Improve this page on GitHub

GitOps Amazon ECR integration

Integrate Amazon ECR with GitOps for image enrichment

Codefresh offers native support for interacting with Amazon ECR (Elastic Container Registry), enabling you to push, pull, and deploy container images seamlessly.
For general information on container registry integrations for GitOps, see Container registry GitOps integrations.

GitOps Amazon ECR integration options

You can set up the integration with Amazon ECR in one of two modes:

  • IAM (Identity and Access Management) role (dynamic integration)
    IAM roles provide temporary security credentials for applications and services to access AWS resources securely, that expire after a period of time.
  • Access key and secret (static integration)
    Access keys consist of an access key ID and a secret access key, used to authenticate and authorize API requests to AWS services for a specific user. Unlike IAM roles, access keys are long-term credentials, without a default expiration date.

NOTE
Access Key integration requires Runtime version 0.1.27 or higher.

Both IAM and access key modes use AWS Identity and Access Management (IAM) to create the integration with Amazon ECR.
For detailed information, see How Amazon Elastic Container Registry Works with IAM and the AWS security blog.

Prerequisites

Permissions for IAM Role and Access Key integrations

The IAM Role/Access Key user must have one of the following permissions:

  • AmazonEC2ContainerRegistryReadOnly for read-only access to Amazon EC2 Container Registry repositories.
  • AmazonEC2ContainerRegistryFullAccess for administrative access to Amazon ECR resources.
  • AmazonEC2ContainerRegistryPowerUser for full access to Amazon EC2 Container Registry repositories, without permissions to delete repositories or make changes to policies.

If any of these permissions are not granted, images cannot be successfully reported from ECR.

IAM Role integration

IAM Role for ECR integration

Amazon ECR integration in Codefresh requires an Identity and Access Management (IAM) Role with permissions to the ECR registry. For details, see Create the ECR integration IAM role.

Other IAM roles

Once you have an ECR integration IAM Role, you can use a different IAM role if that Role can assume the ECR integration IAM Role.
To use an IAM Role assigned to the Service Account used by app-proxy for example, the Role must be explicitly configured with a trust relationship to assume the ECR integration IAM Role - even if the other IAM Role is the ECR integration IAM Role.

For example:

{
  "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::XXXXX:role/eksctl-awscluster-ServiceRole-XXXXXX"  # IAM role for ECR integration
            },
    "Action": "sts:AssumeRole",
    "Condition": {}
}

Access Key integration

You must generate an access key ID and the access secret for the IAM user, and download or copy them to a secure location.

NOTE
The steps that follow describe access key generation through the AWS Management Console. We assume that you have created the IAM user for whom to generate the access key. See Creating an IAM user in your AWS account.

  1. Sign in to the AWS Management Console, and go to the IAM dashboard.
  2. In the left pane, click Users, and select the IAM user for whom to generate an access key.
  3. Click the Security credentials tab.
  4. Below Access keys, click Create access key.
  5. From Access key best practices & alternatives, select Command Line Interface (CLI).
  6. Select I understand the above recommendation… and then click Next.
  7. Enter an optional description and then click Create access key.
  8. Click Download .csv file, or copy the Access key ID, and the Secret access key which is automatically generated to a secure location.
    You will need to define them in the integration settings.
  9. Click Done.

Amazon ECR-GitOps integration settings in Codefresh

The table describes the arguments required for GitOps integrations with Amazon ECR in Codefresh.

Setting Description
Integration name A friendly name for the integration. This is the name you will reference in the third-party CI platform/tool.
All Runtimes/Selected Runtimes The runtimes in the account with which to share the integration resource.
The integration resource is created in the Git repository with the shared configuration, within resources. The exact location depends on whether the integration is shared with all or specific runtimes:
  • All runtimes: Created in resources/all-runtimes-all-clusters/
  • Selected runtimes: Created in resources/runtimes/
You can reference the Docker Hub integration in the CI tool.
IAM Role settings IAM Role integration is not supported for Hosted GitOps Runtimes.
  • IAM Role: The name of the IAM role you defined for ECR integration with the specific permissions for authentication to the ECR registry.
  • Region: The geographic region hosting the container registry. Define the region nearest to you.
Access Key settings Access Key integration is supported for both Hosted and Hybrid GitOps Runtimes.
  • Access Key ID: The access key generated for the IAM user, and paired with the Secret Access Key for authentication to the ECR registry.
  • Secret Access Key: The secret access key generated for and paired with the Access Key for authentication to the ECR registry.
  • Region: The geographic region hosting the ECR registry. Define the region nearest to you.
Test connection Click to verify that you can connect to the specified instance before you commit changes.

Amazon ECR for image enrichment

Amazon ECR integration for image enrichment

For how-to instructions, see Configure container registry integrations for GitOps in Codefresh and Edit/delete container registry integrations for GitOps in Codefresh.

Shared Configuration Repository
Image enrichment with GitOps integrations
CI GitOps integrations
Issue-tracking GitOps integrations