This plugin is up for adoption.

This plugin offers integration with Amazon EC2 Container Registry (ECR) as a DockerRegistryToken source to convert Amazon Credentials into a Docker CLI Authentication Token.

About

The Amazon ECR plugin implements a Docker token producer that converts Amazon credentials for the Jenkins API used by (mostly) all Docker-related plugins.
Thanks to this producer, you can select your existing registered Amazon credentials for various Docker operations in Jenkins, for example when using the CloudBees Docker Build and Publish plugin.

Requirements

  • Jenkins version 1.642 or later

Installation

Navigate to the "Plugin Manager" screen, install the "Amazon ECR" plugin and restart Jenkins.

Since version 1.6, the plugin uses the proxy configured in Jenkins, if one is set.

Recommended loggers for troubleshooting are listed below. Take care where you publish these logs, because they could contain sensitive information.

  • com.cloudbees.jenkins.plugins.amazonecr
  • com.amazonaws
  • org.apache.http.wire
  • org.jenkinsci.plugins.docker.workflow

Docker Pipeline Usage

When using the CloudBees Docker Pipeline Plugin, in order to obtain an ECR login credential, you must use the ecr provider prefix.

docker.withRegistry("https://your.ecr.domain.amazonaws.com", "ecr:us-east-1:credential-id") {
  docker.image("your-image-name").push()
}

If you experience authentication issues, try removing the user's Docker configuration files on the agents before running the docker commands, as in this pipeline script.

node {
        // clean up the current user's cached Docker credentials
        sh 'rm ~/.dockercfg || true'
        sh 'rm ~/.docker/config.json || true'

        // configure the registry; the "ecr:<region>:<credential-id>" prefix selects this plugin
        docker.withRegistry('https://ID.ecr.eu-west-1.amazonaws.com', 'ecr:eu-west-1:86c8f5ec-1ce1-4e94-80c2-18e23bbd724a') {

            // build image
            def customImage = docker.build("my-image:${env.BUILD_ID}")

            // push image
            customImage.push()
        }
}
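
As an added example (not part of the plugin or of the original page), the Python sketch below is a narrower alternative to deleting the files: it removes only the cached ECR logins from the contents of ~/.docker/config.json or ~/.dockercfg and reports any credential store or helper that could still supply a login. The function name, the ECR host pattern and the sample data are assumptions made for this illustration.

```python
import base64
import json
import re

# Assumption: ECR registry hosts end in ".ecr.<region>.amazonaws.com" (optionally ".cn"),
# with or without a scheme prefix, as in the registry URLs on this page.
ECR_HOST = re.compile(r"^(https?://)?[^/]+\.ecr\.[a-z0-9-]+\.amazonaws\.com(\.cn)?(/|$)")


def prune_ecr_auths(text, legacy=False):
    """Drop cached ECR logins from a Docker client config.

    text   -- contents of ~/.docker/config.json, or of ~/.dockercfg when legacy=True
    Returns (new_text, removed_hosts, findings); secrets are never put in findings.
    """
    config = json.loads(text)
    # ~/.dockercfg keeps registries at the top level; config.json nests them under "auths".
    auths = config if legacy else config.get("auths", {})
    removed, findings = [], []
    for host in sorted(auths):
        if ECR_HOST.match(host):
            del auths[host]
            removed.append(host)
    if not legacy:
        # A credential store or helper can keep serving a login after the file is cleaned.
        if config.get("credsStore"):
            findings.append("credsStore=" + config["credsStore"])
        for host, helper in sorted(config.get("credHelpers", {}).items()):
            if ECR_HOST.match(host):
                findings.append("credHelper %s for %s" % (helper, host))
    return json.dumps(config, indent=2, sort_keys=True), removed, findings


# Constructed sample input; the auth values are fake placeholders, not real tokens.
_FAKE = base64.b64encode(b"AWS:constructed-placeholder").decode()
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "https://111111111111.dkr.ecr.eu-west-1.amazonaws.com": {"auth": _FAKE},
        "https://index.docker.io/v1/": {"auth": _FAKE},
    },
    "credHelpers": {"222222222222.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"},
})
SAMPLE_DOCKERCFG = json.dumps({"https://ID.ecr.eu-west-1.amazonaws.com": {"auth": _FAKE}})

if __name__ == "__main__":
    for name, text, legacy in (("config.json", SAMPLE_CONFIG, False),
                               (".dockercfg", SAMPLE_DOCKERCFG, True)):
        _, removed, findings = prune_ecr_auths(text, legacy)
        print(name, "removed:", removed, "also check:", findings)
```

Unlike removing the whole file, this leaves logins for other registries in place, so jobs that share the agent's user account keep working.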

 


Versions

1.6 (2017-05-16)

  • JENKINS-34437 Enable amazon-ecr-plugin behind proxy
  • Performance improvements
  • Set minor version to 1.642.1
  • Upgrade Credentials Plugin
  • Upgrade AWS Java SDK Plugin
  • Upgrade AWS Credentials Plugin
  • Upgrade Docker Commons Plugin
  • Improve log

1.5 - Burned

1.4 (2016-10-29)

  • JENKINS-38465 The ECR plugin is now compatible with credentials stored in folders
  • JENKINS-36127 Resolved an NPE when attempting to configure Docker Build and Publish
  • JENKINS-34958 New credential format that contains the region. For example, when the credentials are specified as ecr:us-west-2:credential-id, the provider sets the region of the AWS client to us-west-2 when requesting the authorisation token.

1.3 (2016-06-06)

  • The 1.2 release failed to upload the artifact, so this release was made again to upload the artifact correctly.
    NOTE: This release doesn't contain any update.

1.2 (2016-06-03)

  • Update parent pom

1.1 (2016-05-30)

1.0 (2016-01-12)

  • Replace custom ECR API client with aws-java-sdk

1.0-beta-1 (2015-12-22)

  • Initial release

6 Comments

  1. I am using this with the Cloudbees Docker Build and Push plugin, it sometimes works, and sometimes gives me an error: Error parsing HTTP response: invalid character 'Y' looking for beginning of value: "Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one."

    Any hints on how to get the ECR plugin to always get a token?

    1. I got almost the same error as well recently. 

      denied: Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.

      The AWS key is still active.

      1. There is a recent fix for this with Docker 1.13 and there's an Amazon forum on a workaround: https://github.com/awslabs/amazon-ecr-credential-helper

        Also, you can try updating your AWS Key and Secret and remove the entry at .docker/config.json to pick up the new token.

        1. The most recent workaround is to set the variable "env.AWS_ECR_LOGIN=true" on your pipeline.

          1. Forget it, it is not useful; you have to check $HOME/.docker/config.json and $HOME/.dockercfg to see the credential generated.

  2. I had the following error when the image is pushed to AWS ECR:

    0d64bfe31c34: Image push failed
    time="2017-06-20T14:22:46Z" level=fatal msg="Error pushing to registry: Server error: unexpected 403 response status trying to initiate upload of application-service"
    Build step 'Docker Build and Publish' marked build as failure