AWS ECR with Gradle
AWS Elastic Container Registry is a registry service for Docker images. It supports the Docker API for registries and therefore can be used with docker pull
, docker push
, etc. It also works with Gradle plugins such as gradle-docker-plugin
.
The authentication mechanism proves to be a challenge though. ECR requires a temporary token to be obtained using IAM credentials in order to use the registry. This doesn’t work well for CI tools because the token has a 24-hour expiry. It is also cumbersome for developer use to request a new token every 24 hours.
Solution
One solution is to use a Gradle plugin that will manage the ECR token, requesting it using AWS credentials. This post describes the use of the gradle-aws-ecr-plugin
that will manage ECR tokens for you.
The plugin uses the AWS SDK for Java. This means it will use the ~/.aws/credentials
file if available. Environment variables or Java system properties may also be used.
IAM Policy
As of this writing, I could not find a security policy to attach to a group or user to allow read/write access to ECR. You can use the following inline policy, but note this allows all access. A discussion of security around ECR is out of the scope of this writing, but you may want to look into restricting this to only allowing read/write to your repositories.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1461121381000", "Effect": "Allow", "Action": [ "ecr:*" ], "Resource": [ "*" ] } ] }
Example
Using the plugin is straightforward. You will need both the gradle-docker-plugin
and gradle-aws-ecr-plugin
.
plugins { id "com.bmuschko.docker-remote-api" version "3.0.6" id "com.patdouble.awsecr" version "0.3.2" }
Then set the Docker registry to your ECR URL. The URL is given by the AWS ECR console. Note that this clause is defined by the gradle-docker-plugin
. Neither username nor password should be set, the gradle-aws-ecr-plugin
will handle that.
docker { registryCredentials { url # 'https://123456789012.dkr.ecr.us-east-1.amazonaws.com' } }
AWS Credential Store
The plugin uses the AWS SDK to get credentials by default, read http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html for details. We’ll provide snippets here of how it works.
$ aws configure AWS Access Key ID [None]: accesskey AWS Secret Access Key [None]: secretkey Default region name [None]: us-west-2 Default output format [None]: $ ./gradlew ...
Environment Variables
Most CI tools use environment variables for configuration. You can do this for your AWS credentials. Make sure your CI tool obfuscates the secret in logs and other displays.
$ export AWS*ACCESS_KEY*ID=accesskey $ export AWS*SECRET_ACCESS*KEY=secretkey $ ./gradlew ...
System Properties
You can pass system properties to Gradle. Remember that command lines, including arguments, can generally be seen with system tools available to regular users. This is likely only useful for local testing.
$ ./gradlew -Daws.accessKeyId=accesskey -Daws.secretKey=secretkey ...
Gradle Configuration
In addition to the AWS SDK, the plugin will also take credentials as project properties.
$ ./gradlew -PawsAccessKeyId=accesskey -PawsSecretAccessKey=secretkey ...
Docker Tasks
All Docker tasks such as DockerPullImage
, DockerPushImage
, etc. that are configured with the ECR registry URL will get a temporary ECR token. No further configuration is necessary. It is possible to set the registry URL for individual tasks. For those tasks with a registry that is not ECR, the username and password will not be set with an ECR token.
Conclusion
AWS ECR is a good private registry. Following the AWS pricing model, billing is per use for storage and data. However, the temporary tokens are a challenge that is neatly solved with the gradle-aws-ecr-plugin
.
If you’d like to contribute to the plugin, either by filing bugs or enhancements, or a PR, see https://bitbucket.org/double16/gradle-aws-ecr-plugin.
Links
- gradle-aws-ecr-plugin – https://bitbucket.org/double16/gradle-aws-ecr-plugin
- gradle-docker-plugin – https://github.com/bmuschko/gradle-docker-plugin
- AWS credentials – http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html
Hi Patrick,
I’m running “./gradlew –no-daemon -Dorg.gradle.debug=true -PawsAccessKeyId=accessKey -PawsSecretAccessKey=secretKey populateECRCredentials” and I’m getting errors:
:populateECRCredentials FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Some problems were found with the configuration of task ‘:populateECRCredentials’.
> No value has been specified for property ‘registryUrl’.
> No value has been specified for property ‘registryId’.
— build.gradle —
plugins {
id “com.bmuschko.docker-remote-api” version “3.0.7”
id “com.patdouble.awsecr” version “0.3.3”
}
docker {
registryCredentials {
url = ‘https://123456789012.dkr.ecr.us-east-1.amazonaws.com’ // my Anazon ID here of course
}
}
import com.bmuschko.gradle.docker.tasks.image.DockerTagImage
task tagWorkerImage(type: DockerTagImage) {
force = true
tag = ‘latest’
imageId = ‘myImageName’
repository = “123456789012.dkr.ecr.us-east-1.amazonaws.com/myImageName”
}
— build.gradle —
I tried to debug it in IntelliJ – but it doesn’t stop on breakpoints for some reason.
Could you please help me with this?
Regards,
Uri
Forgot to mention that I’m using Gradle 3.5, but when I tried 4.0 it didn’t help
Please create an issue at https://bitbucket.org/double16/gradle-aws-ecr-plugin/issues and include the above info. Thanks.
I got it working.
I was missing 2 things:
* tagImage task is not RegistryCredentialsAware, so I had to add again pushWorkerImage(type: DockerPushImage)
* in my previous attempts to run pushWorkerImage the imageName and tag were wrong – the imageName didn’t contain the AWS URL and tag did.
I guess more informative error message would help 🙂
Thanks for your efforts,
Uri
Hi Uri,
I am stuck with the same problem.
Can you share the format of the the imageName and tag you are currently using?
I am getting below error after using DockerPushImage with imageName containing AWS url.
Local repo:
REPOSITORY TAG IMAGE ID CREATED SIZE
cont-deploy-test latest e71a2a1e8004 21 seconds ago 326MB
task dockerPushImage(type: DockerPushImage) {
dependsOn dockerBuildImage
imageName = “https://058029036333.dkr.ecr.eu-west-2.amazonaws.com/cont-deploy-test”
tag = “cont-deploy-test:latest”
}
ERROR:
Execution failed for task ‘:dockerPushImage’.
> com.github.dockerjava.core.exception.InvalidRepositoryNameException (no error message)
Thanks,
Akshay
Akshay, your ‘tag’ should not contain a colon (:). So the task should look like:
task dockerPushImage(type: DockerPushImage) {
dependsOn dockerBuildImage
imageName = “https://058029036333.dkr.ecr.eu-west-2.amazonaws.com/cont-deploy-test”
tag = “latest”
}
Patrick,
I tried making above mentioned modifications but, still getting the same error message.
Do I have to follow any specific naming convention while naming local image or AWS ECR repository?
Thanks