Amazon Elastic Container Registry

2025/03/11 - Amazon Elastic Container Registry - 5 updated api methods

Changes  This release adds Amazon ECR to Amazon ECR pull through cache rules support.

CreatePullThroughCacheRule (updated) Link ¶
Changes (both)
{'customRoleArn': 'string',
 'upstreamRegistry': {'ecr'},
 'upstreamRepositoryPrefix': 'string'}

Creates a pull through cache rule. A pull through cache rule provides a way to cache images from an upstream registry source in your Amazon ECR private registry. For more information, see Using pull through cache rules in the Amazon Elastic Container Registry User Guide.

See also: AWS API Documentation

Request Syntax

client.create_pull_through_cache_rule(
    ecrRepositoryPrefix='string',
    upstreamRegistryUrl='string',
    registryId='string',
    upstreamRegistry='ecr'|'ecr-public'|'quay'|'k8s'|'docker-hub'|'github-container-registry'|'azure-container-registry'|'gitlab-container-registry',
    credentialArn='string',
    customRoleArn='string',
    upstreamRepositoryPrefix='string'
)
type ecrRepositoryPrefix:

string

param ecrRepositoryPrefix:

[REQUIRED]

The repository name prefix to use when caching images from the source registry.

type upstreamRegistryUrl:

string

param upstreamRegistryUrl:

[REQUIRED]

The registry URL of the upstream public registry to use as the source for the pull through cache rule. The following is the syntax to use for each supported upstream registry.

  • Amazon ECR ( ecr) – dkr.ecr.<region>.amazonaws.com

  • Amazon ECR Public ( ecr-public) – public.ecr.aws

  • Docker Hub ( docker-hub) – registry-1.docker.io

  • GitHub Container Registry ( github-container-registry) – ghcr.io

  • GitLab Container Registry ( gitlab-container-registry) – registry.gitlab.com

  • Kubernetes ( k8s) – registry.k8s.io

  • Microsoft Azure Container Registry ( azure-container-registry) – <custom>.azurecr.io

  • Quay ( quay) – quay.io

type registryId:

string

param registryId:

The Amazon Web Services account ID associated with the registry to create the pull through cache rule for. If you do not specify a registry, the default registry is assumed.

type upstreamRegistry:

string

param upstreamRegistry:

The name of the upstream registry.

type credentialArn:

string

param credentialArn:

The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret that identifies the credentials to authenticate to the upstream registry.

type customRoleArn:

string

param customRoleArn:

Amazon Resource Name (ARN) of the IAM role to be assumed by Amazon ECR to authenticate to the ECR upstream registry. This role must be in the same account as the registry that you are configuring.

type upstreamRepositoryPrefix:

string

param upstreamRepositoryPrefix:

The repository name prefix of the upstream registry to match with the upstream repository name. When this field isn't specified, Amazon ECR will use the ROOT.

rtype:

dict

returns:

Response Syntax

{
    'ecrRepositoryPrefix': 'string',
    'upstreamRegistryUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'registryId': 'string',
    'upstreamRegistry': 'ecr'|'ecr-public'|'quay'|'k8s'|'docker-hub'|'github-container-registry'|'azure-container-registry'|'gitlab-container-registry',
    'credentialArn': 'string',
    'customRoleArn': 'string',
    'upstreamRepositoryPrefix': 'string'
}

Response Structure

  • (dict) --

    • ecrRepositoryPrefix (string) --

      The Amazon ECR repository prefix associated with the pull through cache rule.

    • upstreamRegistryUrl (string) --

      The upstream registry URL associated with the pull through cache rule.

    • createdAt (datetime) --

      The date and time, in JavaScript date format, when the pull through cache rule was created.

    • registryId (string) --

      The registry ID associated with the request.

    • upstreamRegistry (string) --

      The name of the upstream registry associated with the pull through cache rule.

    • credentialArn (string) --

      The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret associated with the pull through cache rule.

    • customRoleArn (string) --

      The ARN of the IAM role associated with the pull through cache rule.

    • upstreamRepositoryPrefix (string) --

      The upstream repository prefix associated with the pull through cache rule.

DeletePullThroughCacheRule (updated) Link ¶
Changes (response)
{'customRoleArn': 'string', 'upstreamRepositoryPrefix': 'string'}

Deletes a pull through cache rule.

