Push to ECR from Jenkins pipeline


Question

I have a Jenkins server on-premise. I have a Jenkinsfile which creates a Docker image; now I want to push that image to AWS ECR. Do I have to create a special IAM user and provide its access and secret access keys? Or what will be the best way to do this?

I found the below on the internet:

  withAWS(role: 'Jenkins', roleAccount: 'XXXX216610', duration: 900, roleSessionName: 'jenkinssession') {
    // Assume the role, then log Docker in to ECR with the temporary credentials
    sh ' eval \$(aws ecr get-login --no-include-email --region us-east-2) '
  }

But as my Jenkins server is on-prem, how will the role work?

Recommended answer

Do I have to create a special IAM user and provide its access and secret access keys? Or what will be the best way to do this?

If you are running Jenkins inside your AWS and you are using the secret key and access key, you are violating best practice. You should never use the access key and secret key inside an AWS VPC. These are designed to interact with AWS from outside of the AWS account.

You should create an IAM role which has a specific role, and that role allows Jenkins only to push the image to ECR.

As for your current command, eval \$(aws ecr get-login --no-include-email --region us-east-2), you will always need this token to push/pull the image to ECR. This token has some expiry; you should read about this approach below. But it seems okay with an IAM role.

ECR_AWSCLI-get-login-token

Also, you can explore the Amazon + ECR plugin.

About

Amazon ECR plugin implements a Docker Token producer to convert Amazon credentials to Jenkins’ API used by (mostly) all Docker-related plugins. Thanks to this producer, you can select your existing registered Amazon credentials for various Docker operations in Jenkins, for example using CloudBees Docker Build and Publish plugin:
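
Added example (not part of the original answer, and not code from AWS or the Jenkins plugin): a small Python check of what "a role that allows Jenkins only to push the image to ECR" looks like in an IAM policy document. The action names are the standard ECR ones; the account ID, repository name and both sample policies are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase
# Standard ECR IAM actions needed to push an image; nothing else is required.
PUSH_ACTIONS = {"ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:PutImage"}
_BY_LOWER = {a.lower(): a for a in PUSH_ACTIONS}  # IAM action names are case-insensitive

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def audit_push_policy(policy_json):
    """Return (findings, missing_push_actions) for a policy meant to allow push only."""
    findings, granted = [], set()
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"stmt {i}: Allow with NotAction grants every other action")
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            low = action.lower()
            if "*" in low or "?" in low:
                findings.append(f"stmt {i}: wildcard action {action}")
                granted.update(a for k, a in _BY_LOWER.items() if fnmatchcase(k, low))
            elif low not in _BY_LOWER:
                findings.append(f"stmt {i}: {action} is not needed to push")
            else:
                granted.add(_BY_LOWER[low])
                # GetAuthorizationToken cannot be scoped to a repository; the rest can.
                if low != "ecr:getauthorizationtoken" and "*" in resources:
                    findings.append(f"stmt {i}: {action} on Resource *; use the repository ARN")
    return findings, sorted(PUSH_ACTIONS - granted)

# Constructed sample policies: account 111122223333 and repository "my-app" are placeholders.
REPO_ARN = "arn:aws:ecr:us-east-2:111122223333:repository/my-app"
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}]})
PUSH_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Resource": REPO_ARN,
     "Action": sorted(PUSH_ACTIONS - {"ecr:GetAuthorizationToken"})}]})

if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("push-only", PUSH_ONLY)):
        print(name, audit_push_policy(doc))
```

An empty findings list together with an empty missing list means the policy grants exactly what a push needs and nothing more.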
