Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Shrunk excerpt.

Excerpt
Div
stylefloat:left

Image Modified

You can use the Amazon ECR Credentials Variables task to provide

temporary

temporary Amazon EC2 Container Registry (Amazon ECR) authentication credentials

for

 for other tools by injecting them into AWS unaware tasks like

the

the Bamboo Docker task. This improves versatility for using tools that are not directly integrated with Identity Federation for AWS, but accept AWS credentials via the command line, environment variables or the Bamboo task interface.

Include Page
_TasksForAWSAmazonECRNote
_TasksForAWSAmazonECRNote

Panel
borderColor#bbb
bgColor#eeeeee

On this page:

Table of Contents
exclude(Popular.*|Recent.*)

Panel
borderColor#bbb
bgColor#eeeeee

Related Pages:

Configuration

Tip
titleUse Amazon ECR Credentials with Bamboo Docker task

The most frequent use case for the Amazon ECR Credentials Variables task is to enable the built-in Bamboo Docker task to push images to an Amazon ECR repository - refer to How to push a Docker image to a repository in your Amazon ECR registry with the Bamboo Docker task for details.

To configure an Amazon ECR Credentials Variables task:

  1. Navigate to the Tasks configuration tab for the job (this will be the default job if creating a new plan).
  2. Click the name of an existing Amazon ECR Credentials Variables task, or click Add Task and then Amazon ECR Credentials Variables to create a new task.
  3. Complete the following settings:

    Task Description (Optional) Identify the purpose of the task.
    Disable this task

    Check, or clear, to selectively run this task.

    RegionSelect the desired AWS Region. Alternatively, select [Use region variable ...] to supply the region dynamically via Bamboo variables (needs to be a region code such as ap-southeast-2) - refer to How to parametrize the AWS region via a Bamboo variable for details.
    Registry ID(Optional) Select the AWS account ID that is associated with the registry for which to get authorization credentials
    (info) If you do not specify a registry, the default registry is assumed.
    SourceSelect the AWS Credentials Source (see below). Can be either Identity Federation for AWS or an IAM Role for EC2.
    Connector

    (Conditional) Select the shared Identity Federation for AWS Connector. Alternatively, select [Use connector variable ...] to supply the connector dynamically via Bamboo variables (needs to be a connector id such as f24e81bc-7aff-42db-86a2-7cf82e24d871) - refer to How to parametrize the AWS connector via a Bamboo variable for details.

    Role ARN(Conditional | Optional) Specify the ARN of another role that the agent's IAM role for EC2 should assume.

AWS Credentials Sources

Tip
titleManaged IAM Policy

We recommend to facilitate an available AWS Managed Policy to ease permission maintenance - the Amazon ECR Credentials Variables task requires the permissions in the AmazonEC2ContainerRegistryPowerUser managed policy, which at the time of this writing looks as follows:

Code Block
languagejs
collapsetrue
{
	"Version": "2012-10-17",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"ecr:GetAuthorizationToken",
			"ecr:BatchCheckLayerAvailability",
			"ecr:GetDownloadUrlForLayer",
			"ecr:GetRepositoryPolicy",
			"ecr:DescribeRepositories",
			"ecr:ListImages",
			"ecr:BatchGetImage",
			"ecr:InitiateLayerUpload",
			"ecr:UploadLayerPart",
			"ecr:CompleteLayerUpload",
			"ecr:PutImage"
		],
		"Resource": "*"
	}]
}

You have the following options to provide AWS Security Credentials:

Include Page
_IdentityFederationForAWSConnector
_IdentityFederationForAWSConnector

Include Page
_IAMRolesForEC2
_IAMRolesForEC2

Usage

Bamboo variables


This task generates the following Bamboo variables for reuse in subsequent tasks without native integration with Identity Federation for AWS:

Code Block
languagebash
titleBamboo variables
${bamboo.custom.aws.ecr.authorizationToken.password}
${bamboo.custom.aws.ecr.expirationDate}
${bamboo.custom.aws.ecr.proxyEndpoint}
${bamboo.custom.aws.ecr.proxyEndpointDomain}
${bamboo.custom.aws.ecr.username}
${bamboo.custom.aws.ecr.password}
  • (info) The '*.password' suffix ensures that sensitive variables are masked with asterisks ('*******') in the Bamboo build log.

An alternative representation as a JSON object for automated processing with tools like jq is available too:

Code Block
languagebash
titleBamboo variables (alternative representations)
${bamboo.custom.aws.ecr.credentials.json.password}	

Environment variables

Aforementioned variables will also be available as environment variables for use in Bamboo Script tasks. The syntax differs between shells, as illustrated in these examples for assigning them to the standardized variables used by tools like the AWS Command Line Interface (AWS CLI):

Code Block
languagebash
titleBash (Unix shell)
export AUTHORIZATION_TOKEN=$bamboo_custom_aws_ecr_authorizationToken_password
export EXPIRATION_DATE=$bamboo_custom_aws_ecr_expirationDate
export PROXY_ENDPOINT=$bamboo_custom_aws_ecr_proxyEndpoint
export PROXY_ENDPOINT_DOMAIN=$bamboo_custom_aws_ecr_proxyEndpointDomain
export USERNAME=$bamboo_custom_aws_ecr_username
export PASSWORD=$bamboo_custom_aws_ecr_password
Code Block
languagepowershell
titlePowerShell
$AUTHORIZATION_TOKEN = $bamboo_custom_aws_ecr_authorizationToken_password
$EXPIRATION_DATE = $bamboo_custom_aws_ecr_expirationDate
$PROXY_ENDPOINT = $bamboo_custom_aws_ecr_proxyEndpoint
$PROXY_ENDPOINT_DOMAIN = $bamboo_custom_aws_ecr_proxyEndpointDomain
$USERNAME = $bamboo_custom_aws_ecr_username
$PASSWORD = $bamboo_custom_aws_ecr_password
Code Block
languagediff
title Windows Command Prompt (cmd)
set AUTHORIZATION_TOKEN=%bamboo_custom_aws_ecr_authorizationToken_password%
set EXPIRATION_DATE=%bamboo_custom_aws_ecr_expirationDate%
set PROXY_ENDPOINT=%bamboo_custom_aws_ecr_proxyEndpoint%
set PROXY_ENDPOINT_DOMAIN=%bamboo_custom_aws_ecr_proxyEndpointDomain%
set USERNAME=%bamboo_custom_aws_ecr_username%
set PASSWORD=%bamboo_custom_aws_ecr_password%
 


How-to Articles

Filter by label (Content by label)
max8
showSpacefalse
sorttitle
excerptTypesimple
cqllabel = "amazon-ecr" and label in ("aws-iam","variableskb-how-to-article","kb-troubleshooting-article") and label in ("aws-iam","aws-credentials","amazon-ecrvariables")

Frequently Asked Questions (FAQ)

Questionslist macro
filterpopular
asktrue
limit8
topicaws-credentials