Containers-roadmap: ECR [request]: expose image labels in DescribeImages response

Created on 28 Feb 2019 · 10 Comments · Source: aws/containers-roadmap

Hi!

Tell us about your request
I would like image labels to be exposed over the DescribeImages API. Docker labels are the only way to add immutable metadata to an image; having a way to view that data without pulling the image down would be really useful!

Which service(s) is this request for?
ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We'd like to add metadata about a particular Docker image to the image itself. Info such as: git hash, date built, repository, branch, etc.; and then be able to look up that data remotely using the ECR API.

This data is useful for working backwards from a container running in ECS, to the exact source that it was built from. Tags can serve a similar purpose but they're mutable and not connected directly to the image itself.

Thank you!

ECR Proposed

All 10 comments

We are also starting to go down this path, and need access to the docker labels without having to pull the image from ECR. OCI is also now publishing a standard for the labels here - https://github.com/opencontainers/image-spec/blob/master/annotations.md Obviously there can be more than their own, it just would be nice to see these in the interface and the API.

We are using OCI labelling throughout the CI/CD pipeline and being able to query these labels using awscli or through the ECR API would be incredibly useful. Is there any type of workaround to access the labels without pulling the entire image? Thanks :)

You can access the manifest of an image stored in ECR without pulling the entire image today. The manifest can be retrieved through the BatchGetImage API, and you can then parse the manifest to find annotations that are stored there. While this isn't the friendliest way to get at the annotations, it might be a reasonable work-around for you if you already know which image(s) you want to examine.

Thanks Samuel. That is useful to know. I was able to get the manifest but the labels which I see when running docker inspect against an image are not in the manifest. For example I'm looking to get at these labels :

"Labels": {
"com..image.created": "Wed 30 Oct 2019 17:11:16 GMT",
"com.image.maintainer": "tom",
"com.image.revision": "123456",
"com.image.source": "blah",
"com.image.title": "blah v2.0.1"
}

@tomwillfixit try to pass "application/vnd.docker.distribution.manifest.v1+json" in acceptedMediaTypes parameter in BatchGetImage. Labels should be in "history" array in the response.

Thank you. This works.

aws ecr batch-get-image --repository-name --image-id imageTag= --accepted-media-types "application/vnd.docker.distribution.manifest.v1+json" --output text

One liner to return labels :

aws ecr batch-get-image --repository-name --image-id imageTag= --accepted-media-types "application/vnd.docker.distribution.manifest.v1+json" --output json |jq -r '.images[].imageManifest' |jq -r '.history[0].v1Compatibility' |jq -r '.config.Labels'

Thanks this works great! Added the to the command and the PowerShell version

aws ecr batch-get-image --repository-name <repo_name> --image-id imageTag=<tag_name> --accepted-media-types "application/vnd.docker.distribution.manifest.v1+json" --output json |jq -r '.images[].imageManifest' |jq -r '.history[0].v1Compatibility' |jq -r '.config.Labels'

(((aws ecr batch-get-image --repository-name <repo_name> --image-id imageTag=<tag_name> --accepted-media-types "application/vnd.docker.distribution.manifest.v1+json" --output json | convertFrom-Json -ov a).images.imageManifest | ConvertFrom-Json).history.v1Compatibility | convertFrom-Json).Config.Labels

It does work with --image-id imageTag=.
But does not work if I pass --image-id imageDigest= instead of the imageTag.
aws ecr batch-get-image --repository-name --image-id imageDigest= --accepted-media-types "application/vnd.docker.distribution.manifest.v1+json" --output json |jq -r '.images[].imageManifest' |jq -r '.history[0].v1Compatibility' |jq -r '.config.Labels'

Any idea why this command works with tags but does not return the same information when we pass in the image digest? Is there an active open issue where this is being tracked?
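
The label extraction discussed in this thread, as an added example that is not code from any commenter or from AWS: it parses the JSON printed by `aws ecr batch-get-image --output json`, unwraps the two nested JSON strings, and reports a manifest that has no `history` array instead of printing `null`. The function name and all sample data are constructed for illustration.

```python
import json

def extract_labels(response_text):
    """Map each image in a BatchGetImage response to its labels.

    Returns a list of dicts with keys: image_id, labels, note.
    labels is None when the manifest carries no embedded image config.
    """
    response = json.loads(response_text)
    results = []
    for image in response.get("images", []):
        # imageManifest is a JSON document serialized as a string.
        manifest = json.loads(image["imageManifest"])
        history = manifest.get("history") or []
        if manifest.get("schemaVersion") != 1 or not history:
            # No v1Compatibility entries here, so there are no labels to read.
            # Report it rather than returning an empty label set.
            results.append({"image_id": image.get("imageId", {}), "labels": None,
                            "note": "no history in schemaVersion %s manifest"
                                    % manifest.get("schemaVersion")})
            continue
        # history[0] is the newest entry; v1Compatibility is JSON in a string again.
        compat = json.loads(history[0]["v1Compatibility"])
        labels = (compat.get("config") or {}).get("Labels") or {}
        results.append({"image_id": image.get("imageId", {}),
                        "labels": labels, "note": "ok"})
    for failure in response.get("failures", []):
        results.append({"image_id": failure.get("imageId", {}), "labels": None,
                        "note": failure.get("failureCode", "unknown failure")})
    return results

# Constructed sample data (not real ECR output).
_compat = json.dumps({"config": {"Labels": {"com.image.revision": "123456",
                                             "com.image.maintainer": "tom"}}})
_v1 = json.dumps({"schemaVersion": 1, "history": [{"v1Compatibility": _compat}]})
_v2 = json.dumps({"schemaVersion": 2, "config": {"digest": "sha256:" + "0" * 64}})
SAMPLE = json.dumps({
    "images": [
        {"imageId": {"imageTag": "example-tag"}, "imageManifest": _v1},
        {"imageId": {"imageDigest": "sha256:" + "1" * 64}, "imageManifest": _v2},
    ],
    "failures": [{"imageId": {"imageTag": "missing"}, "failureCode": "ImageNotFound"}],
})

if __name__ == "__main__":
    for row in extract_labels(SAMPLE):
        print(row["image_id"], row["note"], row["labels"])
```

Separating "no labels set" (an empty dict) from "no labels readable" (`None` with a note) keeps a provenance check from treating an unreadable manifest as an unlabeled image.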
