createdAt': datetime(2015, 1, 1),
'imageTagMutability': 'MUTABLE'|'IMMUTABLE',
'imageScanningConfiguration': {
'scanOnPush': True|False
},
'encryptionConfiguration': {
'encryptionType': 'AES256'|'KMS',
'kmsKey': 'string'
}
}
}
Response Structure
(dict) --
repository (dict) --
The repository that was created.
repositoryArn (string) --
The Amazon Resource Name (ARN) that identifies the repository. The ARN contains the arn:aws:ecr namespace, followed by the region of the repository, AWS account ID of the repository owner, repository namespace, and repository name. For example, arn:aws:ecr:region:012345678910:repository/test .
registryId (string) --
The AWS account ID associated with the registry that contains the repository.
repositoryName (string) --
The name of the repository.
repositoryUri (string) --
The URI for the repository. You can use this URI for container image push and pull operations.
createdAt (datetime) --
The date and time, in JavaScript date format, when the repository was created.
imageTagMutability (string) --
The tag mutability setting for the repository.
imageScanningConfiguration (dict) --
The image scanning configuration for a repository.
scanOnPush (boolean) --
The setting that determines whether images are scanned after being pushed to a repository. If set to true , images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.
encryptionConfiguration (dict) --
The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
encryptionType (string) --
The encryption type to use.
If you use the KMS encryption type, the contents of the repository will be encrypted using server-side encryption with customer master keys (CMKs) stored in AWS KMS. When you use AWS KMS to encrypt your data, you can either use the default AWS managed CMK for Amazon ECR, or specify your own CMK, which you already created. For more information, see Protecting Data Using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS) in the Amazon Simple Storage Service Console Developer Guide. .
If you use the AES256 encryption type, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts the images in the repository using an AES-256 encryption algorithm. For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) in the Amazon Simple Storage Service Console Developer Guide. .
kmsKey (string) --
If you use the KMS encryption type, specify the CMK to use for encryption. The alias, key ID, or full ARN of the CMK can be specified. The key must exist in the same Region as the repository. If no key is specified, the default AWS managed CMK for Amazon ECR will be used.
{'repository': {'encryptionConfiguration': {'encryptionType': 'AES256 | KMS',
'kmsKey': 'string'}}}
Deletes a repository. If the repository contains images, you must either delete all images in the repository or use the force option to delete the repository.
See also: AWS API Documentation
Request Syntax
client.delete_repository(
registryId='string',
repositoryName='string',
force=True|False
)
string
The AWS account ID associated with the registry that contains the repository to delete. If you do not specify a registry, the default registry is assumed.
string
[REQUIRED]
The name of the repository to delete.
boolean
If a repository contains images, forces the deletion.
dict
Response Syntax
{
'repository': {
'repositoryArn': 'string',
'registryId': 'string',
'repositoryName': 'string',
'repositoryUri': 'string',
'createdAt': datetime(2015, 1, 1),
'imageTagMutability': 'MUTABLE'|'IMMUTABLE',
'imageScanningConfiguration': {
'scanOnPush': True|False
},
'encryptionConfiguration': {
'encryptionType': 'AES256'|'KMS',
'kmsKey': 'string'
}
}
}
Response Structure
(dict) --
repository (dict) --
The repository that was deleted.
repositoryArn (string) --
The Amazon Resource Name (ARN) that identifies the repository. The ARN contains the arn:aws:ecr namespace, followed by the region of the repository, AWS account ID of the repository owner, repository namespace, and repository name. For example, arn:aws:ecr:region:012345678910:repository/test .
registryId (string) --
The AWS account ID associated with the registry that contains the repository.
repositoryName (string) --
The name of the repository.
repositoryUri (string) --
The URI for the repository. You can use this URI for container image push and pull operations.
createdAt (datetime) --
The date and time, in JavaScript date format, when the repository was created.
imageTagMutability (string) --
The tag mutability setting for the repository.
imageScanningConfiguration (dict) --
The image scanning configuration for a repository.
scanOnPush (boolean) --
The setting that determines whether images are scanned after being pushed to a repository. If set to true , images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.
encryptionConfiguration (dict) --
The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
encryptionType (string) --
The encryption type to use.
If you use the KMS encryption type, the contents of the repository will be encrypted using server-side encryption with customer master keys (CMKs) stored in AWS KMS. When you use AWS KMS to encrypt your data, you can either use the default AWS managed CMK for Amazon ECR, or specify your own CMK, which you already created. For more information, see Protecting Data Using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS) in the Amazon Simple Storage Service Console Developer Guide. .
