Efficient and Secure Integration of Jenkins with ECR

Ankur
3 min readJun 5, 2021

This blog shows how to integrate Jenkins with ECR in an efficient and secure way. For that we need an AWS account, ECR (Elastic Container Registry), Jenkins, and an IAM role attached to the Jenkins host.

There are three common ways to push and pull a Docker image to and from ECR in Jenkins:

  • AWS CLI
  • AWS IAM role
  • AWS ECR Plugin

Problem Statement:
When we use the AWS CLI or an IAM role, we run the command below to log in to the ECR registry:

aws ecr get-login

This generates an authorization token from the role or credentials that is valid for 12 hours. After 12 hours we have to run the same command again to re-authenticate, so every pipeline (or a long-running agent) needs a login step that is repeated before the token expires. (In AWS CLI v2 get-login has been removed; the equivalent is "aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com", and the token it returns has the same 12-hour lifetime.)

Solution:
To solve this we use amazon-ecr-credential-helper (the docker-credential-ecr-login binary), a Docker credential helper that obtains an ECR authorization token on demand through the AWS SDK credential chain. Docker calls it transparently on every push and pull, so there is no token to refresh and no login code to add to the Jenkins pipeline.

Implementation:
First we need an IAM policy for ECR access, attached to the role the Jenkins host uses (for example the EC2 instance profile of the Jenkins node). Note that "Resource": "*" below grants push and pull on every repository in the account: ecr:GetAuthorizationToken only accepts "*", but the repository-level actions can and should be scoped to the ARNs of the repositories Jenkins actually needs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "*"
    }
  ]
}
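As an added example (not part of the original post), the script below generates a least-privilege version of the policy above: the account-wide ecr:GetAuthorizationToken keeps "Resource": "*" in its own statement, while every repository-level action is scoped to one repository ARN. The account id, region and repository name are constructed placeholders; the ARN format is the documented one for ECR repositories.

```shell
#!/bin/sh
# Added example: emit an ECR policy scoped to a single repository.
# Inputs (all assumed/constructed): AWS account id, region, repository name.

# ARN of an ECR repository: arn:aws:ecr:<region>:<account-id>:repository/<name>
ecr_repo_arn() {
  # $1 account id, $2 region, $3 repository name
  printf 'arn:aws:ecr:%s:%s:repository/%s' "$2" "$1" "$3"
}

# Policy document with two statements:
#  - GetAuthorizationToken is not resource-scoped and must use "*"
#  - push/pull actions are limited to the named repository
ecr_scoped_policy() {
  # $1 account id, $2 region, $3 repository name
  arn=$(ecr_repo_arn "$1" "$2" "$3")
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "PushPullOneRepo",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:DescribeRepositories",
        "ecr:DescribeImages",
        "ecr:ListImages",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "$arn"
    }
  ]
}
EOF
}

# Usage with hypothetical values (constructed account id, region and repo).
ecr_scoped_policy 123456789012 us-east-1 my-app
```

Add more repository ARNs to the second statement's Resource list if Jenkins pushes to several repositories; the first statement stays as it is.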

Now we need to install amazon-ecr-credential-helper. Here we build it from source with the steps below; the project also publishes release binaries and distribution packages if you prefer not to build it yourself.

1: Clone the amazon-ecr-credential-helper repository and build it

git clone https://github.com/awslabs/amazon-ecr-credential-helper.git
cd amazon-ecr-credential-helper/
make docker

This spins up a Go container that compiles the code and writes the binary to bin/local:

mkdir -p bin
docker run --rm \
-e TARGET_GOOS= \
-e TARGET_GOARCH= \
-v '/root/amazon-ecr-credential-helper/bin':/go/src/github.com/awslabs/amazon-ecr-credential-helper/bin \
sha256:f40028122007c4597897a7950d160497ee9963827ac218cc9e37176a21f65b25
./scripts/build_binary.sh ./bin/local 0.5.0 c5b4d8f
go: downloading github.com/aws/aws-sdk-go v1.38.44
go: downloading github.com/docker/docker-credential-helpers v0.6.3
go: downloading github.com/mitchellh/go-homedir v1.1.0
go: downloading github.com/pkg/errors v0.9.1
go: extracting github.com/pkg/errors v0.9.1
go: extracting github.com/mitchellh/go-homedir v1.1.0
go: downloading github.com/sirupsen/logrus v1.4.2
go: extracting github.com/sirupsen/logrus v1.4.2
go: downloading golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f
go: extracting github.com/docker/docker-credential-helpers v0.6.3
go: extracting golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f
go: extracting github.com/aws/aws-sdk-go v1.38.44
go: downloading github.com/jmespath/go-jmespath v0.4.0
go: extracting github.com/jmespath/go-jmespath v0.4.0
go: finding github.com/docker/docker-credential-helpers v0.6.3
go: finding github.com/mitchellh/go-homedir v1.1.0
go: finding github.com/aws/aws-sdk-go v1.38.44
go: finding github.com/sirupsen/logrus v1.4.2
go: finding golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f
go: finding github.com/jmespath/go-jmespath v0.4.0
go: finding github.com/pkg/errors v0.9.1
Built ecr-login
[root@ip-10-0-0-216 amazon-ecr-credential-helper]# cd bin/local/
[root@ip-10-0-0-216 local]# ls
docker-credential-ecr-login

2: Move the binary to one of the directories in $PATH, such as /usr/bin. It has to be on the PATH of the process that runs the Docker client, i.e. the Jenkins user or agent service, not only your interactive shell.

3: Create a Docker client configuration file in the Jenkins home directory:

vim /var/lib/jenkins/.docker/config.json

and add the following content to the config file (the .docker directory and config.json must be owned and readable by the jenkins user):

{
  "credsStore": "ecr-login"
}

Once the above steps are done there is no need to run docker login before pushing to or pulling from ECR. Docker invokes docker-credential-ecr-login, which calls ecr:GetAuthorizationToken with the AWS credential chain (here the instance role attached to the Jenkins host) and hands a fresh token back to Docker on every push and pull. Two caveats: credsStore applies the helper to every registry, so if the node also logs in to Docker Hub or another registry, use "credHelpers" keyed by the ECR registry hostname instead; and every job running on the node inherits the role's push rights, so scope the policy to the repositories those jobs need.

From a Jenkinsfile sh step (AWS_ECR_REPO is the registry hostname, e.g. <account-id>.dkr.ecr.<region>.amazonaws.com, and ${currentBuild.number} is interpolated by Groovy):

docker push ${AWS_ECR_REPO}/${REPO_NAME}:${currentBuild.number}
docker pull ${AWS_ECR_REPO}/${REPO_NAME}:${currentBuild.number}
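As an added example (not part of the original post), the script below wraps steps 2 and 3: it writes the Docker client config for the Jenkins user with the helper bound only to the ECR registry via "credHelpers" (so other registries keep their normal logins), sets owner-only permissions, and checks that the helper binary is reachable on PATH before the first build. The account id and region are constructed placeholders; the Jenkins home /var/lib/jenkins is the one used in the post.

```shell
#!/bin/sh
# Added example: Docker client config and pre-flight check for the
# ECR credential helper. Assumed/constructed values: account id
# 123456789012, region us-east-1, Jenkins home /var/lib/jenkins.

# Registry hostname that Docker looks up in credHelpers.
ecr_registry_host() {
  # $1 account id, $2 region
  printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"
}

# config.json mapping only the ECR host to the helper; "ecr-login"
# resolves to the docker-credential-ecr-login binary on PATH.
docker_config_json() {
  # $1 registry host
  printf '{\n  "credHelpers": {\n    "%s": "ecr-login"\n  }\n}\n' "$1"
}

# Write the config under the given home with owner-only permissions.
write_docker_config() {
  # $1 home directory, $2 registry host
  mkdir -p "$1/.docker"
  docker_config_json "$2" > "$1/.docker/config.json"
  chmod 700 "$1/.docker"
  chmod 600 "$1/.docker/config.json"
}

# Return 0 if the helper binary is on PATH, 1 otherwise.
helper_on_path() {
  # $1 helper binary name
  command -v "$1" >/dev/null 2>&1
}

# Usage (hypothetical values; run as root, then hand the files to jenkins):
#   host=$(ecr_registry_host 123456789012 us-east-1)
#   write_docker_config /var/lib/jenkins "$host"
#   chown -R jenkins:jenkins /var/lib/jenkins/.docker
#   helper_on_path docker-credential-ecr-login || echo "helper not on PATH"
# As the jenkins user, a dry run of the helper prints the credential JSON
# (Username "AWS" plus the token) using the instance role, with no docker login:
#   echo "$host" | docker-credential-ecr-login get
```

If the dry run fails, check the instance role (ecr:GetAuthorizationToken is required) and that the helper is on the PATH of the jenkins user, not just root's.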

TL;DR

Create an AWS Role that accesses ECR. Build docker-credential-ecr-login binary. Place a config.json file into the Jenkins home directory.


Ankur

DevOps Engineer with 10+ years of experience in the IT Industry. In-depth experience in building highly complex, scalable, secure and distributed systems.