Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CodeBuild project environment should support ImagePullCredentialsType #2175

Closed
rli opened this issue Apr 3, 2019 · 0 comments · Fixed by #3049 or MechanicalRock/tech-radar#14 · May be fixed by MechanicalRock/cdk-constructs#5, MechanicalRock/cdk-constructs#6 or MechanicalRock/cdk-constructs#7
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild feature-request A feature should be added or improved.

Comments

@rli
Copy link
Contributor

rli commented Apr 3, 2019

https://docs.aws.amazon.com/codebuild/latest/APIReference/API_ProjectEnvironment.html#CodeBuild-Type-ProjectEnvironment-imagePullCredentialsType

"When you use a cross-account or private registry image, you must use SERVICE_ROLE credentials. When you use an AWS CodeBuild curated image, you must use CODEBUILD credentials."

        let buildProject = new codebuild.Project(this, 'build-project', {
            environment: {
                computeType: ComputeType.Large,
                // https://github.com/awslabs/aws-cdk/issues/1325
                buildImage: WindowsBuildImage.fromDockerHub(this.ecrImageUri.stringValue)
            },
            source: new codebuild.CodePipelineSource(),
            buildSpec: 'buildspec.yml'
        });

        (buildProject.node.findChild("Resource") as codebuild.CfnProject)
            .addPropertyOverride("Environment.ImagePullCredentialsType", "SERVICE_ROLE");
@sam-goodwin sam-goodwin added @aws-cdk/aws-codebuild Related to AWS CodeBuild feature-request A feature should be added or improved. labels Apr 11, 2019
Kaixiang-AWS added a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jun 7, 2019
…d cross-account ECR repository as build image

Fixes aws#2175
Kaixiang-AWS added a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jun 20, 2019
…d cross-account ECR repository as build image

Fixes aws#2175
Kaixiang-AWS added a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jun 25, 2019
…d cross-account ECR repository as build image

Fixes aws#2175
skinny85 pushed a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jul 2, 2019
…d cross-account ECR repository as build image

Fixes aws#2175
Kaixiang-AWS added a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jul 3, 2019
…d cross-account ECR repository as build image

Fixes aws#2175
skinny85 pushed a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jul 5, 2019
…d cross-account ECR repository as build image.

BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
* codebuild.WindowsBuildImage.fromDockerHub() has been renamed to fromDockerHub()

Fixes aws#2175
skinny85 pushed a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jul 5, 2019
…d cross-account ECR repository as build image.

BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
* codebuild.WindowsBuildImage.fromDockerHub() has been renamed to fromDockerHub()

Fixes aws#2175
Kaixiang-AWS added a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jul 5, 2019
…d cross-account ECR repository as build image.

BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
* codebuild.WindowsBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()

Fixes aws#2175
skinny85 pushed a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jul 6, 2019
…d cross-account ECR repository as build image.

BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
* codebuild.WindowsBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()

Fixes aws#2175
skinny85 pushed a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jul 6, 2019
…ing build images.

When using an image that is hosted in a private Docker registry,
you have to pass the appropriate credentials in order to authenticate against that registry.
This change allows passing those credentials when creating a custom build image.

It also introduces the concept of the principal that CodeBuild will use to pull the image -
previously, CodeBuild would always use its own identity when pulling images,
which meant using it with an ECR-hosted image required changing the resource policy of the repository to trust CodeBuild's service principal.
Now, the default is to use the project's role when doing the pull of the image.

Fixes aws#2175

BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
* codebuild.WindowsBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
skinny85 pushed a commit to Kaixiang-AWS/aws-cdk that referenced this issue Jul 7, 2019
…ing build images.

When using an image that is hosted in a private Docker registry,
you have to pass the appropriate credentials in order to authenticate against that registry.
This change allows passing those credentials when creating a custom build image.

It also introduces the concept of the principal that CodeBuild will use to pull the image -
previously, CodeBuild would always use its own identity when pulling images,
which meant using it with an ECR-hosted image required changing the resource policy of the repository to trust CodeBuild's service principal.
Now, the default is to use the project's role when doing the pull of the image.

Fixes aws#2175

BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
* codebuild.WindowsBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
eladb pushed a commit that referenced this issue Jul 7, 2019
…ing build images. (#3049)

When using an image that is hosted in a private Docker registry,
you have to pass the appropriate credentials in order to authenticate against that registry.
This change allows passing those credentials when creating a custom build image.

It also introduces the concept of the principal that CodeBuild will use to pull the image -
previously, CodeBuild would always use its own identity when pulling images,
which meant using it with an ECR-hosted image required changing the resource policy of the repository to trust CodeBuild's service principal.
Now, the default is to use the project's role when doing the pull of the image.

Fixes #2175

BREAKING CHANGE: `LinuxBuildImage.fromDockerHub()` has been renamed to `fromDockerRegistry()` and `WindowsBuildImage.fromDockerHub()` has been renamed to `fromDockerRegistry()`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment