How to login to AWS ECR from Gitlab CI to download a Docker image

I am using Gitlab pipeline. The runner is hosted in Gitlab.

To decrease build time, I built a custom image which contains Maven dependencies. So, Maven dependencies are not downloaded from the internet during each build.

I pushed my custom image to AWS ECR. But Gitlab CI is unable to download this image.

Here is the error log:

Running with gitlab-runner 14.3.0-rc1 (ed15bfbf)
  on docker-auto-scale z3WU8uu-

Preparing the "docker+machine" executor
Using Docker executor with image ***.dkr.ecr.eu-west-1.amazonaws.com/***:latest ...
Pulling docker image 301768173512.dkr.ecr.eu-west-1.amazonaws.com/inuka-ci:latest ...
WARNING: Failed to pull image with policy "always": Error response from daemon: Get https://301768173512.dkr.ecr.eu-west-1.amazonaws.com/v2/inuka-ci/manifests/latest: no basic auth credentials (manager.go:214:0s)
ERROR: Job failed (system failure): failed to pull image "301768173512.dkr.ecr.eu-west-1.amazonaws.com/inuka-ci:latest" with specified policies [always]: Error response from daemon: Get https://301768173512.dkr.ecr.eu-west-1.amazonaws.com/v2/inuka-ci/manifests/latest: no basic auth credentials (manager.go:214:0s)

Since pipeline is triggered by Gitlab CI, I am unable to execute a docker login command before pipeline starts.

How can I make my gitlab pipeline login to AWS ECR before pipeline starts?

Edited answer, I've previously misread the question:

Create an IAM user with at least read-only access to ECR and set these environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION.

Before being able to pull images from ECR you need to obtain a token using the AWS CLI. One way to provide auth credentials to ECR is to define a variable called DOCKER_AUTH_CONFIG, which has the following structure:

{
    "auths": {
        "myregistryurl.com": {
            "auth": "base64(username:password)"
        }
    }
}

You need to define a step like this in another pipeline as the main pipeline needs the token upon launch:

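aws_token:
  image:
    name: amazon/aws-cli
    entrypoint: [""]
  script:
    # ECR always uses the fixed user name "AWS"; the password is the login token
    - USER=AWS
    - TOKEN=$(aws ecr get-login-password)
    # printf instead of echo, so no trailing newline is encoded into the password
    - AUTH=$(printf '%s:%s' "$USER" "$TOKEN" | base64 | tr -d "\n")
    # prints the encoded credential to the job log
    - echo "$AUTH"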

Take the value displayed in the logs and put it in the main pipeline as the value of the variable DOCKER_AUTH_CONFIG. In this way, the next run of the pipeline will pull the image correctly.

Notice that this token expires after 12 hours; when that time expires you will need to launch this job again.
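
A variation on the job above, added here as an example and not part of the original answer: it builds the full DOCKER_AUTH_CONFIG JSON and writes it to the project's CI/CD variable through the GitLab API, so the credential is never printed to the job log. `GITLAB_API_TOKEN` (a token with API access), `ECR_REGISTRY` and the script name are assumptions; the DOCKER_AUTH_CONFIG variable must already exist for the update to succeed.

```shell
#!/bin/sh
# Added example. GITLAB_API_TOKEN and ECR_REGISTRY are hypothetical CI/CD
# variables; CI_API_V4_URL and CI_PROJECT_ID are predefined by GitLab.

# Print the DOCKER_AUTH_CONFIG JSON for one registry.
# printf (not echo) keeps a trailing newline out of the encoded password,
# and tr removes the line wrapping that base64 adds to long tokens.
build_docker_auth_config() {
    registry=$1
    password=$2
    auth=$(printf 'AWS:%s' "$password" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$registry" "$auth"
}

# Fetch a fresh ECR password and store the JSON in the project variable.
refresh_docker_auth_config() {
    token=$(aws ecr get-login-password) || return 1
    config=$(build_docker_auth_config "$ECR_REGISTRY" "$token")
    # The API response echoes the variable value, so discard it.
    curl --fail --silent --show-error --output /dev/null \
        --request PUT \
        --header "PRIVATE-TOKEN: $GITLAB_API_TOKEN" \
        --form "value=$config" \
        "$CI_API_V4_URL/projects/$CI_PROJECT_ID/variables/DOCKER_AUTH_CONFIG"
}

# Run from a scheduled job as: sh refresh-ecr-auth.sh refresh
if [ "${1:-}" = "refresh" ]; then
    refresh_docker_auth_config
fi
```

Scheduling this more often than every 12 hours keeps the stored credential valid between runs of the main pipeline.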
