AWS CodeBuild
User Guide (API Version 2016-10-06)

The procedures in this guide support the new console design. If you choose to use the older version of the console, you will find many of the concepts and basic procedures in this guide still apply. To access help in the new console, choose the information icon.

Amazon ECR Sample for AWS CodeBuild

This sample uses a Docker image in an Amazon Elastic Container Registry (Amazon ECR) image repository to build the Go Sample for AWS CodeBuild.


Running this sample may result in charges to your AWS account. These include possible charges for AWS CodeBuild and for AWS resources and actions related to Amazon S3, AWS KMS, CloudWatch Logs, and Amazon ECR. For more information, see AWS CodeBuild Pricing, Amazon S3 Pricing, AWS Key Management Service Pricing, Amazon CloudWatch Pricing, and Amazon Elastic Container Registry Pricing.

Running the Sample

To run this sample:

  1. To create and push the Docker image to your image repository in Amazon ECR, complete the steps in the Running the Sample section of the Docker Sample.

  2. To create and upload the source code to be built, complete steps 1 through 4 of the Running the Sample section of the Go Sample.

  3. Assign permissions to your image repository in Amazon ECR so that AWS CodeBuild can pull the repository's Docker image into the build environment:

    1. If you are using an IAM user instead of an AWS root account or an administrator IAM user to work with Amazon ECR, add the statement (between ### BEGIN ADDING STATEMENT HERE ### and ### END ADDING STATEMENT HERE ###) to the user (or IAM group the user is associated with). (Using an AWS root account is not recommended.) This statement enables access to managing permissions for Amazon ECR repositories. Ellipses (...) are used for brevity and to help you locate where to add the statement. Do not remove any statements, and do not type these ellipses into the policy. For more information, see Working with Inline Policies Using the AWS Management Console in the IAM User Guide.

      { "Statement": [ ### BEGIN ADDING STATEMENT HERE ### { "Action": [ "ecr:GetRepositoryPolicy", "ecr:SetRepositoryPolicy" ], "Resource": "*", "Effect": "Allow" }, ### END ADDING STATEMENT HERE ### ... ], "Version": "2012-10-17" }


      The IAM entity that modifies this policy must have permission in IAM to modify policies.

    2. Open the Amazon ECS console at

    3. Choose Repositories.

    4. In the list of repository names, choose the name of the repository you created or selected.

    5. Choose the Permissions tab, choose Add, and then create a statement.

    6. For Sid, type an identifier (for example, CodeBuildAccess).

    7. For Effect, leave Allow selected because you want to allow access to AWS CodeBuild.

    8. For Principal, type Leave Everybody cleared because you want to allow access to AWS CodeBuild only.

    9. Skip the All IAM entities list.

    10. For Action, select Pull only actions.

      All of the pull-only actions (ecr:GetDownloadUrlForLayer, ecr:BatchGetImage, and ecr:BatchCheckLayerAvailability) will be selected.

    11. Choose Save all.

      This policy will be displayed in Policy document.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "CodeBuildAccess", "Effect": "Allow", "Principal": { "Service": "" }, "Action": [ "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability" ] } ] }
  4. Create a build project, run the build, and view build information by following the steps in Run AWS CodeBuild Directly.

    If you use the AWS CLI to create the build project, the JSON-formatted input to the create-project command might look similar to this. (Replace the placeholders with your own values.)

    { "name": "amazon-ecr-sample-project", "source": { "type": "S3", "location": "codebuild-region-ID-account-ID-input-bucket/" }, "artifacts": { "type": "S3", "location": "codebuild-region-ID-account-ID-output-bucket", "packaging": "ZIP", "name": "" }, "environment": { "type": "LINUX_CONTAINER", "image": "", "computeType": "BUILD_GENERAL1_SMALL" }, "serviceRole": "arn:aws:iam::account-ID:role/role-name", "encryptionKey": "arn:aws:kms:region-ID:account-ID:key/key-ID" }
  5. To get the build output artifact, open your Amazon S3 output bucket.

  6. Download the file to your local computer or instance, and then extract the contents of the file. In the extracted contents, get the hello file.

Related Resources