I am trying to set up my multiple repos in Gitlab to do:
- upon merge into develop branch, the CI/CD builds that branch then creates a tagged Docker image as ‘qa’
- pushes the ‘qa’ Docker image to my AWS ECR
- upon merge into master branch, the CI/CD builds that branch then creates a tagged Docker image as ‘prod’
- pushes the ‘prod’ Docker image to my AWS ECR
I have the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (unprotected) variables set up in the first repo (unprotected). In IAM this user has AmazonEC2ContainerRegistryPowerUser permissions
I have a .gitlab-ci.yml file in my current develop branch, and the project and variables are unprotected.

```yaml
variables:
  DOCKER_REGISTRY: xxxxx.dkr.ecr.us-east-2.amazonaws.com
  AWS_DEFAULT_REGION: us-east-2
  APP_NAME: api-gateway
  DOCKER_HOST: tcp://docker:2375
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: ""

publish:
  stage: build
  image:
    name: docker:latest
  services:
    - docker:19-dind
  before_script:
    - apk add --no-cache curl jq python3 py3-pip
    - pip install awscli
    # ECR only accepts the literal username "AWS" together with a get-login-password token;
    # the original line used "ecr_user", which the registry rejects with 401 Unauthorized.
    - aws ecr get-login-password | docker login --username AWS --password-stdin $DOCKER_REGISTRY
    - aws --version
    - docker info
    - docker --version
  script:
    - docker build -t $DOCKER_REGISTRY/$APP_NAME:$CI_PIPELINE_IID .
    - docker push $DOCKER_REGISTRY/$APP_NAME:$CI_PIPELINE_IID
```
When I run the pipeline for the develop branch, the build appears to work but the login to AWS fails:

```
$ aws ecr get-login-password | docker login --username ecr_user --password-stdin $DOCKER_REGISTRY
Error response from daemon: login attempt to https://xxxxxxx.dkr.ecr.us-east-2.amazonaws.com/v2/ failed with status: 401 Unauthorized
```
I realize that is a lot, but I have two problems:
- why is this push to AWS ECR failing?
- how do I get the branch build to tag it properly?