DEV Community

Cover image for Authenticating your GitLab CI runner to an AWS ECR registry using Amazon ECR Docker Credential Helper πŸ”‘
AWS Community Builders profile image Adrien Mornet
Adrien Mornet for AWS Community Builders

Posted on • Updated on

Authenticating your GitLab CI runner to an AWS ECR registry using Amazon ECR Docker Credential Helper πŸ”‘

#aws #gitlab #tutorial

GitLab CI allows you to run your CI/CD jobs in separate and isolated Docker containers. For maximum flexibility, you may need to run your jobs from a self-created Docker image tailored to your project’s specific needs. You can store this self-created and private Docker image in an AWS ECR registry. In this tutorial I will explain how to set up automatic authentication from your GitLab runner to your registry with Amazon ECR Docker Credential Helper.

GitLab CI job

Create a GitLab CI job which uses your Docker image saved in a private AWS ECR registry :

phpunit:
  stage: testing
  image: 
    name: 123456789123.dkr.ecr.us-east-1.amazonaws.com/php-gitlabrunner:latest
    entrypoint: [""]
  script:
    - php ./vendor/bin/phpunit --coverage-text --colors=never
Enter fullscreen mode Exit fullscreen mode

Create and configure your runner to access AWS ECR registry 

{
    "credsStore": "ecr-login"
}
Enter fullscreen mode Exit fullscreen mode
  • Create an IAM User with CLI access and attach arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly policy
  • Paste CLI credentials to /home/gitlab-runner/.aws/credentials file on your GitLab runner : 
[default]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR SECRET KEY
Enter fullscreen mode Exit fullscreen mode
  • Configure AWS Region in /root/.aws/config : 
[default]
region = YOUR REGION
Enter fullscreen mode Exit fullscreen mode
  • Edit your /etc/gitlab-runner/config.toml to add in the [[runners]] section the following line environment = ["DOCKER_AUTH_CONFIG={ \"credsStore\": \"ecr-login\" }"]: 
[[runners]]
  name = "gitlab-runner"
  url = "https://gitlab.com/"
  executor = "docker"
  [runners.custom_build_dir]
  [runners.cache]
    MaxUploadedArchiveSize = 0
    [runners.cache.s3]
    [runners.cache.gcs]
    [runners.cache.azure]
  [runners.docker]
    image = "php:8-cli"
    privileged = false
    disable_entrypoint_overwrite = false
    oom_kill_disable = false
    disable_cache = false
    volumes = ["/cache", "/var/run/docker.sock:/var/run/docker.sock", "/builds:/builds"]
    shm_size = 0
    environment = ["DOCKER_AUTH_CONFIG={ \"credsStore\": \"ecr-login\" }"]
Enter fullscreen mode Exit fullscreen mode

Now your GitLab runner can automatically authenticate to your ECR registry πŸ™‚

If you liked this post, you can find more on my blog https://adrien-mornet.tech/ πŸš€

Top comments (0)

Read next

amaanmohib profile image

Use Notion as your CMS along with Next.js

Amaan Mohib -

colinsoleim profile image

Supercharging Rails: Enabling Ruby's YJIT Compiler in Production

Colin Soleim -

olawde profile image

Migrating repository from github to gitlab

Olawale Adepoju -

killianmcgrath7 profile image

Stop Leaving Yourself Open to Massive Cloud Bills

Killian McGrath -