Fetching Concourse Docker resources from ECR

Question

I'm trying to use a Docker resource that is stored in an AWS EC2 Container service repository (ECR). Config looks like:

- name: my-docker-resource
  type: docker-image
  source:
    repository: account-id.dkr.ecr.eu-west-1.amazonaws.com/my-repo
    tag: d196e5688d
    aws_access_key_id: ((docker-aws-access-key-id))
    aws_secrey_access_key: ((docker-aws-secret-access-key))

When I run a pipeline that does get on this resource, I see "no versions available".

I tried to verify that the credentials I'm using is allowed to access the repo:

$(aws ecr get-login --no-include-email --profile concourse)
You must specify a region. You can also configure your region by running "aws configure".

So question 1: How do I tell the resource which region to use? Does it guess from the repo URL? Providing the region seems to indicate credentials have enough privileges:

$(aws ecr get-login --no-include-email --profile concourse --region eu-west-1)
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

I then try to pull the repo. Works on my machine (tm). Pipeline still says "no versions available".

I read somewhere that custom repos need to explicitly state the port, so I also tried account-id.dkr.ecr.eu-west-1.amazonaws.com:5000, but to no avail. Using that in the tag also does not work at all locally.

Any pointers?

score 1 · Answer 1 · answered Dec 29 '17 at 18:25

Two things pop out:

The concourse docker image resource has been through many changes, with some versions not working with ECR. The version of docker-image bundled with your concourse may be out of date. You can reference the latest version by declaring a custom resource type:

resource_types:
  # Override the built-in docker-image to get a recent version
  - name: latest-docker-image
    type: docker-image
    source:
      repository: concourse/docker-image-resource
      tag: latest
resources:
  - name: my-docker-resource
    type: latest-docker-image

The port is required, and it's usually 443. Try:

- name: my-docker-resource
  type: docker-image
  source:
    repository: account-id.dkr.ecr.eu-west-1.amazonaws.com:443/my-repo
    tag: d196e5688d
    aws_access_key_id: ((docker-aws-access-key-id))
    aws_secrey_access_key: ((docker-aws-secret-access-key))

score 1 · Accepted Answer · answered Jan 10 '18 at 09:27

This is working now, although I couldn't really tell you what was the source of "not working" and "working". My current configuration:

- name: ecr-repository
  type: docker-image
  source:
    repository: ((account_id)).dkr.ecr.eu-west-1.amazonaws.com/myapp
    aws_access_key_id: ((aws_access_key_id))
    aws_secret_access_key: ((aws_secret_access_key))

It's basically the same as I started with. Either I screwed up with credentials or some other context, or I was unlucky with my timing (with regards to the Docker resource image) as Phillip suggested.

Fetching Concourse Docker resources from ECR

2 Answers2