
Push to ECR from Jenkins pipeline

I have a Jenkins server on-premise. I have a Jenkinsfile which creates a Docker image; now I want to push that image to AWS ECR. Do I have to create a special IAM user and provide its access and secret access keys? Or what will be the best way to do this?

I found the below on the internet:

  withAWS(role:'Jenkins', roleAccount:'XXXX216610', duration: 900, roleSessionName: 'jenkinssession') {
    sh ' eval \$(aws ecr get-login --no-include-email --region us-east-2) '
  }

But as my Jenkins server is on-prem, how will the role work?

AWS_Lernar asked Nov 28 '19 08:11



3 Answers

Instead of eval, you now can use the Jenkins ‘amazon-ecr’ plugin from https://plugins.jenkins.io/amazon-ecr/ for ECR deployments.

pipeline {
  environment {
    registry = '1111111111111.dkr.ecr.eu-central-1.amazonaws.com/myRepo'
    registryCredential = 'ID_OF_MY_AWS_JENKINS_CREDENTIAL'
    dockerImage = ''
  }
  agent any
  stages {
    stage('Building image') {
      steps{
        script {
          dockerImage = docker.build registry + ":$BUILD_NUMBER"
        }
      }
    }
    stage('Deploy image') {
        steps{
            script{
                docker.withRegistry("https://" + registry, "ecr:eu-central-1:" + registryCredential) {
                    dockerImage.push()
                }
            }
        }
    }
  }
}

Jonas_Hess answered Oct 29 '22 15:10


Do I have to create a special IAM user and provide its access and secret access keys? Or what will be the best way to do this?

If you are running Jenkins inside your AWS and you are using the secret key and access key, you are violating best practice. You should never use the access key and secret key inside an AWS VPC. These are designed to interact with AWS from outside of the AWS account.

You should create an IAM role which has a specific role, and that role allows Jenkins only to push the image to ECR.

As for your current command, eval \$(aws ecr get-login --no-include-email --region us-east-2), you will always need this token to push/pull the image to ECR. This token has some expiry; you should read about this approach below. But it seems okay with an IAM role.

ECR_AWSCLI-get-login-token

Also you can explore Amazon+ECR-plugin

About

Amazon ECR plugin implements a Docker Token producer to convert Amazon credentials to Jenkins’ API used by (mostly) all Docker-related plugins. Thanks to this producer, you can select your existing registered Amazon credentials for various Docker operations in Jenkins, for example using CloudBees Docker Build and Publish plugin:

Adiii answered Oct 29 '22 16:10


It's possible, but very subtle to debug, so make sure you follow the steps below.

  1. Use dockerfile agent in jenkins pipeline (You can name it Dockerfile.jenkins or something else you prefer) and install amazon ecr credential helper in it to get a clean and stable building environment.

FROM ubuntu:rolling

RUN apt-get update && apt-get install -y amazon-ecr-credential-helper

  2. Create a config.json file in your git repo, like .docker/config.json.

{
    "credHelpers": {
        "[YOUR_ACCOUNT_ID].dkr.ecr.[YOUR_REGION].amazonaws.com": "ecr-login"
    }
}

  3. Test docker pull in your Jenkinsfile, make sure your access key's user is enabled with the right policy (probably AmazonEC2ContainerRegistryFullAccess).

pipeline {
    agent {
        dockerfile {
            filename 'Dockerfile.jenkins'
        }
    }
    stages {
        stage('TEST ECR') {
            steps {
                script { 
                    sh "DOCKER_CONFIG=.docker AWS_ACCESS_KEY_ID=[YOUR_ACCESS_KEY_ID] AWS_SECRET_ACCESS_KEY=[YOUR_SECRET_KEY] docker pull [YOUR PRIVATE IMAGE]"

                    // docker.build("${tag}", "${DOCKER_BUILD_ARGS} -f Dockerfile .")
                    // sh "docker push ${tag}"
                }
            }
        }
    }
}

If it's okay to pull, then you can just change DOCKER_CONFIG=.docker AWS_ACCESS_KEY_ID=[YOUR_ACCESS_KEY_ID] AWS_SECRET_ACCESS_KEY=[YOUR_SECRET_KEY] docker pull [YOUR PRIVATE IMAGE] to docker push [YOUR IMAGE] under correct environment variable settings.

Your repo would look like:

.
├── .docker
│   └── config.json
├── Dockerfile
└── Dockerfile.jenkins

kigawas answered Oct 29 '22 17:10
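
How the role from the question can be used by an on-prem Jenkins, as an added example that is not part of any answer above: a key stored in the Jenkins credential store is used only to assume the role, and the login and push run with the role's temporary credentials. It assumes the Pipeline: AWS Steps plugin (which provides withAWS) and AWS CLI v2 on the agent; the credential ID aws-jenkins-base and the repository name my-repo are hypothetical, while the role name, region and account placeholder follow the page.

```groovy
// Added example. 'aws-jenkins-base' and 'my-repo' are hypothetical names;
// [YOUR_ACCOUNT_ID] is a placeholder to fill in.
pipeline {
  agent any
  environment {
    AWS_REGION   = 'us-east-2'
    ECR_REGISTRY = '[YOUR_ACCOUNT_ID].dkr.ecr.us-east-2.amazonaws.com'
    ECR_REPO     = 'my-repo'
  }
  stages {
    stage('Build image') {
      steps {
        sh 'docker build -t "$ECR_REGISTRY/$ECR_REPO:$BUILD_NUMBER" .'
      }
    }
    stage('Push to ECR') {
      steps {
        // The stored key signs the AssumeRole call; inside the block the
        // AWS_* environment variables hold the role's 15-minute session.
        withAWS(credentials: 'aws-jenkins-base', role: 'Jenkins',
                roleAccount: '[YOUR_ACCOUNT_ID]', region: 'us-east-2',
                duration: 900, roleSessionName: 'jenkinssession') {
          // Single quotes: the shell expands the variables, so no secret is
          // interpolated into the script text by Groovy. The registry
          // password goes over stdin, not the command line.
          sh '''
            set -eu
            aws ecr get-login-password --region "$AWS_REGION" |
              docker login --username AWS --password-stdin "$ECR_REGISTRY"
            docker push "$ECR_REGISTRY/$ECR_REPO:$BUILD_NUMBER"
          '''
        }
      }
    }
  }
  post {
    always {
      // Drop the cached registry token from the agent's Docker config.
      sh 'docker logout "$ECR_REGISTRY" || true'
    }
  }
}
```

The stored key itself needs no ECR permissions, only permission to assume the role; the ECR push permissions sit on the role.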


