CloudBees action: Configure Amazon ECR credentials

Use this action to configure Amazon Elastic Container Registry (ECR) credentials for use in CloudBees workflows.

This action logs in a local container configuration file to one or more ECR private registries, or to an ECR public registry.

Prerequisites

Make sure to add the following to your YAML file:

      - name: Check out repo
        uses: actions/checkout@v1

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::123456789012:role/my-cloudbees-actions-role
          aws-region: your-aws-region

Inputs

Table 1. Input details

Input name	Data type	Required?	Description
registries	String	No	A comma-delimited list of ECR Private registry hostnames (for example, 123456789012.dkr.ecr.us-east-1.amazonaws.com) to configure credentials for. Each entry must be a fully-qualified registry hostname including the AWS account ID and region. If omitted, the default ECR Private registry for the caller’s account is used. When set, the regions input is ignored (regions are part of each hostname).

Usage examples

Usage examples

Log in to ECR, build and push a container image

Log in to an ECR private registry, then build, tag, and push a container image to it, as in the following example:

      - name: Log in to ECR
        id: login-ecr
        uses: cloudbees-io/configure-ecr-credentials@v1

      - name: Build, tag, and push a container image to ECR
        uses: cloudbees-io/kaniko@v1
        with:
          destination: 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-ecr-repo:latest

Log in to ECR, package and push a Helm chart

Log in to an ECR private registry, and then package and push a Helm chart to it, as in the following example:

      - name: Log in to ECR
        id: login-ecr
        uses: cloudbees-io/configure-ecr-credentials@v1

      - name: Package and push helm chart to ECR
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          REPOSITORY: my-ecr-repo
        uses: docker://alpine/helm:latest
        run: |
          helm package my-ecr-repo
          helm push my-ecr-repo-0.1.0.tgz oci://123456789012.dkr.ecr.us-east-1.amazonaws.com

Note	(for Kaniko users) Helm and Kaniko use the same credential store, so you can use the same credentials for both.

Log in to ECR on multiple AWS accounts

Add the AWS credentials configuration action, and then provide cross-account access by listing each target registry as a fully-qualified hostname, as in the following example:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::123456789012:role/my-cloudbees-actions-role
          aws-region: eu-west-2

      - name: Log in to ECR
        id: login-ecr
        uses: cloudbees-io/configure-ecr-credentials@v1
        with:
          registries: "123456789012.dkr.ecr.eu-west-2.amazonaws.com,998877665544.dkr.ecr.eu-west-2.amazonaws.com"

Note	The repository on account 998877665544 must explicitly grant access to the arn:aws:iam::123456789012:role/my-cloudbees-actions-role role for cross-account access to work. Refer to AWS documentation on allowing secondary account access for how to correctly configure ECR policies.

Log in to ECR in multiple AWS regions

By default, only the current AWS region is configured. To configure multiple regions, provide a comma-separated list of the regions, as in the following example:

      - name: Configure AWS credentials
        uses: cloudbees-io/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::123456789012:role/my-cloudbees-actions-role
          aws-region: us-east-1
      - name: Log in to ECR
        id: login-ecr
        uses: cloudbees-io/configure-ecr-credentials@v1
        with:
          regions: eu-west-2,ap-south-2,ap-southeast-2

License

This code is made available under the MIT license.

References

• Learn more about using actions in CloudBees workflows.

• Learn about the CloudBees platform.