- unmigrated-wiki-markup
Documentation for Identity Federation for AWS 2.6 – other releases are available in the Identity Federation for AWS Documentation Directory.
View
or visit the current documentation home.
Using the Amazon ECR Credentials Variables task in Bamboo
Configuration
Use Amazon ECR Credentials with Bamboo Docker task
The most frequent use case for the Amazon ECR Credentials Variables task is to enable the built-in Bamboo Docker task to push images to an Amazon ECR repository - refer to How to push a Docker image to a repository in your Amazon ECR registry with the Bamboo Docker task for details.
To configure an Amazon ECR Credentials Variables task:
- Navigate to the Tasks configuration tab for the job (this will be the default job if creating a new plan).
- Click the name of an existing Amazon ECR Credentials Variables task, or click Add Task and then Amazon ECR Credentials Variables to create a new task.
Complete the following settings:
Task Description (Optional) Identify the purpose of the task. Disable this task Check, or clear, to selectively run this task.
Region Select the desired AWS Region. Alternatively, select [Use region variable ...] to supply the region dynamically via Bamboo variables (needs to be a region code such as ap-southeast-2
) - refer to How to parametrize the AWS region via a Bamboo variable for details.Registry ID (Optional) Select the AWS account ID that is associated with the registry for which to get authorization credentials
If you do not specify a registry, the default registry is assumed.Source Select the AWS Credentials Source (see below). Can be either Identity Federation for AWS or an IAM Role for EC2. Connector (Conditional) Select the shared Identity Federation for AWS Connector. Alternatively, select [Use connector variable ...] to supply the connector dynamically via Bamboo variables (needs to be a connector id such as
f24e81bc-7aff-42db-86a2-7cf82e24d871
) - refer to How to parametrize the AWS connector via a Bamboo variable for details.Role ARN (Conditional | Optional) Specify the ARN of another role that the agent's IAM role for EC2 should assume.
AWS Credentials Sources
Managed IAM Policy
We recommend to facilitate an available AWS Managed Policy to ease permission maintenance - the Amazon ECR Credentials Variables task requires the permissions in the AmazonEC2ContainerRegistryPowerUser managed policy, which at the time of this writing looks as follows:
You have the following options to provide AWS Security Credentials:
Identity Federation for AWS
Federated Amazon Web Services access
This is the recommended approach to share and manage AWS credentials:
- It provides benefits like easy credentials sharing and reuse, fine grained access control for AWS resources, strong encryption and more.
Refer to the Administrator's Guide for details on how to configure the connectors.
- this option requires at least one AWS Connector to be configured with System Scope to allow usage from Bamboo builds, where no user session is available
- a connector yields a set of temporary credentials on task execution (optionally limiting the IAM permissions)
- you can configure multiple connectors to provide credentials with different IAM permissions tailored for specific use cases
IAM Role for EC2 (Agent)
You can use IAM Roles for Amazon EC2 to optionally skip credentials configuration all together: if an agent happens to run on an EC2 instance started with an instance profile (IAM role), the tasks can be configured to facilitate those credentials. Of course, the underlying IAM role needs to have sufficient permissions for the task at hand.
This credentials source requires the agent to be running on an Amazon EC2 instance started with an instance profile, which yields three scenarios:
- local agent - requires the hosting Bamboo server itself to run on EC2
- remote agent - requires the remote agent to run on EC2
- elastic agent - requires the elastic agent to run on EC2
- You can optionally specify the ARN of another role that the agent's IAM role for EC2 should assume via the instance profile credentials - this enables various scenarios, notably switching to roles across your own AWS accounts and third-party.AWS accounts (cross-account IAM roles).
Usage
Bamboo variables
This task generates the following Bamboo variables for reuse in subsequent tasks without native integration with Identity Federation for AWS:
${bamboo.custom.aws.ecr.authorizationToken.password} ${bamboo.custom.aws.ecr.expirationDate} ${bamboo.custom.aws.ecr.proxyEndpoint} ${bamboo.custom.aws.ecr.proxyEndpointDomain} ${bamboo.custom.aws.ecr.username} ${bamboo.custom.aws.ecr.password}
The '*.password' suffix ensures that sensitive variables are masked with asterisks ('*******') in the Bamboo build log.
An alternative representation as a JSON object for automated processing with tools like jq is available too:
${bamboo.custom.aws.ecr.credentials.json.password}
Environment variables
Aforementioned variables will also be available as environment variables for use in Bamboo Script tasks. The syntax differs between shells, as illustrated in these examples for assigning them to the standardized variables used by tools like the AWS Command Line Interface (AWS CLI):
export AUTHORIZATION_TOKEN=$bamboo_custom_aws_ecr_authorizationToken_password export EXPIRATION_DATE=$bamboo_custom_aws_ecr_expirationDate export PROXY_ENDPOINT=$bamboo_custom_aws_ecr_proxyEndpoint export PROXY_ENDPOINT_DOMAIN=$bamboo_custom_aws_ecr_proxyEndpointDomain export USERNAME=$bamboo_custom_aws_ecr_username export PASSWORD=$bamboo_custom_aws_ecr_password
$AUTHORIZATION_TOKEN = $bamboo_custom_aws_ecr_authorizationToken_password $EXPIRATION_DATE = $bamboo_custom_aws_ecr_expirationDate $PROXY_ENDPOINT = $bamboo_custom_aws_ecr_proxyEndpoint $PROXY_ENDPOINT_DOMAIN = $bamboo_custom_aws_ecr_proxyEndpointDomain $USERNAME = $bamboo_custom_aws_ecr_username $PASSWORD = $bamboo_custom_aws_ecr_password
set AUTHORIZATION_TOKEN=%bamboo_custom_aws_ecr_authorizationToken_password% set EXPIRATION_DATE=%bamboo_custom_aws_ecr_expirationDate% set PROXY_ENDPOINT=%bamboo_custom_aws_ecr_proxyEndpoint% set PROXY_ENDPOINT_DOMAIN=%bamboo_custom_aws_ecr_proxyEndpointDomain% set USERNAME=%bamboo_custom_aws_ecr_username% set PASSWORD=%bamboo_custom_aws_ecr_password%
How-to Articles
Frequently Asked Questions (FAQ)
Amazon Web Services™, AWS™ and the “Powered by Amazon Web Services” logo are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.
Utoolity® is a registered trademark of Utoolity GmbH.
© 2024 Utoolity GmbH. All rights reserved.