See also: AWS API Documentation

Request Syntax

client.delete_pull_through_cache_rule(
    ecrRepositoryPrefix='string',
    registryId='string'
)
type ecrRepositoryPrefix:

string

param ecrRepositoryPrefix:

[REQUIRED]

The Amazon ECR repository prefix associated with the pull through cache rule to delete.

type registryId:

string

param registryId:

The Amazon Web Services account ID associated with the registry that contains the pull through cache rule. If you do not specify a registry, the default registry is assumed.

rtype:

dict

returns:

Response Syntax

{
    'ecrRepositoryPrefix': 'string',
    'upstreamRegistryUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'registryId': 'string',
    'credentialArn': 'string',
    'customRoleArn': 'string',
    'upstreamRepositoryPrefix': 'string'
}

Response Structure

  • (dict) --

    • ecrRepositoryPrefix (string) --

      The Amazon ECR repository prefix associated with the request.

    • upstreamRegistryUrl (string) --

      The upstream registry URL associated with the pull through cache rule.

    • createdAt (datetime) --

      The timestamp associated with the pull through cache rule.

    • registryId (string) --

      The registry ID associated with the request.

    • credentialArn (string) --

      The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret associated with the pull through cache rule.

    • customRoleArn (string) --

      The ARN of the IAM role associated with the pull through cache rule.

    • upstreamRepositoryPrefix (string) --

      The upstream repository prefix associated with the pull through cache rule.

DescribePullThroughCacheRules (updated) Link ¶
Changes (response)
{'pullThroughCacheRules': {'customRoleArn': 'string',
                           'upstreamRegistry': {'ecr'},
                           'upstreamRepositoryPrefix': 'string'}}

Returns the pull through cache rules for a registry.

See also: AWS API Documentation

Request Syntax

client.describe_pull_through_cache_rules(
    registryId='string',
    ecrRepositoryPrefixes=[
        'string',
    ],
    nextToken='string',
    maxResults=123
)
type registryId:

string

param registryId:

The Amazon Web Services account ID associated with the registry to return the pull through cache rules for. If you do not specify a registry, the default registry is assumed.

type ecrRepositoryPrefixes:

list

param ecrRepositoryPrefixes:

The Amazon ECR repository prefixes associated with the pull through cache rules to return. If no repository prefix value is specified, all pull through cache rules are returned.

  • (string) --

type nextToken:

string

param nextToken:

The nextToken value returned from a previous paginated DescribePullThroughCacheRulesRequest request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.

type maxResults:

integer

param maxResults:

The maximum number of pull through cache rules returned by DescribePullThroughCacheRulesRequest in paginated output. When this parameter is used, DescribePullThroughCacheRulesRequest only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another DescribePullThroughCacheRulesRequest request with the returned nextToken value. This value can be between 1 and 1000. If this parameter is not used, then DescribePullThroughCacheRulesRequest returns up to 100 results and a nextToken value, if applicable.

rtype:

dict

returns:

Response Syntax

{
    'pullThroughCacheRules': [
        {
            'ecrRepositoryPrefix': 'string',
            'upstreamRegistryUrl': 'string',
            'createdAt': datetime(2015, 1, 1),
            'registryId': 'string',
            'credentialArn': 'string',
            'customRoleArn': 'string',
            'upstreamRepositoryPrefix': 'string',
            'upstreamRegistry': 'ecr'|'ecr-public'|'quay'|'k8s'|'docker-hub'|'github-container-registry'|'azure-container-registry'|'gitlab-container-registry',
            'updatedAt': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • pullThroughCacheRules (list) --

      The details of the pull through cache rules.

      • (dict) --

        The details of a pull through cache rule.

        • ecrRepositoryPrefix (string) --

          The Amazon ECR repository prefix associated with the pull through cache rule.

        • upstreamRegistryUrl (string) --

          The upstream registry URL associated with the pull through cache rule.

        • createdAt (datetime) --

          The date and time the pull through cache was created.

        • registryId (string) --

          The Amazon Web Services account ID associated with the registry the pull through cache rule is associated with.

        • credentialArn (string) --

          The ARN of the Secrets Manager secret associated with the pull through cache rule.

        • customRoleArn (string) --

          The ARN of the IAM role associated with the pull through cache rule.

        • upstreamRepositoryPrefix (string) --

          The upstream repository prefix associated with the pull through cache rule.

        • upstreamRegistry (string) --

          The name of the upstream source registry associated with the pull through cache rule.

