Closed spu-xb01 closed 4 months ago
ECR authentication can be added in a stage prior to the Inspector stage, see example below:
```groovy
stage('ecr auth') {
    steps {
        sh '/usr/local/bin/aws ecr get-login-password --region us-east-1 | /usr/local/bin/docker login --username AWS --password-stdin xxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com'
    }
}
```
@cjbaco this does not work.
As far as I understand, you need to somehow record the execution of this command in `credentialId: ''`.
`credentialId` only applies to image repositories where you can authenticate via username and password, like Docker Hub. For ECR, you authenticate via the command cjbaco posted. Here's a full declarative script that I ran to test this. Keep in mind I've changed some sensitive information, so you'll have to edit it to suit your use case.
```groovy
pipeline {
    agent any
    stages {
        stage('Docker Auth') {
            steps {
                sh '/usr/local/bin/aws ecr get-login-password --region us-east-1 | /usr/local/bin/docker login --username AWS --password-stdin USERID.dkr.ecr.us-east-1.amazonaws.com'
            }
        }
        stage('amazon-inspector-image-scanner') {
            steps {
                script {
                    step([
                        $class: 'com.amazon.inspector.jenkins.amazoninspectorbuildstep.AmazonInspectorBuilder',
                        sbomgenPath: '/Users/user/Downloads/inspector-sbomgen',
                        artifactPath: 'USERID.dkr.ecr.us-east-1.amazonaws.com/test:latest',
                        archiveType: 'container',
                        awsRegion: 'us-east-1',
                        credentialId: null,
                        awsCredentialId: 'CREDENTIAL_ID',
                        iamRole: 'arn:aws:iam::USERID:role/CICDScan',
                        oicdCredentialId: '',   // misspelled key; the plugin reports it as an unknown parameter in the log below
                        awsProfileName: 'default',
                        isThresholdEnabled: false,
                        countCritical: 0,
                        countHigh: 0,
                        countLow: 10,
                        countMedium: 5,
                    ])
                }
            }
        }
    }
}
```
And here's the output when I ran the above script:
```text
Started by user unknown or anonymous
[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /Users/user/.jenkins/workspace/Declarative
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Docker Auth)
[Pipeline] sh
+ /usr/local/bin/aws ecr get-login-password --region us-east-1
+ /usr/local/bin/docker login --username AWS --password-stdin USERID.dkr.ecr.us-east-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /Users/user/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (amazon-inspector-image-scanner)
[Pipeline] script
[Pipeline] {
[Pipeline] step
WARNING: Unknown parameter(s) found for class type 'com.amazon.inspector.jenkins.amazoninspectorbuildstep.AmazonInspectorBuilder': oicdCredentialId
Credential ID is null, this is not normal, please check your config. Continuing without docker credentials.
No credential provided, running without.
Making downloaded SBOMGen executable...
Running command...
[/Users/user/Downloads/inspector-sbomgen, container, --image, USERID.dkr.ecr.us-east-1.amazonaws.com/test:latest]
Sending SBOM to Inspector for validation with info: credential:credentialid, role:arn:aws:iam::USERID:role/CICDScan, profile:default
Authenticating to STS via a role and default credential provider chain.
Converting SBOM Results to CSV.
Build Artifacts: http://localhost:8080/job/Declarative/75/display/redirect?page=artifacts
Results: Critical: 0, High: 1, Medium: 4, Low: 0, Other: 3
Ignoring results due to thresholds being disabled.
Does Build Pass: true
[Pipeline] }
[Pipeline] // script
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
```
Additionally, keep in mind that Jenkins doesn't know where `docker` and `aws` are, so you'll have to provide absolute paths to their binaries.
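Putting the thread's advice together, as an added example that is not from the plugin's documentation or from anyone in this thread: the same two-stage layout, but with thresholds switched on so the `High: 1` result in the log above would fail the build instead of being ignored, and a `post` block that runs `docker logout` so the ECR token does not stay in the agent's `~/.docker/config.json` (the warning Docker printed above). The account id, role name, credential id and sbomgen path are placeholders, and it is assumed here that a severity count above the configured value fails the build.

```groovy
pipeline {
    agent any
    environment {
        AWS_REGION   = 'us-east-1'
        ECR_REGISTRY = 'ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com'   // placeholder account id
        IMAGE        = "${ECR_REGISTRY}/test:latest"
    }
    stages {
        stage('Docker Auth') {
            steps {
                // Absolute paths: the Jenkins agent's PATH usually lacks aws and docker.
                // The token is piped on stdin so it never appears in the process list or the build log.
                sh '/usr/local/bin/aws ecr get-login-password --region ${AWS_REGION} | /usr/local/bin/docker login --username AWS --password-stdin ${ECR_REGISTRY}'
            }
        }
        stage('amazon-inspector-image-scanner') {
            steps {
                script {
                    step([
                        $class: 'com.amazon.inspector.jenkins.amazoninspectorbuildstep.AmazonInspectorBuilder',
                        sbomgenPath: '/opt/inspector-sbomgen',          // placeholder path to the sbomgen binary
                        artifactPath: env.IMAGE,
                        archiveType: 'container',
                        awsRegion: env.AWS_REGION,
                        credentialId: null,                            // ECR is not a username/password registry
                        awsCredentialId: 'AWS_CREDENTIAL_ID',           // placeholder Jenkins credential id
                        iamRole: 'arn:aws:iam::ACCOUNT_ID:role/CICDScan',
                        awsProfileName: 'default',
                        // Enforce gates: with thresholds disabled, the log above passed a build with one High finding.
                        // Assumed semantics: a count above the configured value fails the build.
                        isThresholdEnabled: true,
                        countCritical: 0,
                        countHigh: 0,
                        countMedium: 5,
                        countLow: 10,
                    ])
                }
            }
        }
    }
    post {
        always {
            // Drop the 12-hour ECR token from the agent's ~/.docker/config.json once the scan is done.
            sh '/usr/local/bin/docker logout ${ECR_REGISTRY} || true'
        }
    }
}
```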
@waltwilo thanks for the help
Describe your use-case which is not covered by existing documentation.
https://docs.aws.amazon.com/inspector/latest/user/cicd-jenkins.html
I have a test pipeline. When I try to execute it, I encounter an authorization error,
but the command for authorization in ECR looks like:

```sh
aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin xxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com
```

If I use this command in the previous steps, the command works as expected, but there is no access to the image.

How do I integrate ECR login for this plugin using the IAM role? I didn't find anything in the documentation.
Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.
No response
Are you interested in contributing to the documentation?
No response