containers-roadmap
containers-roadmap copied to clipboard
aws
[Lambda] [request]: ECS-"like" Private Registry Support for Lambda Docker Images
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request Add ECS-"like" Private Registry Auth / Interop support to AWS Lambda Service, for Lambda Functions built, deployed, and run as Docker Images / Containers...
Which service(s) is this request for? Lambda
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
For AWS Lambda Functions Built and Deployed as Docker Images / "Containerized" - seems at current the only supported option for image "hosting" is to push custom Lambda Docker Image build artifact versions in to an AWS ECR registry / repository, and then configure target Lambda Functions to pull those image build artifacts from AWS ECR at runtime.
For companies like my own - we are constrained by corporate standards / policy to push our custom Docker Image build artifacts into our Private JFrog Artifactory Instance and the Repositories we create therein as the last step in our CI / CD pipeline workflow automation. This means ALL custom Docker Images we build MUST exist in our Private JFA Instance, regardless of their respective use cases - always...
The AWS ECS Service currently supports Private Registry Auth / Interop - for Images hosted externally to AWS:
- https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html
This supported functionality has been a VERY nice option for us, allowing us to reference and obtain at runtime our custom Docker Image build artifact versions from one central location (our Private JFA) - and eliminating the need for duplication of those image build artifacts (by pushing to and hosting from BOTH our Private JFA AND AWS ECR) - saving us the additional storage, hosting, usage costs, etc. whilst reducing CI / CD pipeline workflow automation complexity / dependencies, and eliminating any possibility of disparity between image artifacts stored in multiple locations...
I know in our case it would be VERY nice to have the same Private Registry support in the case of "Dockerized" Lambda functions, allowing us to push custom Lambda Docker Image build artifact versions in to our Private JFA registry / repository (they would have to be pushed here anyway, per corp. policy...), and then configure target Lambda Functions to pull those image build artifacts from our Private JFA at runtime.
At current, while evaluating whether a new Lambda Function that I required to build for integration with a larger Terraform deployment task - the requirement for use of and explicit dependency on AWS ECR ultimately made the final decision for me to go the traditional file-based "lambda_payload" route.
If this Private Registry Auth feature were available for AWS Lambda - We would definitely begin adopting the "Lambda as Docker" development and deployment strategy to take advantage of the additional features and benefits it provides, whilst simultaneously aligning our Lambda Function development and deployment operations more closely with how we handle our larger CI / CD pipeline workflows...
I am willing to bet there are lots of other customers who would benefit from this very same feature, and it would be yet another incentive to migrate to (or start from) the new "containerized" Lambda Functions for anyone...
Cheers,
Chris Bishop
Are you currently working around this issue? Not "working around" per se, rather choosing NOT to migrate to / adopt other recently released features and functionality - opting for Building, Deploying, Running Lambda Functions "the old fashioned way"...
We're running in to the same problem; even pulling public OCI images from GitHub Packages or DockerHub doesn't work.
We are running into the same problem. We would love to have support for private registry. Company: Dun & Bradstreet
A consideration against this feature could be increased invocation time, as the image pull time may take longer. This is just a theory.
JFA support here as mentioned by OP, would be very useful to us as well.
+1 for Jfrog Artifactory
Private endpoint as well
Enviado do meu iPhone
Em 21 de mai. de 2022, à(s) 12:22, kaushikborkar @.***> escreveu:
+1 for JFrog Artifactory
— Reply to this email directly, view it on GitHubhttps://github.com/aws/containers-roadmap/issues/1217#issuecomment-1133651794, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ACSGC4JM6B5R4B7LQTAMGSTVLD5TJANCNFSM4V3XLRXQ. You are receiving this because you commented.Message ID: @.***>
Agree, we'd need private image repository support like ECS has to be able to use containers with Lambda. Same problem exists in Batch. We'll stick with ECS until Lambda has this needed container support. Company: The Hartford
This feature is in high demand, Can we please take some next steps here
Interesting this thread started in Jan 2021 and we still do not have this feature available. Did anyone take this up with their AWS partner yet? Do we know if this could or could not be done?
We too would love to pass image_uri from private registry like JFrog Artifactory or the likes.
We would find this feature very helpful, hope it can be worked on and released soon
This issue has been open for over 2 years. Any update on timeline when this may be available?
This would absolutely be a way to reduce the obstacles to using serverless in a compliance oriented environment. Even if AWS cost was the same as using ECR and AWS used ECR behind the scenes for caching, the streamlining of internal processes would make using Lambda far easier from a compliance perspective. It is amazing how difficult it can be to simply mirror images from private repos to cloud repos.
Same here with Harbor, but AWS is not willing to let a few bucks go I am afraid.
