Satya

Reputation: 1037

access ecr images from within jenkins docker ecs container

Hello Jenkins / Docker experts -

Stuff that is working:

Using the approach suggested here, I was able to get the Jenkins docker image running in an AWS ECS cluster. Using -v volume mounts for the docker socket (/var/run/docker.sock) and docker (/usr/bin/docker), I am able to access the docker process from inside the Jenkins container as well.

Stuff that isn't:

The last problem I am facing is pulling / pushing images to and from the AWS ECR registry. When I try to execute docker pull / push commands, I end up with: no basic auth credentials.

I stumbled upon this link explaining my problem. But I am unable to use the solutions suggested there, as there is no ~/.docker/config.json on the host machine to share with the Jenkins docker container.

Any suggestions?

Upvotes: 0

Views: 2137

Answers (1)

Adiii

Reputation: 59946

Amazon ECR users require permissions to call ecr:GetAuthorizationToken before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. Amazon ECR provides several managed policies to control user access at varying levels; for more information, see ecr_managed_policies

AmazonEC2ContainerRegistryPowerUser

This managed policy allows power user access to Amazon ECR, which allows read and write access to repositories, but does not allow users to delete repositories or change the policy documents applied to them.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetRepositoryPolicy",
            "ecr:DescribeRepositories",
            "ecr:ListImages",
            "ecr:DescribeImages",
            "ecr:BatchGetImage",
            "ecr:InitiateLayerUpload",
            "ecr:UploadLayerPart",
            "ecr:CompleteLayerUpload",
            "ecr:PutImage"
        ],
        "Resource": "*"
    }]
}

So, instead of using ~/.docker/config.json, assign a role with the above policy to your ECS task, and your docker container service will be able to push and pull images from ECR.

IAM Roles for Tasks

With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances. Instead of creating and distributing your AWS credentials to the containers or using the EC2 instance’s role, you can associate an IAM role with an ECS task definition or RunTask API operation. The applications in the task’s containers can then use the AWS SDK or CLI to make API requests to authorized AWS services.

Benefits of Using IAM Roles for Tasks

Credential Isolation: A container can only retrieve credentials for the IAM role that is defined in the task definition to which it belongs; a container never has access to credentials that are intended for another container that belongs to another task.

Authorization: Unauthorized containers cannot access IAM role credentials defined for other tasks.

Auditability: Access and event logging is available through CloudTrail to ensure retrospective auditing. Task credentials have a context of taskArn that is attached to the session, so CloudTrail logs show which task is using which role.

But you have to run this command, as mentioned above, to get the auth token.

eval $(aws ecr get-login --no-include-email)

You will get a response like

Login Succeeded

Now you can push and pull images once you have obtained the auth token from ECR.

docker push xxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/nodejs:test

Automate ECR login

Upvotes: 1
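The login flow from the answer (task role supplies the AWS credentials, the CLI exchanges them for a short-lived ECR token, docker logs in with it) as an added shell example that is not part of the original answer. It uses `aws ecr get-login-password` piped into `docker login --password-stdin` instead of the older `aws ecr get-login` shown above, so the token never lands on a command line; the account id is a constructed placeholder, and the aws CLI and docker client are assumed to be present inside the Jenkins container.

```shell
#!/bin/sh
# Added example: log the Jenkins container into ECR using the ECS task role,
# with no ~/.docker/config.json on the host. Account id below is a placeholder.

# Extract the registry host from a full ECR image reference.
ecr_registry_from_image() {
    printf '%s\n' "$1" | cut -d/ -f1
}

# Derive the AWS region from an ECR registry host
# (<account>.dkr.ecr.<region>.amazonaws.com).
ecr_region_from_registry() {
    printf '%s\n' "$1" | awk -F. '{ print $4 }'
}

# ECS injects AWS_CONTAINER_CREDENTIALS_RELATIVE_URI into every container of a
# task that has a task role. If it is absent, no role reached this container,
# and the aws CLI will fail with a credentials error rather than a config error.
task_role_present() {
    [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]
}

# Obtain a short-lived ECR token and hand it to docker login on stdin, so the
# token is never visible in the process list or in Jenkins console output.
ecr_login() {
    image="$1"
    registry=$(ecr_registry_from_image "$image")
    region=$(ecr_region_from_registry "$registry")
    task_role_present || { echo "no ECS task role in this container" >&2; return 1; }
    aws ecr get-login-password --region "$region" |
        docker login --username AWS --password-stdin "$registry"
}

# Usage inside a Jenkins shell step (account id is a placeholder):
# ecr_login 123456789012.dkr.ecr.us-west-2.amazonaws.com/nodejs:test \
#   && docker push 123456789012.dkr.ecr.us-west-2.amazonaws.com/nodejs:test
```

The task-role check is the quickest way to tell a missing role from a missing policy: if the variable is set but login still fails, look at the IAM policy on the task role (ecr:GetAuthorizationToken is the one that gates the token call).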
