Can a GitLab runner be given access rights to an AWS account? - amazon-web-services

To DevOps,
I am running a GitLab pipeline and I want to push a created image to an AWS ECR in an account. How would I give access rights to the GitLab Runner to access the AWS ECR?
Thanks,
Marc

Related

Api credentials for AWS ECR

I created a new AWS account for AWS ECS. In Jenkins I installed the AWS ECS plugin and now I want to build and push images into the registry.
But I need to create an API key and secret in AWS in order for Jenkins to communicate with AWS ECR.
How do I create these credentials in AWS?
Create an IAM user by following this documentation:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
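Whether the CI principal is an IAM user (as in this answer) or the role a GitLab runner assumes (as in the main question), what matters is the policy attached to it. The following is an added example, not code from any of the posts: it builds an ECR policy scoped to a single repository and checks a policy for the common "ecr:* on *" over-grant. Account id, region and repository name are constructed placeholders.

```python
import json

# Added example; the account id, region and repo name are constructed placeholders.
# Repository-scoped actions a CI job needs in order to push one image.
PUSH_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]


def repository_arn(account_id: str, region: str, repo_name: str) -> str:
    return f"arn:aws:ecr:{region}:{account_id}:repository/{repo_name}"


def build_ecr_push_policy(account_id: str, region: str, repo_name: str) -> dict:
    """Identity policy for the CI user/role: push to exactly one repository.

    GetAuthorizationToken (the 'docker login' step) is not resource-scoped
    and has to be granted on "*"; everything else is pinned to the repo ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Effect": "Allow", "Action": PUSH_ACTIONS,
             "Resource": repository_arn(account_id, region, repo_name)},
        ],
    }


def audit_policy(policy: dict) -> list:
    """Flag Allow statements granting anything beyond the login call on every resource."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        broad = [a for a in actions if a != "ecr:GetAuthorizationToken"]
        if stmt.get("Effect") == "Allow" and "*" in resources and broad:
            findings.append(f"{broad} allowed on every repository")
    return findings


# The copy-paste policy often handed to CI users: full ECR access everywhere.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}],
}

if __name__ == "__main__":
    scoped = build_ecr_push_policy("123456789012", "eu-west-1", "my-app")
    print(json.dumps(scoped, indent=2))
    print("broad policy findings: ", audit_policy(OVERLY_BROAD_POLICY))
    print("scoped policy findings:", audit_policy(scoped))
```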

Google cloud credentials for deploying cloud run service in CI pipeline

I am attempting to deploy a Cloud Run service from source from a GitLab CI pipeline. I can deploy it manually, with my own credentials, but am struggling to give the right credentials to the CI pipeline to get it to deploy.
These are the commands in my pipeline:
gcloud auth activate-service-account --key-file $CLOUD_RUN_CREDENTIALS
gcloud run deploy api --source=./api/ --region=us-cental1
CLOUD_RUN_CREDENTIALS is a pipeline file variable that contains the key for a service account I have created for this purpose. The service account has the following roles:
Cloud Build Editor role
Artifact Registry Admin role
Storage Admin role
Cloud Run Admin role
Service Account User role
In the Cloud Build settings I have enabled Cloud Run Admin and Service Account User.
When I run this GitLab job, I get the following error:
$ gcloud auth activate-service-account --key-file $CLOUD_RUN_CREDENTIALS
Activated service account credentials for: [XXXXXXXXXXX@XXXXXXXXXX.iam.gserviceaccount.com]
$ gcloud run deploy api --source=./api/ --region=us-cental1
ERROR: Error in retrieving repository from Artifact Registry.
ERROR: (gcloud.run.deploy) INVALID_ARGUMENT: Request contains an invalid argument.
Is this a permissions issue? What permissions do I need to give this service account to allow the deployment to succeed? If not, what am I doing wrong?
If you use the Build from Source feature, the Cloud Build Service Account is the one used to perform certain actions, like pulling and pushing images from Artifact Registry.
You have to grant the Cloud Build Service account (the one called PROJECT_NUMBER@cloudbuild.gserviceaccount.com) the required permissions.
Go to IAM, look for the Cloud Build Service Account and grant it the permissions you listed above. That should solve the issue.
The Service Account used from GitLab doesn't need all these permissions. Cloud Run Admin should be enough.

How to get AWS credentials for Jenkins + ECR + Pipeline

I am currently building Jenkins + ECR CI/CD.
Here's the pipeline code.
docker.withRegistry(
    'https://ID.ecr.eu-west-1.amazonaws.com',
    'ecr:eu-west-1:86c8f5ec-1ce1-4e94-80c2-18e23bbd724a') {
    // build-and-push steps (omitted in the question)
}
My question is: how can I get the ECR login credential?
The login credential in the above code is 'ecr:eu-west-1:86c8f5ec-1ce1-4e94-80c2-18e23bbd724a'.
My reference documentation is https://plugins.jenkins.io/amazon-ecr/
Install the AWS Pipeline Plugin in Jenkins.
Then you can create an AWS credential from Manage Jenkins - Manage Credentials.
Open a freestyle job. You can find "Credentials" under git or docker. Choose one and click add. The default credential provider is Jenkins. Click it and choose "AWS credential". Fill in the Amazon access key ID and access key and submit.
Go to "Manage Jenkins" and then "Manage Credentials". You can find the credential ID there.

How can codeBuild container run aws-cli commands without prior authentication?

Say I use aws-cli locally on my machine; I'd need to authenticate with credentials prior to any operation.
How do AWS services give permission to other services on my behalf? And more specifically, how does a container run aws-cli on my behalf without prior authentication?
I am asking this after running my first pipeline successfully in CodePipeline. My buildspec.yml runs the aws s3 sync command flawlessly, which made me wonder how AWS permissions work internally.
AWS CodeBuild uses an IAM Service Role to provide AWS permissions to the CodeBuild environment. You should have had to create a service role for your CodeBuild configuration.
When the AWS cli tool runs, and it hasn't been previously configured with API access keys, it will check if it is running in an AWS environment like EC2 or Lambda and if so, it will use the AWS IAM role assigned to that runtime environment.
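The lookup order described in this answer is the default credential provider chain. The following added example (not from the answer) models a simplified version of it so the CodeBuild case can be compared with a laptop and an EC2 instance; the real chain has further steps (assume-role profiles, web identity, SSO) that are left out, and all environments and file contents are constructed.

```python
import configparser

# Added example: simplified model of the AWS CLI/SDK default credential
# provider chain. Assume-role, web-identity and SSO steps are omitted.


def resolve_credential_source(env: dict, credentials_file: str = "",
                              imds_available: bool = False) -> str:
    """Return which source the CLI would take credentials from, or 'none'."""
    # 1. Environment variables. Lambda injects the execution role's temporary
    #    keys this way, so a function resolves at this step.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment variables"
    # 2. ~/.aws/credentials, the file 'aws configure' writes on a laptop.
    profile = env.get("AWS_PROFILE", "default")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(credentials_file)
    if cfg.has_option(profile, "aws_access_key_id"):
        return f"shared credentials file (profile '{profile}')"
    # 3. Container credentials. CodeBuild and ECS set this variable so the CLI
    #    fetches the build/task role's temporary keys from a local endpoint;
    #    no long-lived keys are baked into the image or the buildspec.
    if env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") or \
            env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI"):
        return "container credentials (CodeBuild/ECS role)"
    # 4. EC2 instance profile via the instance metadata service (IMDS).
    if imds_available and env.get("AWS_EC2_METADATA_DISABLED", "").lower() != "true":
        return "EC2 instance profile (IMDS)"
    return "none"


# Constructed inputs for the cases discussed in the thread.
LAPTOP_FILE = ("[default]\n"
               "aws_access_key_id = AKIAEXAMPLE\n"
               "aws_secret_access_key = EXAMPLESECRET\n")
CODEBUILD_ENV = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/EXAMPLE"}

if __name__ == "__main__":
    print("laptop:   ", resolve_credential_source({}, LAPTOP_FILE))
    print("codebuild:", resolve_credential_source(CODEBUILD_ENV))
    print("ec2:      ", resolve_credential_source({}, imds_available=True))
    print("nothing:  ", resolve_credential_source({}))
```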

Codepipeline with remote ECR source

Is it possible to use a remote ECR Repository as a source in CodePipeline?
I get the following error:
The repository with name '12345.dkr.ecr.eu-central-1.amazonaws.com/ecrrepo' does not exist in the registry with id '67890'
(Account IDs have been intentionally changed)
However the remote repository definitely exists.
Whole picture: I have 2 accounts, dev and test. Now that I have a pipeline built and running in dev account, I would like to do the same deployment in test account, but using the same ECR repository.
Just additional info: I am able to deploy to the ECS cluster of test account manually using the dev account's repository.
CodeBuild definitely supports cross account ECR image access, doesn't CodePipeline?
Any hints for solution or workaround? (I can think of Lambda)
At the moment, in the CodePipeline source stage, when ECR is selected you only have the option to provide an ECR repository from the current AWS account.
A workaround would be to have a CodeBuild stage in the pipeline which can retrieve the cross-account ECR source:
https://aws.amazon.com/blogs/devops/how-to-use-cross-account-ecr-images-in-aws-codebuild-for-your-build-environment/
Your pipeline can still be started by CloudWatch Events when the ECR source changes in the other account:
CW Event Bus: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEvents-CrossAccountEventDelivery.html