amazon-web-services, authentication, amazon-elastic-beanstalk, amazon-ecs

Deploy image from EC2 Container Registry to Elastic Beanstalk credentials?


Given the setup of:

In order to deploy my application, the Elastic Beanstalk single container guide says to make a Dockerrun.aws.json file.

The Elastic Beanstalk guide also says that to use images from (any) private repository, there needs to be a credentials file (with authentication token and email address) added to an S3 bucket.

Authentication to the EC2 Container Registry involves querying for a token that the docker login command can use, but it's only valid for 12 hours.

So, in theory, I can follow the Elastic Beanstalk guide, and use the aws ecr get-login, docker login ... command to get Docker to create the config file I need, convert that to a .dockercfg file and put it on S3.

If I then upload my Dockerrun.aws.json file as a new application version to Elastic Beanstalk, I can deploy it right then, if 12 hours haven't elapsed.

My concern is what happens after those 12 hours? If Elastic Beanstalk needs to auto-scale my application and spin up more instances, if it tries to use that S3-stored credential it will fail. Or if I realize I need to roll back to a previous version of my application, I can't just do that through the Elastic Beanstalk list of past application versions; I need to be on a machine with the AWS CLI installed and do the aws ecr get-login, docker login ..., upload to S3 dance again?

Is there a less fragile way to set up the authentication between Elastic Beanstalk and the EC2 Container Registry such that the 12-hour timeout isn't an issue?


Solution

  • Just inlining the relevant ECR FAQ answer here (added emphasis):

    All you need to do is specify the Amazon ECR repository in your Dockerrun.aws.json configuration and attach the AmazonEC2ContainerRegistryReadOnly policy to your container instance role.
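
The setup that FAQ answer describes, as an added example that is not part of the original answer or of AWS's documentation. The account ID, region, repository, tag and port are constructed placeholders, and aws-elasticbeanstalk-ec2-role is assumed to be the role in the environment's instance profile.

```bash
#!/usr/bin/env bash
# Added example: ECR image in Dockerrun.aws.json plus the read-only policy on
# the instance role, so no 12-hour docker login token is ever stored in S3.

# Constructed placeholder values; replace with your own.
ACCOUNT_ID="123456789012"
REGION="us-east-1"
REPO="my-app"
TAG="latest"
# Assumption: the role used by the environment's instance profile.
ROLE="aws-elasticbeanstalk-ec2-role"
POLICY_ARN="arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"

# Full ECR image URI that goes into Image.Name.
ecr_image() {
  printf '%s.dkr.ecr.%s.amazonaws.com/%s:%s' "$ACCOUNT_ID" "$REGION" "$REPO" "$TAG"
}

# Write a single-container Dockerrun.aws.json without a credentials block:
# the instances authenticate to ECR through their IAM role instead.
write_dockerrun() {
  cat > "${1:-Dockerrun.aws.json}" <<EOF
{
  "AWSEBDockerrunVersion": "1",
  "Image": { "Name": "$(ecr_image)", "Update": "true" },
  "Ports": [ { "ContainerPort": "8080" } ]
}
EOF
}

# Attach the managed read-only ECR policy to the instance role.
attach_ecr_read_policy() {
  aws iam attach-role-policy --role-name "$ROLE" --policy-arn "$POLICY_ARN"
}

# Succeeds only if the policy is attached to the role.
role_has_ecr_read() {
  aws iam list-attached-role-policies --role-name "$ROLE" \
    --query 'AttachedPolicies[].PolicyArn' --output text |
    tr '\t' '\n' | grep -qxF "$POLICY_ARN"
}

# Nothing touches AWS unless APPLY=1 is set explicitly.
if [ "${APPLY:-0}" = "1" ]; then
  write_dockerrun && attach_ecr_read_policy && role_has_ecr_read
fi
```

Because the role's credentials are rotated by AWS, instances launched by auto-scaling or by a rollback to an older application version can pull the image without a refreshed token.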