awslabs / aws-codebuild-jenkins-plugin

AWS CodeBuild integration as a Jenkins build step.
https://aws.amazon.com/codebuild
Apache License 2.0

Unable to Override CodeBuild Image #106

Closed ErmanB closed 3 years ago

ErmanB commented 3 years ago

Hi,

I am trying to override the CodeBuild image, however I am getting the following BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE error. Am I doing something wrong in the "overrideImage" field in the Jenkinsfile?

BUILD_CONTAINER_UNABLE_TO_PULL_IMAGE: Unable to pull customer's container image. CannotPullContainerError: Error response from daemon: pull access denied for ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/myrepo/codebuild-ansible, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::131992011433

```groovy
// Jenkinsfile excerpt: the awsCodeBuild step is run inside a withAWS block
withAWS(region: "${region}", role: "${buildRole}", roleAccount: "${buildAccount}") {
    echo ("caller identity within withAWS: ")
    sh "aws sts get-caller-identity"

    sh "aws ecr get-login --no-include-email --region ${region}"

    try {
        // Initially anything inside "awsCodeBuild...." runs as jenkins-build-buildrole1-BuildCodeBuildRole1
        cbResult = awsCodeBuild projectName: "${repoName}",
            sourceControlType: 'project',
            credentialsType: 'keys',
            region: "${region}",
            envVariables: "[ { assume_role_arn, arn:aws:iam::${devAccount}:role/jenkins-build-deployrole1-DeployCodeBuildRole1 }, { AWS_DEFAULT_REGION, ${region} }, {repoName, ${repoName} }, {app_version,${app_version} } ]",
            sourceTypeOverride: 'S3',
            sourceLocationOverride: "${sourceLocation}/${artifactName}",
            // To use a Docker image in your Amazon ECR repository, the image ID format should be: account-ID.dkr.ecr.region.amazonaws.com/your-Amazon-ECR-repo-name:image-tag.
            imageOverride: "${ansibleImage}",
            buildSpecFile: "buildspec_deployment.yml"
    } catch (Exception cbEx) {
        cbResult = cbEx.getCodeBuildResult()
    }
}
```

I added the following policy to my build role:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetAuthorizationToken",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ManageAllECR",
            "Effect": "Allow",
            "Action": "ecr:*",
            "Resource": "arn:aws:ecr:REGION:ACCOUNT_ID:repository/*"
        }
    ]
}
```

ErmanB commented 3 years ago

I found the reason, and I'm writing it here too in case anyone else faces the same issue. I had to give permission to the CodeBuild service in the Amazon ECR repository rather than adding a policy to my build role. It successfully overrides the custom image in the CodeBuild agent after this.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CodeBuildAccessPrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "codebuild.amazonaws.com"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        },
        {
            "Sid": "CodeBuildAccessCrossAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AWS-account-ID>:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}
```

Reference: https://docs.aws.amazon.com/codebuild/latest/userguide/sample-ecr.html
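An added check for the repository-policy fix in the comment above (this is example code written for this page, not part of the plugin or the thread). By default CodeBuild pulls the build image with its own service credentials rather than the project's role, which is why the grant has to live in the ECR repository policy; the audit below parses such a policy, reports whether `codebuild.amazonaws.com` is granted all three pull actions, and flags over-broad principals. The `aws:SourceAccount` condition check and the sample account id are my assumptions, not something the thread states.

```python
import json

# The three actions CodeBuild needs to pull an image from a private ECR repository.
REQUIRED_PULL_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                         "ecr:BatchCheckLayerAvailability"}
CODEBUILD_SERVICE = "codebuild.amazonaws.com"

# Constructed sample: the repository policy from the comment above, with a made-up account id.
SAMPLE_POLICY_JSON = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "CodeBuildAccessPrincipal", "Effect": "Allow",
   "Principal": {"Service": "codebuild.amazonaws.com"},
   "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"]},
  {"Sid": "CodeBuildAccessCrossAccount", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
   "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"]}]}"""


def _as_list(value):
    # IAM accepts a bare string wherever a list is allowed; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_ecr_repository_policy(policy_json):
    """Return (ok, findings). ok is False when CodeBuild's service principal lacks a pull action."""
    findings, codebuild_actions = [], set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        accounts = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if CODEBUILD_SERVICE in services:
            codebuild_actions |= actions
            if "Condition" not in stmt:  # hardening assumption: pin the grant to your own account's projects
                findings.append(f"WARN {sid}: no Condition (e.g. aws:SourceAccount) on the CodeBuild service grant")
        if principal == "*" or "*" in accounts:
            findings.append(f"FAIL {sid}: grants access to any AWS principal")
        for arn in accounts:
            if arn.endswith(":root"):
                findings.append(f"WARN {sid}: {arn} delegates pull access to every identity in that account")
        extra = actions - REQUIRED_PULL_ACTIONS
        if extra:
            findings.append(f"WARN {sid}: actions beyond image pull: {sorted(extra)}")
    missing = REQUIRED_PULL_ACTIONS - codebuild_actions
    if missing:
        findings.append(f"FAIL: CodeBuild service principal lacks {sorted(missing)}")
    return not any(f.startswith("FAIL") for f in findings), findings
```

Run it against the output of `aws ecr get-repository-policy --repository-name <repo>` (the `policyText` field) to confirm a repository is pullable by CodeBuild before relying on `imageOverride`.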