Download an AWS ECR image using Skopeo instead of Docker (e.g. running within a container)

get-image.sh

#!/usr/bin/env bash

set -eu
# set -o pipefile

docker_version=${REPO_TAG}
docker_image=${REPO_IMAGE}
# docker_creds=$(aws ecr get-authorization-token --output json |jq -r '.authorizationData[].authorizationToken' |base64 -d)
docker_creds="AWS:$(aws ecr get-login-password)"

docker_base=temp
docker_inspect=${docker_base}.inspect.json
docker_exported=${docker_base}.tgz

skopeo inspect --creds "${docker_creds}" docker://"${docker_image}:${docker_version}" |tee "${docker_inspect}"

## Download the image from ECR
## NOTE: "--additional-tag" is needed because Skopeo won't also import tags from the source image
##         (https://github.com/containers/skopeo/issues/472)
##       Since it's a valid Docker archive, "docker load -i ${FILE}" will import it untagged, which will appear
##         as "<none>" when viewing the images in your local registry.
##       Remove these if you don't care about it (e.g. using the below "skopeo copy").
skopeo copy \
       --src-creds "${docker_creds}" \
       --additional-tag "${docker_image}:${docker_version}" --additional-tag "${docker_image}:latest" \
       docker://"${docker_image}:${docker_version}" docker-archive:"${docker_exported}"

## Copy into the local dockerd
## NOTE: This won't apply any tags embedded in the archive, but will tag it as "opa-stuff:latest"
# skopeo copy docker-archive:temp.tgz"${docker_exported}" docker-daemon:opa-stuff:latest