Efficient and Secure Integration of Jenkins with ECR

This blog will help you integrate Jenkins with ECR in an efficient and secure way. For that, we need an AWS account, ECR (Elastic Container Repository), Jenkins, and an IAM Role.

The following are ways to push and pull a Docker image from ECR in Jenkins:

  • AWS CLI
  • AWS Role
  • AWS ECR Plugin

Problem Statement:
When using the AWS CLI or an AWS Role, we run the command below to log in to the ECR repo.

This generates a token, using the AWS role or credentials, which is valid for 12 hours. After 12 hours we have to execute the same command again to authenticate.

Solution:
To solve this issue we will leverage amazon-ecr-credential-helper, which authenticates with ECR automatically. There is no need to generate tokens again or to add more code to your Jenkins pipeline to authenticate with ECR.

Implementation:
First, we need to create an AWS IAM Role to access ECR from Jenkins.

Now we need to install amazon-ecr-credential-helper, using the steps below.

1: Clone the amazon-ecr-credential-helper utility

This will spin up a Go container which compiles the code and generates a binary

2: Move the binary to one of the directories in $PATH, like /usr/bin

3: Create a configuration file in the Jenkins home directory like below

Add the content below to the config file

Once you are done with the above steps, there is no need to run docker login when pushing/pulling images from ECR. docker-credential-ecr-login will call ECR endpoints to get the credentials.
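The configuration step above, as an added example that is not code from the original post: a Python helper that writes Docker's client config so a single ECR registry is routed to docker-credential-ecr-login through the `credHelpers` key, keeps other settings, and removes any static token left by an earlier docker login. The `.docker/config.json` location, the function name, and the registry host (placeholder account ID and region) are assumptions.

```python
import json
import os
import tempfile

HELPER = "ecr-login"  # Docker runs the binary named docker-credential-<name>


def configure_ecr_helper(docker_dir, registry):
    """Route `registry` to the ECR credential helper in <docker_dir>/config.json.

    Existing settings are preserved; any static token stored for the registry
    by an earlier `docker login` is removed. Returns the resulting config.
    """
    os.makedirs(docker_dir, mode=0o700, exist_ok=True)
    path = os.path.join(docker_dir, "config.json")
    config = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            config = json.load(fh)

    # Scope the helper to one registry instead of a global "credsStore",
    # so lookups for other registries are not sent to the ECR helper.
    config.setdefault("credHelpers", {})[registry] = HELPER

    # Drop leftover static credentials for this registry (with or without scheme).
    auths = config.get("auths", {})
    for key in [k for k in auths if k.split("://")[-1].rstrip("/") == registry]:
        del auths[key]

    # Write atomically and keep the file readable by the owner only.
    fd, tmp = tempfile.mkstemp(dir=docker_dir)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return config


if __name__ == "__main__":
    # Constructed sample: placeholder account ID and region, temporary directory.
    demo_dir = os.path.join(tempfile.mkdtemp(), ".docker")
    registry = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
    print(json.dumps(configure_ecr_helper(demo_dir, registry), indent=2))
```

On a Jenkins host, `docker_dir` would be the `.docker` directory under the Jenkins user's home, and the IAM Role attached to the instance supplies the credentials the helper uses.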

TL;DR

Create an AWS Role that accesses ECR. Build docker-credential-ecr-login binary. Place a config.json file into the Jenkins home directory.

DevOps Engineer with 10+ years of experience in the IT Industry. In-depth experience in building highly complex, scalable, secure and distributed systems.