GitOps Amazon ECR integration
Codefresh has native support to interact with Amazon ECR (Elastic Container Registry), and push, pull, and deploy images.
For general information on adding an Amazon ECR integration for GitOps in Codefresh, see Container registry GitOps integrations.
GitOps Amazon ECR integration options
You can set up the integration with Amazon ECR in one of two modes:
- IAM (Identity and Access Management) role (dynamic integration)
IAM roles provide temporary security credentials for applications and services to access AWS resources securely, that expire after a period of time.
- Access key and secret (static integration)
Access keys consist of an access key ID and a secret access key, used to authenticate and authorize API requests to AWS services for a specific user. Unlike IAM roles, access keys are long-term credentials, without a default expiration date.
Amazon ECR integration with IAM Role is supported only for Hybrid GitOps. Access Key integration is supported for both Hosted and Hybrid GitOps. Access Key integration requires runtime version 0.1.27 or higher.
Both IAM and access key modes use AWS Identity and Access Management (IAM) to create the integration with Amazon ECR.
For detailed information, see How Amazon Elastic Container Registry Works with IAM and the AWS security blog.
IAM Role integration
IAM Role for ECR integration
Amazon ECR integration in Codefresh requires an Identity and Access Management (IAM) Role with permissions to the ECR registry. For details, see Create the ECR integration IAM role.
Other IAM roles
Once you have an ECR integration IAM Role, you can use a different IAM role if that Role can assume the ECR integration IAM Role.
To use an IAM Role assigned to the Service Account used by app-proxy for example, the Role must be explicitly configured with a trust relationship to assume the ECR integration IAM Role - even if the other IAM Role is the ECR integration IAM Role.
"AWS": "arn:aws:iam::XXXXX:role/eksctl-awscluster-ServiceRole-XXXXXX" # IAM role for ECR integration
Access Key integration
You must generate an access key ID and the access secret for the IAM user, and download or copy them to a secure location.
The steps that follow describe access key generation through the AWS Management Console. We assume that you have created the IAM user for whom to generate the access key. See Creating an IAM user in your AWS account.
- Sign in to the AWS Management Console, and go to the IAM dashboard.
- In the left pane, click Users, and select the IAM user for whom to generate an access key.
- Click the Security credentials tab.
- Below Access keys, click Create access key.
- From Access key best practices & alternatives, select Command Line Interface (CLI).
- Select I understand the above recommendation… and then click Next.
- Enter an optional description and then click Create access key.
- Click Download .csv file, or copy the Access key ID, and the Secret access key which is automatically generated to a secure location.
You will need to define them in the integration settings.
- Click Done.
Amazon ECR-GitOps integration settings in Codefresh
The table describes the arguments required for GitOps integrations with Amazon ECR in Codefresh.
|A friendly name for the integration. This is the name you will reference in the third-party CI platform/tool.
|All Runtimes/Selected Runtimes
| The runtimes in the account with which to share the integration resource.
The integration resource is created in the Git repository with the shared configuration, within
resources. The exact location depends on whether the integration is shared with all or specific runtimes:
|IAM Role settings
|IAM Role integration is not supported for Hosted GitOps Runtimes.
|Access Key settings
|Access Key integration is supported for both Hosted and Hybrid GitOps Runtimes.
|Click to verify that you can connect to the specified instance before you commit changes.
For how-to instructions, see Configure container registry integrations for GitOps in Codefresh and Edit/delete container registry integrations for GitOps in Codefresh.