Amazon EC2 Container Registry

Learn how to use the Amazon Docker Registry in Codefresh

Setting Up ECR Integration - IAM User

Go to your Account Configuration by clicking Account Settings on the left sidebar. In the first section, called Integrations, click the Configure button next to Docker Registry.

To configure ECR, first select Amazon ECR from the new registry drop-down and then provide the following:

  • Registry Name - unique name for this configuration.
  • Access Key ID - AWS accessKeyId.
  • Secret Access Key - AWS secretAccessKey.
  • Region - AWS region.

Add Amazon EC2 Container Registry

Codefresh makes sure to automatically refresh the AWS token for you.

For more information on how to obtain the needed tokens, read the AWS documentation.

Note

You need to have an active registry all set up in AWS.

Amazon ECR push/pull operations can be authorized through two permission options: user-based and resource-based.

  1. User-based permissions: the user account needs the AmazonEC2ContainerRegistryPowerUser policy applied (or a custom policy based on it). More information and examples can be found here.
  2. Resource-based permissions: users require permission to call ecr:GetAuthorizationToken before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. You then need to provide push/pull permissions to the specific registry. More information and examples can be found here.
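
One way to check an IAM identity policy against the two requirements above, as an added example that is not Codefresh or AWS code: it confirms ecr:GetAuthorizationToken is allowed and flags push/pull actions granted beyond one repository. The function name `check_ecr_policy`, the repository ARN and both sample policies are constructed for illustration; Deny, NotAction and Condition elements are not evaluated.

```python
import fnmatch

# Push/pull actions from the AWS ECR action list; GetAuthorizationToken is
# account-wide and can only be granted on Resource "*".
AUTH = "ecr:GetAuthorizationToken"
PUSH_PULL = {
    "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:PutImage",
}
# Constructed sample values, not taken from the page.
REPO = "arn:aws:ecr:us-east-1:111122223333:repository/example-app"
BROAD = {"Statement": [{"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}]}
SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": AUTH, "Resource": "*"},
    {"Effect": "Allow", "Action": sorted(PUSH_PULL), "Resource": REPO},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(patterns, value):
    # IAM patterns may contain * and ? wildcards
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def check_ecr_policy(policy, repo_arn):
    """Return findings for an identity policy meant to push/pull one repository."""
    findings, can_auth, granted = [], False, set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are not evaluated here
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # case-insensitive
        resources = _as_list(stmt.get("Resource", []))
        if _match(actions, AUTH.lower()) and "*" in resources:
            can_auth = True
        hit = {a for a in PUSH_PULL if _match(actions, a.lower())}
        broader = [r for r in resources if r != repo_arn]
        if hit and broader:
            findings.append(f"push/pull allowed beyond {repo_arn}: {broader}")
        if _match(resources, repo_arn):
            granted |= hit
    if not can_auth:
        findings.append(f"{AUTH} is not allowed on Resource '*'")
    missing = sorted(PUSH_PULL - granted)
    if missing:
        findings.append(f"missing on {repo_arn}: {missing}")
    return findings

if __name__ == "__main__":
    for name, policy in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, check_ecr_policy(policy, REPO) or "ok")
```

An empty result means the policy can authenticate and push/pull only the named repository.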

Setting Up ECR Integration - Service Account

Go to your Account Configuration by clicking Account Settings on the left sidebar. In the first section, called Integrations, click the Configure button next to Docker Registry.

To configure ECR, first select Amazon ECR from the new registry drop-down and then provide the following:

  • Registry Name - unique name for this configuration.
  • Region - AWS region.
  • Check the box Resolve credentials from service account.

Note

This option is for hybrid customers who use the Codefresh Runner on their accounts. You will also need to make sure you have set up a Kubernetes service account to use an IAM role. You can follow the AWS documentation.

There are four different levels at which to define the service account: Runtime, Account, Pipeline, and Trigger.

The Runtime level has the lowest priority. You can define it in the Runtime Specification under runtimeScheduler > Cluster (same level as namespace) and specify the service account. The key for this is serviceAccount. You can use the default service account, provided you have added the correct annotation to it. Another option is to create a new service account with the proper permissions and annotations.

runtimeScheduler:
  cluster:
    namespace: codefresh
    clusterProvider:
      accountId: 5c1658d1736122ee1114c842
      selector: docker-desktop
    serviceAccount: codefresh-engine

The Account level is the next priority. To define the service account, you will go to Account Settings > Pipeline Settings > Advanced Options. Here there will be an option called Authenticate to ECR using this service account. Here you will type in the Kubernetes service account.

Following the Account level is the Pipeline level. You will go to the pipeline you want > Settings > Runtime, then define the Service Account.

The last and highest priority is the Trigger. You will go to the pipeline you want > Workflow > Triggers (modify or add) > Advanced Options, and you can define the Service Account.

Pushing Docker images to Amazon ECR

There are 2 ways to push images:

  1. Using the YAML push step (recommended)
  2. Manually promoting an image (shown below)

For more details on how to push a Docker image in a pipeline see the build and push example.

Manually promoting an image

The Images view has an option to manually push images to a registry.

  1. Click on the Promote button.
  2. On the promotion dialog set:
    • Repository Name - name of your repository as it is set in ECR
    • Tag - select a tag (the tag will appear after the : e.g. repository-name:tag)
    • Registry - your ECR configuration
  3. Click the Promote button.

It is possible to change the image name if you want, but make sure that the new name exists as a repository in ECR.