Jenkins pipeline Docker agent from AWS ECR

Question

I need to execute Jenkins pipeline in Docker as an agent,

Docker image is located in AWS ECR,

How can I auth over AWS ECR to pull image for agent?

Answer 1

agent {
  docker {
    alwaysPull true
    image '<aws-account-Id>.dkr.ecr.us-west-2.amazonaws.com/<ecr-repo>:<tag>'
    registryUrl 'https://<aws-account-Id>.dkr.ecr.us-west-2.amazonaws.com'
    registryCredentialsId 'ecr:us-west-2:<Jenkins Credential ID>'
  }
}

To use image from AWS ECR repo as agent in jenkins first you need to Add Credentials of Kind AWS Credentials. Now just use above code to in agent block in your pipeline code. Make sure to replace

1. <aws-account> with AWS Account Id.

2. <ecr-repo> with the ECR repo name

3. <tag> with ECR image tag you want to use.

4. <Jenkins Credential ID> with Jenkins credentials Id you got when you save the credentials in Jenkins.

5. us-west-2 replace with your ecr repo region

You can use https://<jenkins.url>/directive-generator/ to get this code generated for you.

Answer 2

You can try this:

    agent { 
        docker { 
            label "buildDockerNode"
            image "nodejs10-test-v1"
            alwaysPull true
            registryUrl "*aws_account_id*.dkr.ecr.us-west-2.amazonaws.com/*project*"
            registryCredentialsId "ecr:us-west-2:*cred_id*"
        }
    }

Answer 3

According to this page https://aws.amazon.com/blogs/compute/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/ something like the following should work:

sh """#!/bin/bash
      docker login -u=${USER} -p=${PASS} https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com
"""

Answer 4

Means you need to Authorization token before pulling the image from ECR it's mean you also need to install AWS-CLI on Jenkins server. The best way is to assign role and run the below command in your pipeline to get authorization token, if it is complicated then use ECR plugin below.

Before it can push and pull images Docker client must authenticate to Amazon ECR registries as an AWS user. The AWS CLI get-login command provides you with authentication credentials to pass to Docker. For more information, see Registry Authentication. use JENKINS/Amazon+ECR

Note: For create token automatically based on AWS registery or you can run in jenkins file this command before pull

$(aws ecr get-login --no-include-email --region us-west-2)

And for go need to execute Jenkins pipeline in Docker as an agent Prefer this link.