DEV Community

ahn4
ahn4

Posted on

Push Docker Image to AWS ECR - Bitbucket Pipeline

#aws #kubernetes #bitbucket

We'll do the following

  • Create Bitbucket repository
  • Push Docker image to ECR from Bitbucket
  • Configure Bitbucket pipeline.

Create Bitbucket repository

1: Created ssh key.



ssh-keygen -t rsa -C aaa@example.com
Enter fullscreen mode Exit fullscreen mode

2: Add pub key to bitbucket.

3: set remote but... password is needed?



git remote add origin git@bitbucket.org:xxx/yyy.git
git push origin master

Password for 'https://aaa@bitbucket.org': 
# ????
Enter fullscreen mode Exit fullscreen mode

4: Get remote URL



git config --get remote.origin.url

https://aaa@bitbucket.org/bbb/ccc.git
Enter fullscreen mode Exit fullscreen mode

5: This should not be https... should be git.



git remote set-url origin git@bitbucket.org:xxxx/yyyy.git
Enter fullscreen mode Exit fullscreen mode

error..

6: Specify ssh key

https://qiita.com/sonots/items/826b90b085f294f93acf

Push Docker image to ECR from Bitbucket

Image description

We have to create the IAM Role of OIDC.

Get identity provider of Bitbucket.

You can get the information from Bitbucket.

{Your repository settings} > Pipelines > OpenID Connect

Get the following.

  • Identity provider URL
  • Audience

AWS IAM Setting.

Create provider

  • Go to IAM > Identity providers > Add provider.
  • Fill in Identity provider URL and Audience.

Create policy 



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetAuthorizationToken",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowPushImage",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage"
            ],
            "Resource": "arn:aws:ecr:ap-northeast-1:{AWS Account ID}:repository/*"
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Create role

  • Go to IAM > Role > Create role.
  • Select Web identity.
  • Select Identity provider URL and Audience created by previous step.
  • Choose policy created in previous step.

Configure bitbucket pipeline.

Official

Minimum configuration



image: atlassian/default-image:2

definitions:
  script: &ecrScript
    - docker build -t $REPO_NAME .
    - pipe: atlassian/aws-ecr-push-image:1.5.0
      variables:
        AWS_OIDC_ROLE_ARN: $OIDC_ROLE_ARN
        IMAGE_NAME: $IMAGE_NAME
        TAGS: "${BITBUCKET_TAG} build-$BITBUCKET_BUILD_NUMBER latest"

pipelines:
  custom:
    build-custom:
      - step:
          name: Deploy to ECR
          services:
            - docker
          oidc: true
          script: *ecrScript
Enter fullscreen mode Exit fullscreen mode

NOTE

AWS_DEFAULT_REGION must be configured as Variable. Otherwise we will get the error ValueError: Invalid endpoint: https://api.ecr..amazonaws.com. Please check official document.

Top comments (1)

Collapse
 
gpbenton profile image
gpbenton

Much appreciated. This was a great help.

Read next

shu12388y profile image

Why We Migrated Our WordPress Site from Hostinger to AWS LightSail

shubham paul -

kkkensuke profile image

Automating EC2 Patching with AWS Patch Manager

kkkensuke -

emmamoinat profile image

Lessons Learned from Migrating to Amazon Cognito

Emma Moinat -

vkazulkin profile image

Data API for Amazon Aurora Serverless v2 with AWS SDK for Java - Part 10 Aurora Serverless v2 Data API meets DevOps Guru or not?

Vadym Kazulkin -