Can ECR serve as a Docker build cache backend?

I’m trying to use ECR as a Docker build cache backend instead of S3 to cut costs. My images are in ECR and deployed to ECS. I’ve set up the buildx command with cache-to and cache-from options pointing to ECR. The first build works fine, creating a new ECR repo. But the second run fails with a 400 Bad Request error when trying to write the manifest blob.

Here’s a simplified version of my build command:

docker buildx build --push \
    --cache-to type=registry,ref=myecr.dkr.ecr.region.amazonaws.com/cache:${APP}-${ENV} \
    --cache-from type=registry,ref=myecr.dkr.ecr.region.amazonaws.com/cache:${APP}-${ENV} \
    --tag "${IMAGE_NAME}:${TAG}" .

I’ve set oci-mediatypes and image-manifest to true as per the docs. The cache and images are in separate repos. With S3, I had folders for manifests and blobs, but ECR only shows images with their digest and tag.

What am I missing? How can I get ECR to work as a build cache backend?
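The simplified command in the question leaves out the oci-mediatypes and image-manifest attributes it mentions. The sketch below is an added example, not the poster's script. It shows where those attributes sit in the --cache-to value, and because the cache options are a comma-separated list, it rejects APP/ENV values that fall outside the tag character set. The function names are hypothetical and the repo host is the placeholder from the question.

```shell
#!/bin/sh
# Added example: compose the registry-cache arguments for buildx.
# CACHE_REPO is the placeholder host/repo from the question, not a real endpoint.
CACHE_REPO="myecr.dkr.ecr.region.amazonaws.com/cache"

# A tag is 1-128 characters of [A-Za-z0-9_.-] and may not start with '.' or '-'.
valid_tag() {
    case "$1" in
        ''|.*|-*) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 128 ]
}

# Print "<repo>:<app>-<env>", or fail if either part is empty or the tag is invalid.
# A comma, '=' or space in APP/ENV would otherwise be parsed as part of the options.
cache_ref() {
    [ -n "$1" ] && [ -n "$2" ] || { echo "app and env are required" >&2; return 1; }
    tag="$1-$2"
    valid_tag "$tag" || { echo "invalid cache tag: $tag" >&2; return 1; }
    printf '%s:%s' "$CACHE_REPO" "$tag"
}

# Value for --cache-to, with the two attributes the question says were set.
cache_to_arg() {
    ref=$(cache_ref "$1" "$2") || return 1
    printf 'type=registry,ref=%s,oci-mediatypes=true,image-manifest=true' "$ref"
}

# Value for --cache-from; the importer only needs the ref.
cache_from_arg() {
    ref=$(cache_ref "$1" "$2") || return 1
    printf 'type=registry,ref=%s' "$ref"
}

# Usage (not executed here):
#   docker buildx build --push \
#       --cache-to "$(cache_to_arg "$APP" "$ENV")" \
#       --cache-from "$(cache_from_arg "$APP" "$ENV")" \
#       --tag "${IMAGE_NAME}:${TAG}" .
```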

Using ECR as a Docker build cache backend is an interesting approach, but it’s not a common use case. ECR is primarily designed for storing and managing container images, not as a generic caching system.

The 400 Bad Request error you’re encountering suggests that ECR isn’t fully compatible with the cache format that buildx is trying to use. ECR expects specific manifest structures for container images, which may not align with the cache data.

Instead of using ECR directly, you might consider exploring alternative caching strategies. One option is to use a dedicated caching layer in your Dockerfile, which can be more efficient and cost-effective. Another approach is to use multi-stage builds to separate your build dependencies from your final image, reducing overall build times.

If cost is your primary concern, you could also look into optimizing your S3 usage or exploring other caching solutions specifically designed for CI/CD pipelines. These might offer better performance and compatibility for your use case.

Have you tried using a dedicated cache repo in ECR? Might work better than mixing cache and images. Also, check your IAM perms - maybe that’s causing the 400 error. Could try tweaking the buildx command too, like adding --oci-worker-snapshotter=overlayfs. Worth a shot!