AWS CodeBuild
User Guide (API Version 2016-10-06)

Amazon ECR Sample for CodeBuild

This sample uses a Docker image in an Amazon Elastic Container Registry (Amazon ECR) image repository to build a sample Go project.

Important

Running this sample may result in charges to your AWS account. These include possible charges for AWS CodeBuild and for AWS resources and actions related to Amazon S3, AWS KMS, CloudWatch Logs, and Amazon ECR. For more information, see CodeBuild Pricing, Amazon S3 Pricing, AWS Key Management Service Pricing, Amazon CloudWatch Pricing, and Amazon Elastic Container Registry Pricing.

Running the Sample

To run this sample:

  1. To create and push the Docker image to your image repository in Amazon ECR, complete the steps in the Running the Sample section of the Docker Sample.

  2. Create a Go project:

    1. Create the files as described in the Go Project Structure and Go Project Files sections of this topic, and then upload them to an Amazon S3 input bucket or an AWS CodeCommit, GitHub, or Bitbucket repository.

      Important

      Do not upload (root directory name), just the files inside of (root directory name).

      If you are using an Amazon S3 input bucket, be sure to create a ZIP file that contains the files, and then upload it to the input bucket. Do not add (root directory name) to the ZIP file, just the files inside of (root directory name).

    2. Create a build project, run the build, and view related build information by following the steps in Run AWS CodeBuild Directly.

      If you use the AWS CLI to create the build project, the JSON-formatted input to the create-project command might look similar to this. (Replace the placeholders with your own values.)

      {
        "name": "sample-go-project",
        "source": {
          "type": "S3",
          "location": "codebuild-region-ID-account-ID-input-bucket/GoSample.zip"
        },
        "artifacts": {
          "type": "S3",
          "location": "codebuild-region-ID-account-ID-output-bucket",
          "packaging": "ZIP",
          "name": "GoOutputArtifact.zip"
        },
        "environment": {
          "type": "LINUX_CONTAINER",
          "image": "aws/codebuild/golang:1.7.3",
          "computeType": "BUILD_GENERAL1_SMALL"
        },
        "serviceRole": "arn:aws:iam::account-ID:role/role-name",
        "encryptionKey": "arn:aws:kms:region-ID:account-ID:key/key-ID"
      }

    3. To get the build output artifact, open your Amazon S3 output bucket.

    4. Download the GoOutputArtifact.zip file to your local computer or instance, and then extract the contents of the file. In the extracted contents, get the hello file.

  3. If one of the following is true, you must add permissions to your image repository in Amazon ECR so that AWS CodeBuild can pull its Docker image into the build environment.

    • Your project uses CodeBuild credentials to pull Amazon ECR images. This is denoted by a value of CODEBUILD in the imagePullCredentialsType attribute of your ProjectEnvironment.

    • Your project uses a cross-account Amazon ECR image. In this case, your project must use its service role to pull Amazon ECR images. To enable this behavior, set the imagePullCredentialsType attribute of your ProjectEnvironment to SERVICE_ROLE.

    1. Open the Amazon ECS console at https://console.aws.amazon.com/ecs/.

    2. Choose Repositories.

    3. In the list of repository names, choose the name of the repository you created or selected.

    4. Choose the Permissions tab, choose Add, and then create a statement.

    5. For Sid, enter an identifier (for example, CodeBuildAccess).

    6. For Effect, leave Allow selected. This indicates that you want to allow access to another AWS account.

    7. For Principal, do one of the following:

      • If your project uses CodeBuild credentials to pull an Amazon ECR image, enter codebuild.amazonaws.com.

      • If your project uses a cross-account Amazon ECR image, enter arn:aws:iam::AWS-account-ID:root, where AWS-account-ID is the account that you want to give access.

    8. Skip the All IAM entities list.

    9. For Action, select Pull only actions.

      All of the pull-only actions (ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, and ecr:BatchCheckLayerAvailability) will be selected.

    10. Choose Save all.

      This policy is displayed in Policy document. The principal is what you entered for Principal in substep 7 of step 3 of this procedure:

      • If your project uses CodeBuild credentials to pull an Amazon ECR image, it is "Service": "codebuild.amazonaws.com".

      • If your project uses a cross-account Amazon ECR image, it is "AWS": "arn:aws:iam::AWS-account-ID:root", where AWS-account-ID is the account that you want to give access.

        The following sample policy uses a cross-account Amazon ECR image.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "CodeBuildAccess",
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::AWS-account-ID:root"
            },
            "Action": [
              "ecr:GetDownloadUrlForLayer",
              "ecr:BatchGetImage",
              "ecr:BatchCheckLayerAvailability"
            ]
          }
        ]
      }

  4. Create a build project, run the build, and view build information by following the steps in Run AWS CodeBuild Directly.

    If you use the AWS CLI to create the build project, the JSON-formatted input to the create-project command might look similar to this. (Replace the placeholders with your own values.)

    {
      "name": "amazon-ecr-sample-project",
      "source": {
        "type": "S3",
        "location": "codebuild-region-ID-account-ID-input-bucket/GoSample.zip"
      },
      "artifacts": {
        "type": "S3",
        "location": "codebuild-region-ID-account-ID-output-bucket",
        "packaging": "ZIP",
        "name": "GoOutputArtifact.zip"
      },
      "environment": {
        "type": "LINUX_CONTAINER",
        "image": "account-ID.dkr.ecr.region-ID.amazonaws.com/your-Amazon-ECR-repo-name:latest",
        "computeType": "BUILD_GENERAL1_SMALL"
      },
      "serviceRole": "arn:aws:iam::account-ID:role/role-name",
      "encryptionKey": "arn:aws:kms:region-ID:account-ID:key/key-ID"
    }

  5. To get the build output artifact, open your Amazon S3 output bucket.

  6. Download the GoOutputArtifact.zip file to your local computer or instance, and then extract the contents of the GoOutputArtifact.zip file. In the extracted contents, get the hello file.
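The repository policy created in step 3 should grant only the three pull-only actions, and only to the principal you entered. The following check is an added example, not part of the original sample: it audits a repository policy document for unexpected principals and non-pull actions. The function name, the sample policies, and the account ID 111122223333 are assumptions constructed for illustration.

```python
import json

# Pull-only actions named in step 3 of this topic, lowercased because
# IAM action names are matched case-insensitively.
PULL_ONLY = {"ecr:getdownloadurlforlayer", "ecr:batchgetimage",
             "ecr:batchchecklayeravailability"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_repository_policy(policy_text, allowed_principals):
    """Return findings for Allow statements that exceed the intended grant."""
    findings = []
    for stmt in _as_list(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        # Principal is either the string "*" or a map such as {"AWS": ...}.
        if isinstance(principal, str):
            principals = [principal]
        else:
            principals = [p for v in principal.values() for p in _as_list(v)]
        for p in principals:
            if p not in allowed_principals:
                findings.append(f"{sid}: unexpected principal {p}")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in PULL_ONLY:
                findings.append(f"{sid}: action {action} is not pull-only")
    return findings

# Constructed sample input; 111122223333 is a placeholder account ID.
EXPECTED = {"arn:aws:iam::111122223333:root"}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "CodeBuildAccess", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
               "ecr:BatchCheckLayerAvailability"]}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow",
    "Principal": "*", "Action": ["ecr:BatchGetImage", "ecr:PutImage"]}]})

if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_repository_policy(text, EXPECTED) or "no findings")
```

The policy text to audit can be taken from the policyText field returned by the AWS CLI command aws ecr get-repository-policy. For a project that pulls with CodeBuild credentials, pass {"codebuild.amazonaws.com"} as the allowed principal set.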

Go Project Structure

This sample assumes this directory structure.

(root directory name)
    |-- buildspec.yml
    `-- hello.go

Go Project Files

This sample uses these files.

buildspec.yml (in (root directory name))

version: 0.2

phases:
  build:
    commands:
      - echo Build started on `date`
      - echo Compiling the Go code...
      - go build hello.go
  post_build:
    commands:
      - echo Build completed on `date`
artifacts:
  files:
    - hello

hello.go (in (root directory name))

package main

import "fmt"

func main() {
  fmt.Println("hello world")
  fmt.Println("1+1 =", 1+1)
  fmt.Println("7.0/3.0 =", 7.0/3.0)
  fmt.Println(true && false)
  fmt.Println(true || false)
  fmt.Println(!true)
}
