AWS DevOps Blog
How to Use Cross-Account ECR Images in AWS CodeBuild for Your Build Environment
AWS CodeBuild now makes it possible for you to access Docker images from any Amazon Elastic Container Registry repository in another account as the build environment. With this feature, AWS CodeBuild allows you to pull any image from a repository to which you have been granted resource-level permissions.
In this blog post, we will show you how to provision a build environment using an image from another AWS account.
Here is a quick overview of the services used in our example:
AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. It provides a fully preconfigured build platform for most popular programming languages and build tools, including Apache Maven, Gradle, and more.
Amazon Elastic ECR is a fully managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images.
We will use a sample Docker image in an Amazon ECR image repository in AWS account B. The CodeBuild project in AWS account A will pull the images from the Amazon ECR image repository in AWS account B.
Prerequisites:
To get started you need:
· Two AWS accounts (AWS account A and AWS account B).
· In AWS account A, an image registry in Amazon ECR. In AWS account B, images that you would like to use for your build environment. If you do not have an image registry and a sample image, see Docker Sample in the AWS CodeBuild User Guide.
· In AWS account A, an AWS CodeCommit repository with a buildspec.yml file and sample code.
· Using the following steps, permissions in your Amazon ECR image repository for AWS CodeBuild to pull the repository’s Docker image into the build environment.
To grant CodeBuild permissions to pull the Docker image into the build environment
1. Open the Amazon ECS console at https://console.aws.amazon.com/ecs/.
2. Choose the name of the repository you created.
3. On the Permissions tab, choose Edit JSON policy.
4. Apply the following policy and save.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CodeBuildAccess",
"Effect": "Allow",
"Principal": {
"AWS": "<arn of the service role>"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
]
}
]
}
To use an image from account B and set up a build project in account A
1. Open the AWS CodeBuild console at https://console.aws.amazon.com/codesuite/codebuild/home.
2. Choose Create project.
3. In Project configuration, enter a name and description for the build project.
4. In Source, for Source provider, choose the source code provider type. In this example, we use the AWS CodeCommit repository name.
5. For Environment, we will pull the Docker image from AWS account B and use the image to create the build environment to build artifacts. To configure the build environment, choose Custom Image. For Image registry, choose Amazon ECR. For ECR account, choose Other ECR account.
6. In Amazon ECR repository URI, enter the URI for the image repository from AWS account B and then choose Create build project.
7. Go to the build project you just created, and choose Start build. The build execution will download the source code from the AWS CodeCommit repository and provision the build environment using the image retrieved from the image registry.
Next steps
Now that you have seen how to use cross-account ECR images, you can integrate a build step in AWS CodePipeline and use the build environment to create artifacts and deploy your application. To integrate a build step in your pipeline, see Working with Deployments in AWS CodeDeploy in the AWS CodeDeploy User Guide
If you have any feedback, please leave it in the Comments section below. If you have questions, please start a thread on the AWS CodeBuild forum or contact AWS Support.