Docker – Integrate Amazon Elastic Container Registry with Jenkins

amazon-ecr, amazon-web-services, docker, Jenkins

I'm trying to integrate Amazon's new Elastic Container Registry (ECR) with my Jenkins build service. I'm using the Cloudbees Docker Build & Publish plugin to build container images and publish them to a registry.

To use ECR instead of my private registry, I've run the AWS CLI command aws --region us-east-1 ecr get-login, which spews a docker login command to run – but I just copied out the password and created a Jenkins credential of type "Username with password" from that password (the username is always "AWS").

And that works fine! The problem is that the ECR password generated by the AWS CLI is only valid for 12 hours. So right now, I have to manually regenerate the password twice a day and update the Jenkins credentials screen manually, otherwise my builds start failing.

Is there a way to generate permanent ECR login tokens, or somehow automate the token generation?

Best Answer

This is now possible using amazon-ecr-credential-helper as described in https://aws.amazon.com/blogs/compute/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/.

The short of it is:

  • Ensure that your Jenkins instance has the proper AWS credentials to pull/push with your ECR repository. These can be in the form of environment variables, a shared credential file, or an instance profile.
  • Place the docker-credential-ecr-login binary in one of the directories in $PATH.
  • Write the Docker configuration file under the home directory of the Jenkins user, for example, /var/lib/jenkins/.docker/config.json, with the content {"credsStore": "ecr-login"}
  • Install the Docker Build and Publish plugin and make sure that the jenkins user can contact the Docker daemon.
  • Finally, create a project with a build step that publishes the Docker image.
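
A pre-flight check for the setup steps above, added here as an example and not part of the original answer. The helper binary name, config file location and credsStore value come from the answer; the function names, exit codes and the check for a leftover static token are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the credential-helper setup before a Jenkins build
# relies on it. Function names and exit codes are hypothetical.

# find_helper PATH_STRING -> prints the helper's location, status 1 if absent
find_helper() {
  _old_ifs=$IFS; IFS=:
  for _dir in $1; do
    if [ -x "$_dir/docker-credential-ecr-login" ]; then
      IFS=$_old_ifs; echo "$_dir/docker-credential-ecr-login"; return 0
    fi
  done
  IFS=$_old_ifs; return 1
}

# check_ecr_setup DOCKER_CONFIG_DIR [PATH_STRING]
# 0 = ready, 1 = helper not on PATH, 2 = config.json missing,
# 3 = credsStore is not ecr-login, 4 = static token still stored in the file
check_ecr_setup() {
  _cfg="$1/config.json"
  find_helper "${2:-$PATH}" >/dev/null || { echo "helper not on PATH" >&2; return 1; }
  [ -f "$_cfg" ] || { echo "missing $_cfg" >&2; return 2; }
  grep -Eq '"credsStore"[[:space:]]*:[[:space:]]*"ecr-login"' "$_cfg" ||
    { echo "credsStore is not ecr-login in $_cfg" >&2; return 3; }
  # A leftover "auth" value is a token written by an earlier `docker login`
  # (for example the 12-hour ECR password); flag it so it can be removed.
  if grep -Eq '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$_cfg"; then
    echo "static auth token present in $_cfg" >&2; return 4
  fi
  return 0
}

# make_fixture DIR CONFIG_JSON: constructed sample layout for trying the check
make_fixture() {
  mkdir -p "$1/bin" "$1/.docker"
  printf '#!/bin/sh\n' > "$1/bin/docker-credential-ecr-login"
  chmod +x "$1/bin/docker-credential-ecr-login"
  printf '%s\n' "$2" > "$1/.docker/config.json"
}
```

Run as the Jenkins user, the call would be check_ecr_setup /var/lib/jenkins/.docker, which searches that user's own $PATH for the helper.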