ECR Image Inspector
I was trying to investigate a base image for an old image I had in ECR. The image was built with an ARG for the base, so I wanted to see if I could figure out what was set up at build time for that old image. I was mostly unsuccessful :(. Although some of the scripts below were interesting.
Install awscli - for this user only b/c I don’t have global permissions
pip install awscli --user
Export required secrets. Copy and paste them from control tower for this account+role
export AWS_ACCESS_KEY_ID="AAAAAA"
export AWS_SECRET_ACCESS_KEY="AAAA"
export AWS_SESSION_TOKEN="AAA"
Configure awscli with the exported variables
python -m awscli configure
Login to docker
python -m awscli ecr get-login-password | docker login -u AWS --password-stdin https://$ACCOUNT.dkr.ecr.us-east-1.amazonaws.com
Pull the image
docker pull $ACCOUNT.dkr.ecr.us-east-1.amazonaws.com/$ECR_REPOSITORY:$IMAGE
Inspect using basic tools!
docker inspect $ACCOUNT.dkr.ecr.us-east-1.amazonaws.com/$ECR_REPOSITORY:$IMAGE
Unfortunately this only tells you low-level details such as the file system layers, identified by hash. It doesn’t tell you the base image’s name.
So try to use dfimage from alpine https://github.com/alpine-docker/dfimage
Remember to use // on a Windows PC! https://stackoverflow.com/a/41005007/428944
alias dfimage="docker run -v //var/run/docker.sock:/var/run/docker.sock --rm alpine/dfimage"
dfimage 383530046460.dkr.ecr.us-east-1.amazonaws.com/bundles:baas-dashboard-cb36c0e
This recovers the Dockerfile! But it doesn’t tell me the base image.
At this point I gave up and just hardcoded a new working image and got the project to work this way.
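An added example, not from the original post: the layer hashes that docker inspect prints under RootFS.Layers can still narrow down the base, because an image built FROM a base starts with that base's layers in the same order. The candidate image names and the hashes below are constructed placeholders, and the function names are this example's own.

```python
import json
import subprocess
import sys


def layers(inspect_json):
    """Return the ordered layer diff IDs from `docker inspect` JSON output."""
    doc = json.loads(inspect_json)
    if isinstance(doc, list):  # docker inspect prints a one-element array
        doc = doc[0]
    return doc["RootFS"]["Layers"]


def match_base(image_layers, candidates):
    """Find the candidate base whose layers lead the image's layer list.
    candidates maps an image reference to its layers. The longest match wins,
    since one candidate may be built on another. Returns (ref, layers_added) or None.
    """
    best = None
    for ref, base in candidates.items():
        if base and image_layers[:len(base)] == base:
            if best is None or len(base) > len(candidates[best]):
                best = ref
    if best is None:
        return None
    return best, len(image_layers) - len(candidates[best])


def docker_layers(ref):
    """Layers of a locally pulled image, read through the docker CLI."""
    out = subprocess.run(["docker", "inspect", ref], check=True,
                         capture_output=True, text=True).stdout
    return layers(out)


# Constructed sample data: shortened fake diff IDs, not from a real image.
SAMPLE_IMAGE = '[{"RootFS": {"Layers": ["sha256:aa", "sha256:bb", "sha256:cc", "sha256:dd"]}}]'
SAMPLE_CANDIDATES = {
    "example/os:1": ["sha256:aa"],
    "example/runtime:1": ["sha256:aa", "sha256:bb"],
    "example/other:1": ["sha256:aa", "sha256:ee"],
}

if __name__ == "__main__":
    # Optional arguments: IMAGE CANDIDATE [CANDIDATE ...], all pulled locally.
    args = sys.argv[1:]
    image = docker_layers(args[0]) if args else layers(SAMPLE_IMAGE)
    bases = {c: docker_layers(c) for c in args[1:]} if args else SAMPLE_CANDIDATES
    print(match_base(image, bases))
```

A match means the image shares those layers with the candidate, which may be published under more than one tag. Each candidate has to be guessed and pulled first, since the layer list carries no names.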