Amazon ECR

Jenkins Plugin GitHub release Jenkins Plugin Installs Build Status GitHub license Maintenance

This plugin offers integration with Amazon Container Registry (ECR) as a DockerRegistryToken source to convert Amazon Credentials into a Docker CLI Authentication Token.

About

Amazon ECR plugin implements a Docker Token producer to convert Amazon credentials to Jenkins’ API used by (mostly) all Docker-related plugins.

Thanks to this producer, you can select your existing registered Amazon credentials for various Docker operations in Jenkins, for example using the Docker Build and Publish plugin:

Installation

Navigate to the "Plugin Manager" screen, install the "Amazon ECR" plugin and restart Jenkins.

The plugin will use the proxy configured on Jenkins if it is set.

Recommended logger for troubleshooting, you have to take care where you publish these logs could contain sensitive information

  • com.cloudbees.jenkins.plugins.amazonecr
  • com.amazonaws
  • org.apache.http.wire
  • org.jenkinsci.plugins.docker.workflow

Docker Pipeline Usage

When using the Docker Pipeline Plugin, in order to obtain an ECR login credential, you must use the ecr provider prefix.

docker.withRegistry("https://your.ecr.domain.amazonws.com", "ecr:us-east-1:credential-id") {
  docker.image("your-image-name").push()
}

If you experience authentication issues, you would try to remove user docker configuration files on the agents before to run the docker commands, something like this pipeline script.

node {
  // cleanup current user docker credentials
  sh 'rm -f ~/.dockercfg ~/.docker/config.json || true'

  // configure registry
  docker.withRegistry('https://ID.ecr.eu-west-1.amazonaws.com', 'ecr:eu-west-1:86c8f5ec-1ce1-4e94-80c2-18e23bbd724a') {

    // build image
    def customImage = docker.build("my-image:${env.BUILD_ID}")

    // push image
    customImage.push()
  }
}

Development

Testing

Unfortunately, testing against AWS isn't very straightforward, since you always need an AWS account with correct setup, which might incur some costs. Current tests try to make this as easy as possible. You need a user with read permission to ECR (AWS IAM policy AmazonEC2ContainerRegistryReadOnly should suffice) and an (empty) container registry. The test expect these details in the following environment variables:

export AWS_ACCESS_KEY_ID=<your-key-id-here>
export AWS_SECRET_ACCESS_KEY=<your-secret-access-key-here>
export AWS_REGISTRY_HOST=<some-number>.dkr.ecr.us-east-1.amazonaws.com

When those are set correctly, mvn test should run those tests successfully.

Code Style

This plugin uses Google Java Code Style, which is enforced by the spotless plugin. If the build fails because you were using the "wrong" style, you can fix it by running:

$ mvn spotless:apply

to reformat code in the proper style.