We changed the Docker image repository from Harbor to AWS ECR. How do we push the image?

Retrieve an authentication token and authenticate your Docker client to your registry. Use the AWS CLI:

aws ecr get-login-password --region ap-east-1 | docker login --username AWS --password-stdin <aws account>.dkr.ecr.<region>.amazonaws.com

With this approach we have to change the original DSL structure and manually install the AWS CLI, and there is a risk of leaking security credentials.

How can we manage both image repositories without changing the original structure?

The Amazon ECR plugin implements a Docker token generator that exposes Amazon credentials through the Jenkins API used by (mostly) all Docker-related plugins.

When using the Docker Pipeline Plugin, in order to obtain ECR login credentials, you must use the ecr provider prefix:

script {
  docker.withRegistry("https://${REGISTRY}", "ecr:ap-east-1:aws-credentials") {
    def img = docker.build("${REGISTRY}/${APP_ID}:${BuildTag}")
    img.push()
  }
}


IAM permissions

Minimum set of permissions to perform a docker push to ECR:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:ListImages",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        }
    ]
}
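
A check that can be run on the policy above before attaching it to the Jenkins credentials (an added example, not from the original page or the plugin): it lists the actions granted on "*" and rewrites them to a repository ARN, keeping ecr:GetAuthorizationToken on "*". The account ID and repository name in the ARN, and the helper names, are constructed for illustration.

```python
import copy
import json

# Account-level action: it cannot be limited to one repository, so it stays on "*".
ACCOUNT_LEVEL = {"ecr:GetAuthorizationToken"}
# Constructed placeholder ARN (account ID and repository name are made up).
REPO_ARN = "arn:aws:ecr:ap-east-1:111122223333:repository/my-app"
# The policy from this page, rebuilt inline so the example runs offline.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload", "ecr:DescribeImages",
        "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload", "ecr:ListImages",
        "ecr:PutImage", "ecr:UploadLayerPart"]},
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
]}

def as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def wildcard_findings(policy):
    """Actions allowed on "*" that could be limited to a repository ARN."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Resource", [])):
            found += [a for a in as_list(stmt["Action"]) if a not in ACCOUNT_LEVEL]
    return found

def scope_policy(policy, repo_arns):
    """Copy of policy with repository-level actions limited to repo_arns.
    Assumes actions are listed by name (no "ecr:*" style wildcards)."""
    scoped = {"Version": policy["Version"], "Statement": []}
    for stmt in copy.deepcopy(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            scoped["Statement"].append(stmt)  # already scoped, or a Deny: keep
            continue
        actions = as_list(stmt["Action"])
        repo = [a for a in actions if a not in ACCOUNT_LEVEL]
        acct = [a for a in actions if a in ACCOUNT_LEVEL]
        if repo:
            scoped["Statement"].append({**stmt, "Action": repo, "Resource": list(repo_arns)})
        if acct:  # split out so the token call keeps working
            scoped["Statement"].append({**stmt, "Action": acct, "Resource": "*"})
    return scoped

if __name__ == "__main__":
    print(json.dumps(scope_policy(PAGE_POLICY, [REPO_ARN]), indent=4))
```

Pass one ARN per repository the job pushes to; the printed JSON can be used in place of the policy above.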
Last modified: September 7, 2025
