GitLab runner not able to fetch AWS ECR images in the current AWS account

Question

GitLab and GitLab runners are running on the same host (I know how bad it is). There is an IAM Role attached to the EC2 on which GitLab is running.

This IAM Role gives the permission to perform some actions on multi-account ECR's.

Runners use docker as executor and assume role perfectly to push,pull images. But, if images need to be pulled/pushed to the account on which GitLab is running, it doesn't work. I first need to pull images on the GitLab host so they are accessible within the runners.

I did a small test: I manually started a container directly on the GitLab host and ran aws ecr get-login... and I was able to login on the account.

I've installed amazon-ecr-credential-helper and configured like stated in the doc.

I don't understand why runners cannot pull images from the account...

When you started the container and did your test were you running the command in the container or on the GitLab host? — Wesley Rolnick, Sep 20 '19 at 15:31
In the container directly. I didn't try to pull directly w/o login first — Kaymaz, Sep 20 '19 at 15:34

score 1 · Answer 1 · answered Feb 28 '20 at 15:17

I use this script in gitlab-ci.yml

image: docker:19.03
services:
- docker:19.03.0-dind
before_script:
- $(aws ecr get-login --no-include-email --region eu-central-1)

... and provide AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY variables into Settings/CI-CD section. Ensure your region with images is the same where are you logging in.

score 0 · Answer 2 · answered Jan 29 '20 at 07:34

This script can be used as a bootstrap script to register private Gitlab runner and configure runner to access AWS ECR. You can use Ubuntu 18 LTS AMI and launch AWS EC2 instance to host the Gitlab runner.

Attach AWS IAM role to grant EC2 instance to access AWS ECR and push-pull docker images. Also, awscli AWS configure command can be used or export AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variable.

Need to export GITLAB_RUNNER_TOKEN and AWS_REGION as variable to run the script successfully.

#!/bin/bash
set -e
apt update -y && apt install awscli make -y
curl -LJO https://gitlab-runner-downloads.s3.amazonaws.com/latest/deb/gitlab-runner_amd64.deb
dpkg -i gitlab-runner_amd64.deb
sed -i -e '/volumes/s/\["\/cache\"]/\["\/cache","\/var\/run\/docker.sock:\/var\/run\/docker.sock"]/' /etc/gitlab-runner/config.toml
curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh && usermod -aG docker gitlab-runner
gitlab-runner register \
  --non-interactive \
  --url "https://gitlab.com/" \
  --registration-token "${GITLAB_RUNNER_TOKEN}" \
  --executor "docker" \
  --docker-image "docker:latest" \
  --description "gitlab-runner" \
  --tag-list "gitlab,runner,aws" \
  --run-untagged="true" \
  --locked="false" \
  --access-level="not_protected"
echo -e "export AWS_SDK_LOAD_CONFIG=true \nexport AWS_REGION=${AWS_REGION}" >> ~/.bashrc
source ~/.bashrc && mkdir ~/.docker
cat <<EOF >>~/.docker/config.json
{
  "credsStore": "ecr-login"
}
EOF
git clone https://github.com/awslabs/amazon-ecr-credential-helper.git
cd amazon-ecr-credential-helper/ && make docker
cp bin/local/docker-credential-ecr-login /usr/local/bin/
systemctl restart docker  && gitlab-runner restart
export AWS_REGION=${AWS_REGION} && docker-credential-ecr-login list

GitLab runner not able to fetch AWS ECR images in the current AWS account

2 Answers2