David - Musings of an SRE

Painless ECR authentication for Docker

I’ve been playing around with Jenkins lately, and one of the problems I’ve been facing is that it gets tedious manually doing an aws ecr get-login every 12 hours on the Jenkins instances so that my builds can push Docker images into ECR.

You may be thinking, why not just add the authentication into the build step before the push.

Tried that but for some reason, I’m never able to get it to eval correctly.

$ eval $(aws ecr get-login --region us-east-1)

This always results in an invalid docker login command.

Recently, I found a pretty cool helper, the Amazon ECR Docker Credential Helper, which helps to automatically authenticate your Docker client.

If, like me, you’re running Jenkins inside a Docker container, you’ll need to open a /bin/bash shell in your container:

$ docker exec -it <container> /bin/bash

Next, as your logged-in user (in this case it’s root), make sure you’ve run aws configure and have authenticated with AWS as the correct user with the correct permissions. This is because the Credential Helper looks for the credentials file that is added at ~/.aws/credentials after you authenticate.

Set up Go if you don’t have it already.

# Grab the tar

root $ wget https://storage.googleapis.com/golang/go1.6.2.linux-amd64.tar.gz
root $ tar -C /usr/local -xzf go1.6.2.linux-amd64.tar.gz

# Update your path
root $ echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile

Clone the Amazon ECR Docker Credential Helper Repository.

$ git clone https://github.com/awslabs/amazon-ecr-credential-helper.git
$ cd amazon-ecr-credential-helper
$ make docker

# this will create a binary in bin/
# add this directory to your PATH in /etc/profile

export PATH=$PATH:/path/to/ecr-credential/bin

Add the configuration to your Docker config file:

# ~/.docker/config.json

{
    "credsStore": "ecr-login"
}

And you’re done!

When you run your build again, you no longer need to authenticate.

Note: if authentication still fails, you might want to add source /etc/profile to your build step (before the actual docker pushes), so that the PATH changes above are picked up.
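
As an added example (not part of the original post or the helper project), here is a small Python check for the setup above. Docker resolves "credsStore": "ecr-login" to an executable named docker-credential-ecr-login found on PATH, and tokens from earlier manual logins stay in the config file until removed. The function names, registry name and token below are constructed for illustration.

```python
import json
import shutil
import tempfile
from pathlib import Path


def audit_docker_config(path, search_path=None):
    """Return findings for a Docker client config such as ~/.docker/config.json."""
    cfg = json.loads(Path(path).read_text())
    findings = []
    # Docker runs "credsStore": "X" as docker-credential-X, looked up on PATH.
    store = cfg.get("credsStore")
    if store is None:
        findings.append("no credsStore: docker login stores tokens in this file")
    elif shutil.which("docker-credential-" + store, path=search_path) is None:
        findings.append("docker-credential-%s is not on PATH" % store)
    # Manual logins leave a base64 user:password under auths.<registry>.auth.
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth"):
            findings.append("static credential stored for " + registry)
    return findings


def run_constructed_demo():
    """Audit three constructed configs in a temp dir; return their findings."""
    registry = "123456789012.dkr.ecr.us-east-1.amazonaws.com"  # constructed
    samples = [
        # Before: token left in the file by a manual docker login.
        {"auths": {registry: {"auth": "Q09OU1RSVUNURUQ="}}},
        # After: the config from this post.
        {"credsStore": "ecr-login"},
        # Typo in the store name: no matching helper exists.
        {"credsStore": "ecr-logn"},
    ]
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the helper so the lookup works offline.
        helper = Path(tmp, "docker-credential-ecr-login")
        helper.touch()
        helper.chmod(0o755)
        results = []
        for cfg in samples:
            path = Path(tmp, "config.json")
            path.write_text(json.dumps(cfg))
            results.append(audit_docker_config(path, search_path=tmp))
    return results


if __name__ == "__main__":
    print(run_constructed_demo())
```

To check a real build environment, call audit_docker_config on the Jenkins user's config file with search_path left as None, so the lookup uses the same PATH the build step sees.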