How Do I Configure IAM for CodeBuild to Push to ECR?
Introduction
AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages. To enable CodeBuild to push Docker images to Amazon Elastic Container Registry (ECR), you need to configure specific IAM roles and policies. This guide provides a comprehensive step-by-step approach to setting up the necessary IAM configurations.
Step-by-Step Guide
Step 1: Create an ECR Repository
The first step is to create an Amazon ECR repository where your Docker images will be stored.
Step 2: Create an IAM Role for CodeBuild
Next, create an IAM role that CodeBuild will assume. This role needs a trust policy that allows CodeBuild to assume it.
Step 3: Define an IAM Policy for ECR Access
Create an IAM policy that grants the permissions necessary for CodeBuild to interact with ECR, such as pushing images and managing layers.
Step 4: Attach the Policy to the IAM Role
Attach the created policy to the IAM role to ensure that CodeBuild can use it to access ECR.
Step 5: Export the ECR Repository URL
Finally, provide the ECR repository URL as a stack output to facilitate easy access.
Here’s the complete configuration:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create the ECR repository that CodeBuild will push images to
const example = new aws.ecr.Repository("example", { name: "example-repo" });

// Create the IAM role for CodeBuild; the trust policy lets the CodeBuild service assume it
const codebuildRole = new aws.iam.Role("codebuild_role", {
    name: "codebuild-role",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                Service: "codebuild.amazonaws.com",
            },
            Action: "sts:AssumeRole",
        }],
    }),
});

// Policy granting the permissions the CodeBuild role needs to pull from and push to ECR.
// pulumi.jsonStringify (rather than JSON.stringify) is used because example.arn is an Output.
const codebuildEcrPolicy = new aws.iam.Policy("codebuild_ecr_policy", {
    name: "codebuild-ecr-policy",
    description: "Policy allowing CodeBuild to push to ECR",
    policy: pulumi.jsonStringify({
        Version: "2012-10-17",
        Statement: [
            {
                // Repository-level actions are scoped to the single repository created above
                Effect: "Allow",
                Action: [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:PutImage",
                    "ecr:InitiateLayerUpload",
                    "ecr:UploadLayerPart",
                    "ecr:CompleteLayerUpload",
                ],
                Resource: [example.arn],
            },
            {
                // GetAuthorizationToken has no resource-level permissions, so "*" is required here
                Effect: "Allow",
                Action: ["ecr:GetAuthorizationToken"],
                Resource: "*",
            },
            {
                // CloudWatch Logs permissions for build output; these can be narrowed to the
                // CodeBuild project's log group ARN once it is known
                Effect: "Allow",
                Action: [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                ],
                Resource: "*",
            },
        ],
    }),
});

// Attach the policy to the CodeBuild IAM role
const codebuildEcrPolicyAttachment = new aws.iam.RolePolicyAttachment("codebuild_ecr_policy_attachment", {
    role: codebuildRole.name,
    policyArn: codebuildEcrPolicy.arn,
});

// Export the repository URL so build scripts can tag and push to it
export const ecrRepositoryUrl = example.repositoryUrl;
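The scoping choices in that policy (repository actions tied to one ARN, only GetAuthorizationToken on "*") are easy to get wrong in either direction. The check below is an added example, not part of the original page or of Pulumi's own code: it walks a policy document of the same shape and reports ECR actions granted on a wildcard that should name the repository, and the reverse mistake of giving GetAuthorizationToken a repository ARN. The repository ARN, account id and region are constructed placeholders standing in for example.arn.

```typescript
// Minimal model of the IAM policy document shape used in the guide's configuration.
interface Statement {
    Effect: "Allow" | "Deny";
    Action: string | string[];
    Resource: string | string[];
}
interface PolicyDocument { Version: string; Statement: Statement[]; }

// ecr:GetAuthorizationToken has no resource-level permissions, so it must use "*";
// every other ECR action in the guide acts on a repository and should name its ARN.
const WILDCARD_REQUIRED = ["ecr:GetAuthorizationToken"];

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);
const isWildcard = (r: string): boolean => r === "*" || /:repository\/\*$/.test(r);

// Returns one finding per mis-scoped ECR grant; an empty list means the policy passes.
function checkEcrScoping(doc: PolicyDocument): string[] {
    const findings: string[] = [];
    for (const stmt of doc.Statement) {
        if (stmt.Effect !== "Allow") continue;
        const resources = asList(stmt.Resource);
        const anyWildcard = resources.some(isWildcard);
        const allWildcard = resources.every(isWildcard);
        for (const action of asList(stmt.Action)) {
            if (action.indexOf("ecr:") !== 0) continue;
            const needsWildcard = WILDCARD_REQUIRED.indexOf(action) !== -1;
            if (needsWildcard && !allWildcard) {
                findings.push(`${action}: requires Resource "*"; a repository ARN does not match and the call is denied`);
            } else if (!needsWildcard && anyWildcard) {
                findings.push(`${action}: granted on a wildcard resource; scope it to the repository ARN`);
            }
        }
    }
    return findings;
}

// Constructed sample ARN (placeholder account id and region) standing in for example.arn.
const REPO_ARN = "arn:aws:ecr:us-east-1:123456789012:repository/example-repo";
// The guide's ECR statements with the Pulumi Output replaced by the sample ARN.
const scopedPolicy: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [
        { Effect: "Allow", Resource: [REPO_ARN], Action: ["ecr:BatchCheckLayerAvailability",
          "ecr:PutImage", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload"] },
        { Effect: "Allow", Action: ["ecr:GetAuthorizationToken"], Resource: "*" },
    ],
};
// A common shortcut: every ECR action on "*", which lets the build role push to any repository.
const overbroadPolicy: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: ["ecr:PutImage", "ecr:GetAuthorizationToken"], Resource: "*" }],
};
```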
Key Points
- ECR Repository: Stores Docker images.
- IAM Role: Allows CodeBuild to assume the necessary permissions.
- IAM Policy: Grants permissions for ECR operations.
- Policy Attachment: Links the policy to the IAM role.
- Output: Provides the ECR repository URL for easy access.
Conclusion
By following this guide, you have successfully configured IAM roles and policies to enable AWS CodeBuild to push Docker images to Amazon ECR. This setup ensures that your CI/CD pipeline can seamlessly integrate with ECR, allowing for efficient management of Docker images.