Push to ECR from Jenkins pipeline

AWS_Lernar picture AWS_Lernar · Nov 28, 2019 · Viewed 10.2k times · Source

I have Jenkins server on-preminse. I have Jenkins file which create Docker image now i want to push that image to AWS ECR.Do i have to create a special IAM user and provide its access and secret access keys ? Or what will be the best way to do this.

I found below on internet

  withAWS(role:'Jenkins', roleAccount:'XXXX216610',duration: 900, roleSessionName: 'jenkinssession')
  sh ' eval \$(aws ecr get-login --no-include-email --region us-east-2) '

But as my jenkins server is onprem how role will work ?

Answer

Adiii picture Adiii · Nov 28, 2019

Do i have to create a special IAM user and provide its access and secret access keys ? Or what will be the best way to do this.

If you are running Jenkins inside your AWS and you using the secret key and access key you are violating best practice. You should never use the access key and secret key inside AWS VPC. These are designed to interact with AWS from outside of AWS account.

You should create an IAM role which has specific role and that role allow Jenkins only to push the image to ECR.

As far your current command, eval \$(aws ecr get-login --no-include-email --region us-east-2) you will always need this token to push/pull the image to ECR, this token has some expiry, you should read about this approach below. But it seems okay with IAM role.

ECR_AWSCLI-get-login-token

Also you can explore Amazon+ECR-plugin

About

Amazon ECR plugin implements a Docker Token producer to convert Amazon credentials to Jenkins’ API used by (mostly) all Docker-related plugins. Thank's to this producer, you can select your existing registered Amazon credentials for various Docker operations in Jenkins, for sample using CloudBees Docker Build and Publish plugin: