堆栈内存溢出
  简体   繁体   English

在 Jenkinsfile 中对 ECR 进行授权,以便我可以提取图像来运行构建?

[英]Auth into ECR in a Jenkinsfile so I can pull an image to run the build in?

 原文  2019-10-30 00:33:02       amazon-web-services/ docker/ jenkins/ jenkins-pipeline/ aws-ecr

问题描述

The situation here is that we have an app that's currently being built on a Jenkins slave with a certain version of node installed on it.这里的情况是,我们有一个应用程序目前正在 Jenkins slave 上构建,上面安装了特定版本的节点。 We want to standardize the build environment, and so to do that want to build inside a docker container.我们想要标准化构建环境,所以要在 docker 容器中构建。

Through my research it definitely seems possible .通过我的研究,这似乎绝对有可能 However, the challenge for us is we want to use custom images we manage ourselves and store in ECR.然而,我们面临的挑战是我们想要使用我们自己管理并存储在 ECR 中的自定义图像。 We don't want to use the ones on docker hub.我们不想使用 docker 集线器上的那些。 With that constraint in mind, I'm struggling to authenticate into our ECR within my Jenkinsfile.考虑到这一限制,我正在努力在我的 Jenkinsfile 中对我们的 ECR 进行身份验证。 Ideally I could do something like this:理想情况下,我可以做这样的事情:

pipeline {
    agent {
        docker {
            image 'node:7'
            registryUrl 'ecr_url.amazonaws.com'
            registryCredentialsId 'ecr:us-east-1:iam_role'
        }
    }
    stages {
        stage('Build') {
            steps {
                sh 'command goes here'
            }
        }
    }
}

But the issue here is that our ECR login relies on running a shell command on the Jenkins worker (which has aws cli installed) to log in and access the image.但这里的问题是我们的 ECR 登录依赖于在 Jenkins worker(安装了 aws cli)上运行 shell 命令来登录和访问图像。 So far I've had no luck authenticating within the Jenkinsfile so I can pull an image to run the build in. Does anyone know if this is possible and if so, how to edit the Jenkinsfile to do it?到目前为止,我还没有在 Jenkinsfile 中进行身份验证,所以我可以拉出一个图像来运行构建。有谁知道这是否可能,如果可以,如何编辑 Jenkinsfile 来做到这一点?

3 个解决方案

解决方案1
 1  2019-10-30 07:47:09

You need Authorization token before pulling the image from ECR it's mean you also need to install AWS-CLI on Jenkins server.在从 ECR 提取图像之前,您需要授权令牌,这意味着您还需要在 Jenkins 服务器上安装 AWS-CLI。 The best approach is to assign role and run the below command somewhere in your pipeline to get authorization token, if that seems complicated to you you can use ECR plugin below.最好的方法是分配角色并在管道中的某处运行以下命令以获取授权令牌,如果这对您来说似乎很复杂,您可以使用下面的 ECR 插件。

Your Docker client must authenticate to Amazon ECR registries as an AWS user before it can push and pull images.您的 Docker 客户端必须以 AWS 用户身份向 Amazon ECR 注册表进行身份验证,然后才能推送和拉取图像。 The AWS CLI get-login command provides you with authentication credentials to pass to Docker. AWS CLI get-login 命令为您提供身份验证凭证以传递给 Docker。 For more information, see Registry Authentication.有关详细信息,请参阅注册表身份验证。

AmazonECR-registry_auth AmazonECR-registry_auth

So you can use JENKINS/Amazon+ECR所以你可以使用JENKINS/Amazon+ECR 在此处输入图像描述

Amazon ECR plugin implements a Docker Token producer to convert Amazon credentials to Jenkins' API used by (mostly) all Docker-related plugins. Amazon ECR 插件实现了 Docker 令牌生成器,以将 Amazon 凭证转换为 Jenkins 的 API,由(大部分)所有 Docker 相关插件使用。 Thank's to this producer, you can select your existing registered Amazon credentials for various Docker operations in Jenkins, for sample using CloudBees Docker Build and Publish plugin: Thank's to this producer, you can select your existing registered Amazon credentials for various Docker operations in Jenkins, for sample using CloudBees Docker Build and Publish plugin:

Normally we use this command to obtain token.通常我们使用这个命令来获取token。

$(aws ecr get-login --no-include-email --region us-west-2)

with in pipline you can try在管道中,您可以尝试

pipeline
{
    options
    {
        buildDiscarder(logRotator(numToKeepStr: '3'))
    }

    agent any
    environment 
    {
        PROJECT = 'tap_sample'
        ECRURL = 'http://999999999999.dkr.ecr.eu-central-1.amazonaws.com'
        ECRCRED = 'ecr:eu-central-1:tap_ecr'
    }
    stages
    {
        stage('Docker image pull')
        {
            steps
            {
                script
                {
                    sh("eval \$(aws ecr get-login --no-include-email | sed 's|https://||')")
                    docker.withRegistry(ECRURL, ECRCRED)
                    {
                        docker.image(PROJECT).pull()
                    }
                }
            }
        }
    }
}

解决方案2
 0  2020-05-21 11:43:39

You almost had it working.你几乎让它工作了。 The trick to using it as an agent on the declarative pipeline is to create an AWS credential with empty Access_key and Secret but setting an IAM role on it.将其用作声明性管道上的代理的技巧是创建一个带有空Access_keySecret但在其上设置 IAM 角色的 AWS 凭证。 詹金斯证书

pipeline {
    agent {
        docker { 
          image '<account-id>.dkr.ecr.eu-west-1.amazonaws.com/image/my-image:v1'
          args '--entrypoint= '
          registryCredentialsId "ecr:eu-west-1:aws-instance-role"
          registryUrl "https://<account-id>.dkr.ecr.eu-west-1.amazonaws.com"
        }
    }
    stages {
        stage('Test') {
            steps {
                sh "I'm on an ECR agent"
            }
        }
    }
}

Make sure that you can assume this role, you can an instance role that allows assuming itself.确保您可以担任此角色,您可以是允许担任自己的实例角色。 I've created a medium post describing this process on a cross-account ECR How to run Jenkins agents with cross-account ECR images using instance roles on EKS.我创建了一篇关于跨账户 ECR 如何使用 EKS 上的实例角色运行具有跨账户 ECR 映像的 Jenkins 代理的中等帖子来描述此过程。

解决方案3
 0  2023-01-26 18:04:33

use aws pipeline steps.使用 aws 管道步骤。 It allows for a ecrLogin() where you can specify registry ids if needed.它允许使用 ecrLogin(),您可以在其中指定注册表 ID(如果需要)。 https://plugins.jenkins.io/pipeline-aws/#plugin-content-ecrlogin https://plugins.jenkins.io/pipeline-aws/#plugin-content-ecrlogin

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何将 IAM 角色附加到 EC2 实例,以便它们可以从 Terraform 中的 ECR 中提取特定图像 - How to attach IAM roles to EC2 instances so they can pull an specific image from ECR in Terraform 如何构建Docker映像并将其推到带有CIRCLE 2.0的ECR中? - How can I build a Docker image and push it to ECR with CIRCLE 2.0? 尝试从专用ECR提取图像时“没有基本身份验证凭据” - “no basic auth credentials” when trying to pull an image from a private ECR Kubernetes无法从AWS ECR中提取Docker映像 - Kubernetes can't pull docker image from AWS ECR ECS代理无法从ECR成功提取图像 - ECS agent can not successfully pull image from ECR 无法将图像推送到 Amazon ECR - 因“没有基本身份验证凭证”而失败 - Can't push image to Amazon ECR - fails with "no basic auth credentials" 来自守护进程的错误响应:Jenkinsfile 中没有用于将 docker 映像上传到 ECR 的此类 ID - Error response from daemon: no such id in Jenkinsfile for uploading docker image to ECR 从 ECR 拉取镜像到 Kubernetes 部署文件 - Pull image from ECR to Kubernetes deployment file AWS CloudFormation CodeBuild:我可以使用 ECR 图像作为环境图像吗 - AWS CloudFormation CodeBuild: Can i use ECR image as Environment image Amazon ECR上的受限图像提取权限 - Restricted Image Pull rights on Amazon ECR
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM