AWSTemplateFormatVersion: "2010-09-09" Parameters: Username: Description: Username to use with authenticating to container registry Type: String NoEcho: true Password: Description: Password or access token to use with authenticating to container registry Type: String NoEcho: true RegistryUrl: Description: The container registry containing private images to be pulled Type: String Default: https://index.docker.io/v1/ SubnetIDs: Description: Subnet IDs used by Batch compute environment Type: "List" SecurityGroupIDs: Description: Security Group IDs used by Batch compute environment Type: "List" Resources: BatchDemoLaunchTemplate: Type: AWS::EC2::LaunchTemplate Properties: LaunchTemplateName: !Sub 'batch-private-registries-blog-${AWS::StackName}' LaunchTemplateData: UserData: Fn::Base64: !Sub | MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="==MYBOUNDARY==" --==MYBOUNDARY== Content-Type: text/cloud-config; charset="us-ascii" packages: - jq - aws-cli runcmd: - /usr/bin/aws configure set region $(curl http://169.254.169.254/latest/meta-data/placement/region) - export SECRET_STRING=$(/usr/bin/aws secretsmanager get-secret-value --secret-id ${BatchDemoSecret} | jq -r '.SecretString') - export USERNAME=$(echo $SECRET_STRING | jq -r '.username') - export PASSWORD=$(echo $SECRET_STRING | jq -r '.password') - export REGISTRY_URL=$(echo $SECRET_STRING | jq -r '.registry_url') - echo $PASSWORD | docker login --username $USERNAME --password-stdin $REGISTRY_URL - export AUTH=$(cat ~/.docker/config.json | jq -c .auths) - echo 'ECS_ENGINE_AUTH_TYPE=dockercfg' >> /etc/ecs/ecs.config - echo "ECS_ENGINE_AUTH_DATA=$AUTH" >> /etc/ecs/ecs.config --==MYBOUNDARY==-- BatchDemoSecret: Type: 'AWS::SecretsManager::Secret' Properties: Name: !Sub 'batchPrivateRegistriesBlog${AWS::StackName}' Description: Secret used to store users username and password for Batch private image demo SecretString: !Sub '{"username":"${Username}","password":"${Password}","registry_url":"${RegistryUrl}"}' Tags: - Key: Name Value: BatchDemoSecret BatchServiceRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Sub 'batch-private-registries-blog-service-${AWS::StackName}' ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - batch.amazonaws.com Action: - 'sts:AssumeRole' Path: / BatchComputeRole: Type: 'AWS::IAM::Role' Properties: RoleName: !Sub 'batch-private-registries-blog-ce-${AWS::StackName}' ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - ec2.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: AllowSecretsManager PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: 'secretsmanager:GetSecretValue' Resource: Ref: BatchDemoSecret BatchComputeInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Path: "/" Roles: - Ref: BatchComputeRole ComputeEnvironment: Type: AWS::Batch::ComputeEnvironment Properties: ComputeEnvironmentName: !Sub 'batch-private-registries-blog-${AWS::StackName}' Type: MANAGED ServiceRole: Ref: BatchServiceRole ComputeResources: MaxvCpus: 5 SecurityGroupIds: Ref: SecurityGroupIDs Type: EC2 LaunchTemplate: LaunchTemplateId: Ref: BatchDemoLaunchTemplate Subnets: Ref: SubnetIDs MinvCpus: 0 InstanceRole: Ref: BatchComputeInstanceProfile InstanceTypes: - c5.large - c5.xlarge Tags: {"Name" : "Batch demo private docker CE"} DesiredvCpus: 2 State: ENABLED JobQueue: Type: AWS::Batch::JobQueue Properties: JobQueueName: !Sub 'batch_private_registries_blog_${AWS::StackName}' ComputeEnvironmentOrder: - Order: 1 ComputeEnvironment: Ref: ComputeEnvironment State: ENABLED Priority: 1 Tags: {"Name" : "Batch demo private docker queue"}