If you use the AES256 encryption type, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts the images in the repository using an AES-256 encryption algorithm. For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) in the Amazon Simple Storage Service Console Developer Guide. .
kmsKey (string) --
If you use the KMS encryption type, specify the CMK to use for encryption. The alias, key ID, or full ARN of the CMK can be specified. The key must exist in the same Region as the repository. If no key is specified, the default AWS managed CMK for Amazon ECR will be used.
{'repositories': {'encryptionConfiguration': {'encryptionType': 'AES256 | KMS',
'kmsKey': 'string'}}}
Describes image repositories in a registry.
See also: AWS API Documentation
Request Syntax
client.describe_repositories(
registryId='string',
repositoryNames=[
'string',
],
nextToken='string',
maxResults=123
)
string
The AWS account ID associated with the registry that contains the repositories to be described. If you do not specify a registry, the default registry is assumed.
list
A list of repositories to describe. If this parameter is omitted, then all repositories in a registry are described.
(string) --
string
The nextToken value returned from a previous paginated DescribeRepositories request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return. This option cannot be used when you specify repositories with repositoryNames .
Note
This token should be treated as an opaque identifier that is only used to retrieve the next items in a list and not for other programmatic purposes.
integer
The maximum number of repository results returned by DescribeRepositories in paginated output. When this parameter is used, DescribeRepositories only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another DescribeRepositories request with the returned nextToken value. This value can be between 1 and 1000. If this parameter is not used, then DescribeRepositories returns up to 100 results and a nextToken value, if applicable. This option cannot be used when you specify repositories with repositoryNames .
dict
Response Syntax
{
'repositories': [
{
'repositoryArn': 'string',
'registryId': 'string',
'repositoryName': 'string',
'repositoryUri': 'string',
'createdAt': datetime(2015, 1, 1),
'imageTagMutability': 'MUTABLE'|'IMMUTABLE',
'imageScanningConfiguration': {
'scanOnPush': True|False
},
'encryptionConfiguration': {
'encryptionType': 'AES256'|'KMS',
'kmsKey': 'string'
}
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
repositories (list) --
A list of repository objects corresponding to valid repositories.
(dict) --
An object representing a repository.
repositoryArn (string) --
The Amazon Resource Name (ARN) that identifies the repository. The ARN contains the arn:aws:ecr namespace, followed by the region of the repository, AWS account ID of the repository owner, repository namespace, and repository name. For example, arn:aws:ecr:region:012345678910:repository/test .
registryId (string) --
The AWS account ID associated with the registry that contains the repository.
repositoryName (string) --
The name of the repository.
repositoryUri (string) --
The URI for the repository. You can use this URI for container image push and pull operations.
createdAt (datetime) --
The date and time, in JavaScript date format, when the repository was created.
imageTagMutability (string) --
The tag mutability setting for the repository.
imageScanningConfiguration (dict) --
The image scanning configuration for a repository.
scanOnPush (boolean) --
The setting that determines whether images are scanned after being pushed to a repository. If set to true , images will be scanned after being pushed. If this parameter is not specified, it will default to false and images will not be scanned unless a scan is manually started with the StartImageScan API.
encryptionConfiguration (dict) --
The encryption configuration for the repository. This determines how the contents of your repository are encrypted at rest.
encryptionType (string) --
The encryption type to use.
If you use the KMS encryption type, the contents of the repository will be encrypted using server-side encryption with customer master keys (CMKs) stored in AWS KMS. When you use AWS KMS to encrypt your data, you can either use the default AWS managed CMK for Amazon ECR, or specify your own CMK, which you already created. For more information, see Protecting Data Using Server-Side Encryption with CMKs Stored in AWS Key Management Service (SSE-KMS) in the Amazon Simple Storage Service Console Developer Guide. .
If you use the AES256 encryption type, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys which encrypts the images in the repository using an AES-256 encryption algorithm. For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) in the Amazon Simple Storage Service Console Developer Guide. .
kmsKey (string) --
If you use the KMS encryption type, specify the CMK to use for encryption. The alias, key ID, or full ARN of the CMK can be specified. The key must exist in the same Region as the repository. If no key is specified, the default AWS managed CMK for Amazon ECR will be used.
nextToken (string) --
The nextToken value to include in a future DescribeRepositories request. When the results of a DescribeRepositories request exceed maxResults , this value can be used to retrieve the next page of results. This value is null when there are no more results to return.