AWS::ECR::PullThroughCacheRule
The AWS::ECR::PullThroughCacheRule resource creates or updates a pull through cache rule. A pull through cache rule provides a way to cache images from an upstream registry in your Amazon ECR private registry.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::ECR::PullThroughCacheRule",
  "Properties" : {
      "CredentialArn" : String,
      "EcrRepositoryPrefix" : String,
      "UpstreamRegistry" : String,
      "UpstreamRegistryUrl" : String
    }
}
YAML
Type: AWS::ECR::PullThroughCacheRule
Properties:
  CredentialArn: String
  EcrRepositoryPrefix: String
  UpstreamRegistry: String
  UpstreamRegistryUrl: String
Properties
CredentialArn
The ARN of the Secrets Manager secret associated with the pull through cache rule.
Required: No
Type: String
Pattern: ^arn:aws:secretsmanager:[a-zA-Z0-9-:]+:secret:ecr\-pullthroughcache\/[a-zA-Z0-9\/_+=.@-]+$
Minimum: 50
Maximum: 612
Update requires: Replacement
EcrRepositoryPrefix
The Amazon ECR repository prefix associated with the pull through cache rule.
Required: No
Type: String
Pattern: (?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*
Minimum: 2
Maximum: 30
Update requires: Replacement
UpstreamRegistry
The name of the upstream source registry associated with the pull through cache rule.
Required: No
Type: String
Allowed values: ecr-public | quay | k8s | docker-hub | github-container-registry | azure-container-registry | gitlab-container-registry
Update requires: Replacement
UpstreamRegistryUrl
The upstream registry URL associated with the pull through cache rule.
Required: No
Type: String
Update requires: Replacement
Examples
The following resource examples show how to create a pull through cache rule for a private registry.
Create a pull through cache rule for an upstream registry that requires authentication
The following example creates a pull through cache rule for the upstream registry Docker Hub, which requires authentication. The authentication credentials for the upstream registry must be stored in a Secrets Manager secret whose name has the ecr-pullthroughcache/ prefix. You specify the full Amazon Resource Name (ARN) of the secret. When the pull through cache rule is used to pull images from the upstream registry, Amazon ECR will create repositories in your private registry on your behalf with the docker-hub prefix.
JSON
{
  "Resources": {
    "MyECRPullThroughCacheRule": {
      "Type": "AWS::ECR::PullThroughCacheRule",
      "Properties": {
        "EcrRepositoryPrefix": "docker-hub",
        "UpstreamRegistryUrl": "registry-1.docker.io",
        "CredentialArn": "arn:aws:secretsmanager:us-east-2:111122223333:secret:ecr-pullthroughcache/example1234"
      }
    }
  }
}
YAML
Resources:
  MyECRPullThroughCacheRule:
    Type: 'AWS::ECR::PullThroughCacheRule'
    Properties:
      EcrRepositoryPrefix: 'docker-hub'
      UpstreamRegistryUrl: 'registry-1.docker.io'
      CredentialArn: 'arn:aws:secretsmanager:us-east-2:111122223333:secret:ecr-pullthroughcache/example1234'
      UpstreamRegistry: 'docker-hub'
Create a pull through cache rule for an upstream registry that does not require authentication
The following example creates a pull through cache rule that caches repositories with the name prefix ecr-public from the Amazon ECR Public registry into your private registry.
JSON
{
  "Resources": {
    "MyECRPullThroughCacheRule": {
      "Type": "AWS::ECR::PullThroughCacheRule",
      "Properties": {
        "EcrRepositoryPrefix": "ecr-public",
        "UpstreamRegistryUrl": "public.ecr.aws"
      }
    }
  }
}
YAML
Resources:
  MyECRPullThroughCacheRule:
    Type: 'AWS::ECR::PullThroughCacheRule'
    Properties:
      EcrRepositoryPrefix: 'ecr-public'
      UpstreamRegistryUrl: 'public.ecr.aws'
      UpstreamRegistry: 'ecr-public'
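A pre-deployment check that applies the property constraints documented above (patterns, length limits, allowed values, and the stated Docker Hub authentication requirement) to a parsed template. This is an added example, not part of the AWS documentation; the function names check_rule and lint_template and the SAMPLE template are hypothetical and constructed for illustration.

```python
import re

# Constraints copied from the Properties section of this page.
ARN_RE = re.compile(r"^arn:aws:secretsmanager:[a-zA-Z0-9-:]+:secret:"
                    r"ecr\-pullthroughcache\/[a-zA-Z0-9\/_+=.@-]+$")
PREFIX_RE = re.compile(r"(?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*")
REGISTRIES = {"ecr-public", "quay", "k8s", "docker-hub", "github-container-registry",
              "azure-container-registry", "gitlab-container-registry"}

def check_rule(props):
    """Return findings for one PullThroughCacheRule Properties dict (hypothetical helper)."""
    findings = []
    # Intrinsic functions such as {"Ref": ...} are dicts and cannot be checked statically.
    lit = {k: v for k, v in props.items() if isinstance(v, str)}
    arn = lit.get("CredentialArn")
    if arn is not None:
        if not 50 <= len(arn) <= 612:
            findings.append("CredentialArn: length outside 50-612")
        if not ARN_RE.fullmatch(arn):
            findings.append("CredentialArn: secret name lacks ecr-pullthroughcache/ prefix")
    prefix = lit.get("EcrRepositoryPrefix")
    if prefix is not None:
        if not 2 <= len(prefix) <= 30:
            findings.append("EcrRepositoryPrefix: length outside 2-30")
        if not PREFIX_RE.fullmatch(prefix):
            findings.append("EcrRepositoryPrefix: does not match documented pattern")
    reg = lit.get("UpstreamRegistry")
    if reg is not None and reg not in REGISTRIES:
        findings.append("UpstreamRegistry: not an allowed value")
    # The page states that Docker Hub requires authentication.
    docker_hub = reg == "docker-hub" or lit.get("UpstreamRegistryUrl") == "registry-1.docker.io"
    if docker_hub and "CredentialArn" not in props:
        findings.append("CredentialArn: missing for Docker Hub upstream")
    return findings

def lint_template(template):
    """Map logical ID to findings for each pull through cache rule in a parsed template."""
    report = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::ECR::PullThroughCacheRule":
            found = check_rule(res.get("Properties", {}))
            if found:
                report[name] = found
    return report

# Constructed sample: uppercase prefix and no credentials for Docker Hub.
SAMPLE = {"Resources": {"BadRule": {"Type": "AWS::ECR::PullThroughCacheRule", "Properties": {
    "EcrRepositoryPrefix": "Docker_Hub", "UpstreamRegistry": "docker-hub"}}}}
if __name__ == "__main__":
    print(lint_template(SAMPLE))
```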