0
votes

For a couple of days I have been facing an issue with pushing an image from Jenkins to ECR and restarting a service.

My Jenkins instance is hosted on an EC2 instance via ECS (it's built as a Docker image too).

What I want to do is build an image, log in to ECR, push the image there and restart the service. Logging in to ECR is problematic:

  1. When I do "unset AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", the "aws ecr get-login --region us-east-1" command succeeds, but the image push is stopped by "no basic auth credentials".
  2. When I do not invoke "unset AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", I can't even log in to ECR.

I did a lot of googling and analysis but I cannot find any answer. Any ideas what may cause the problem? Is it an IAM setting or ecs-agent stuff?

Policy used to run the Jenkins task:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ecr:GetAuthorizationToken"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "GetAuthorizationToken"
            },
            {
                "Action": [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:PutImage",
                    "ecr:InitiateLayerUpload",
                    "ecr:UploadLayerPart",
                    "ecr:CompleteLayerUpload"
                ],
                "Resource": [
                    "arn:aws:ecr:*:*:repository/salesiq*",
                    "arn:aws:ecr:*:*:repository/comhub*",
                    "arn:aws:ecr:*:*:repository/ssrt*",
                    "arn:aws:ecr:*:*:repository/reveal*",
                    "arn:aws:ecr:*:*:repository/se-*"
                ],
                "Effect": "Allow",
                "Sid": "EcrManagement"
            },
            {
                "Condition": {
                    "ArnLike": {
                        "ecs:cluster": [
                            "arn:aws:ecs:*:*:cluster/salesiq*",
                            "arn:aws:ecs:*:*:cluster/comhub*",
                            "arn:aws:ecs:*:*:cluster/ssrt*",
                            "arn:aws:ecs:*:*:cluster/reveal*",
                            "arn:aws:ecs:*:*:cluster/se-*"
                        ]
                    }
                },
                "Action": [
                    "ecs:RunTask",
                    "ecs:StartTask",
                    "ecs:StopTask",
                    "ecs:DescribeClusters",
                    "ecs:DescribeServices",
                    "ecs:ListClusters",
                    "ecs:DescribeContainerInstances",
                    "ecs:StopTask"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "EcsManagement"
            },
            {
                "Action": [
                    "ecs:List*",
                    "ecs:Describe*",
                    "ecr:Describe*",
                    "ecr:Get*",
                    "ecr:Describe*",
                    "ecr:List*",
                    "cloudwatch:Get*",
                    "cloudwatch:List*",
                    "cloudwatch:Describe*",
                    "ecs:UpdateService"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "EcsListing"
            }
        ]
    }

1
Does your build Docker container have IAM permissions to use ECR? Here are a couple of ECR policy examples: docs.aws.amazon.com/AmazonECR/latest/userguide/… - Sébastien Stormacq
Yes, those are all the policies attached to the role assigned as "Task role" to the Jenkins container: awsiam-sauce awsiam-sauce-the-sequel cloudwatch-logging dynamodb-access ecr-ecs-policy lambda-access s3-access sns-access sqs-access - Marcin Okoń
It would be interesting to double-check the policies under ecr-ecs-lambda from the list above. - Sébastien Stormacq

1 Answer

0
votes

I think what you might be missing is the docker login command itself, which is not mentioned in your question. So you need the following:

    aws ecr get-login --region region --no-include-email

and then you want to execute the output of the above command:

    docker login -u AWS -p password https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com

Alternatively you can run:

    $(aws ecr get-login --no-include-email --region eu-west-1)

and then

    docker push $ecr_repo:latest

A sample of the bash script I am running in my pipeline:

    #!/bin/bash
    set -ex

    # $branch: current git branch
    # $commit: hash of the current git commit
    # $ecr_repo: Self explanatory

    # Execute the "docker login ..." line that get-login prints
    $(aws ecr get-login --no-include-email --region eu-west-1)
    docker pull "$ecr_repo:latest"
    docker build --cache-from "$ecr_repo:latest" -t image_name .
    docker tag image_name:latest "$ecr_repo:$commit"
    if [ "$branch" = "master" ]; then
      docker tag image_name:latest "$ecr_repo:latest"
      docker push "$ecr_repo:latest"
    fi
    docker push "$ecr_repo:$commit"
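As an added example (not part of the answer above or of the asker's pipeline): the same login-then-push step, but with the token from `aws ecr get-login` fed to `docker login --password-stdin` instead of evaluating the printed command line, plus a check of which credential source the CLI will use inside the ECS task. It assumes `aws` and `docker` are on PATH and that `$ecr_repo` holds a full repository URI; the account id and token in the comments are constructed placeholders.

```shell
#!/bin/bash
# Added example: ECR login and push from a Jenkins job running as an ECS task.
# Assumes the aws CLI and docker are on PATH and $ecr_repo is a full repository
# URI such as 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app (placeholder).
set -eu

# Report which AWS credential source the CLI will pick inside the container.
# With AWS_CONTAINER_CREDENTIALS_RELATIVE_URI set, the CLI uses the ECS task
# role; unsetting it falls back to the EC2 instance profile, a different identity
# with different permissions, so the login and the push can end up as different
# principals.
credential_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    echo "static-env-keys"
  elif [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
    echo "ecs-task-role"
  else
    echo "instance-profile-or-config"
  fi
}

# Registry host from a "docker login -u AWS -p <token> https://<host>" line as
# printed by `aws ecr get-login --no-include-email`. Returns 1 if no URL found.
registry_from_login_cmd() {
  local line="$1" host
  host=$(printf '%s\n' "$line" | sed -n 's#.*https://\([^ ]*\).*#\1#p')
  [ -n "$host" ] || return 1
  echo "$host"
}

# Token (the argument after -p) from the same line. Returns 1 if absent.
token_from_login_cmd() {
  local line="$1" token
  token=$(printf '%s\n' "$line" | sed -n 's#.* -p \([^ ]*\) .*#\1#p')
  [ -n "$token" ] || return 1
  echo "$token"
}

# Log in with the token on stdin (keeps it out of `ps` output and build logs),
# then push. Newer CLIs also offer `aws ecr get-login-password`, which prints
# only the token and makes the parsing above unnecessary.
ecr_login_and_push() {
  local region="$1" repo="$2" tag="$3" login_cmd registry
  echo "credentials via: $(credential_source)"
  login_cmd=$(aws ecr get-login --region "$region" --no-include-email)
  registry=$(registry_from_login_cmd "$login_cmd")
  token_from_login_cmd "$login_cmd" | docker login -u AWS --password-stdin "$registry"
  docker push "$repo:$tag"
}
```

Call it from the pipeline step as `ecr_login_and_push us-east-1 "$ecr_repo" "$commit"`.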