        • updatedAt (datetime) --

          The date and time, in JavaScript date format, when the pull through cache rule was last updated.

    • nextToken (string) --

      The nextToken value to include in a future DescribePullThroughCacheRulesRequest request. When the results of a DescribePullThroughCacheRulesRequest request exceed maxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.

UpdatePullThroughCacheRule (updated) Link ¶
Changes (request, response)
Request
{'customRoleArn': 'string'}
Response
{'customRoleArn': 'string', 'upstreamRepositoryPrefix': 'string'}

Updates an existing pull through cache rule.

See also: AWS API Documentation

Request Syntax

client.update_pull_through_cache_rule(
    registryId='string',
    ecrRepositoryPrefix='string',
    credentialArn='string',
    customRoleArn='string'
)
type registryId:

string

param registryId:

The Amazon Web Services account ID associated with the registry associated with the pull through cache rule. If you do not specify a registry, the default registry is assumed.

type ecrRepositoryPrefix:

string

param ecrRepositoryPrefix:

[REQUIRED]

The repository name prefix to use when caching images from the source registry.

type credentialArn:

string

param credentialArn:

The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret that identifies the credentials to authenticate to the upstream registry.

type customRoleArn:

string

param customRoleArn:

Amazon Resource Name (ARN) of the IAM role to be assumed by Amazon ECR to authenticate to the ECR upstream registry. This role must be in the same account as the registry that you are configuring.

rtype:

dict

returns:

Response Syntax

{
    'ecrRepositoryPrefix': 'string',
    'registryId': 'string',
    'updatedAt': datetime(2015, 1, 1),
    'credentialArn': 'string',
    'customRoleArn': 'string',
    'upstreamRepositoryPrefix': 'string'
}

Response Structure

  • (dict) --

    • ecrRepositoryPrefix (string) --

      The Amazon ECR repository prefix associated with the pull through cache rule.

    • registryId (string) --

      The registry ID associated with the request.

    • updatedAt (datetime) --

      The date and time, in JavaScript date format, when the pull through cache rule was updated.

    • credentialArn (string) --

      The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret associated with the pull through cache rule.

    • customRoleArn (string) --

      The ARN of the IAM role associated with the pull through cache rule.

    • upstreamRepositoryPrefix (string) --

      The upstream repository prefix associated with the pull through cache rule.

ValidatePullThroughCacheRule (updated) Link ¶
Changes (response)
{'customRoleArn': 'string', 'upstreamRepositoryPrefix': 'string'}

Validates an existing pull through cache rule for an upstream registry that requires authentication. This will retrieve the contents of the Amazon Web Services Secrets Manager secret, verify the syntax, and then validate that authentication to the upstream registry is successful.

See also: AWS API Documentation

Request Syntax

client.validate_pull_through_cache_rule(
    ecrRepositoryPrefix='string',
    registryId='string'
)
type ecrRepositoryPrefix:

string

param ecrRepositoryPrefix:

[REQUIRED]

The repository name prefix associated with the pull through cache rule.

type registryId:

string

param registryId:

The registry ID associated with the pull through cache rule. If you do not specify a registry, the default registry is assumed.

rtype:

dict

returns:

Response Syntax

{
    'ecrRepositoryPrefix': 'string',
    'registryId': 'string',
    'upstreamRegistryUrl': 'string',
    'credentialArn': 'string',
    'customRoleArn': 'string',
    'upstreamRepositoryPrefix': 'string',
    'isValid': True|False,
    'failure': 'string'
}

Response Structure

  • (dict) --

    • ecrRepositoryPrefix (string) --

      The Amazon ECR repository prefix associated with the pull through cache rule.

    • registryId (string) --

      The registry ID associated with the request.

    • upstreamRegistryUrl (string) --

      The upstream registry URL associated with the pull through cache rule.

    • credentialArn (string) --

      The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret associated with the pull through cache rule.

    • customRoleArn (string) --

      The ARN of the IAM role associated with the pull through cache rule.

    • upstreamRepositoryPrefix (string) --

      The upstream repository prefix associated with the pull through cache rule.

    • isValid (boolean) --

      Whether or not the pull through cache rule was validated. If true, Amazon ECR was able to reach the upstream registry and authentication was successful. If false, there was an issue and validation failed. The failure reason indicates the cause.

    • failure (string) --

      The reason the validation failed. For more details about possible causes and how to address them, see Using pull through cache rules in the Amazon Elastic Container Registry User Guide.