I currently have an issue to push the Docker image generated by Jib to ECR when the project is build in my CI.
Locally everything works fine, the command mvn clean install -DskipTests -Pdocker, builds the image corresponding to the app and pushed it to the ECR. Credentials are managed by amazon-ecr-credential-helper, the docker daemon is available locally, everything works like a charm.
The configuration of the Jib plugin contains the following configuration :
<executions>
<execution>
<id>install</id>
<phase>install</phase>
<goals>
<goal>build</goal>
</goals>
</execution>
</executions>
The following configuration is used in the .gitlab.yml :
build backend:
image: maven:3.8.6-amazoncorretto-17
stage: build
tags:
- runner-docker
script:
- cd backend
- mvn clean install -DskipTests -Pdocker
The code is compiled but the following error message is displayed :
[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:3.3.0:build (package) on project standalone: Build image failed, perhaps you should make sure your credentials for '123456.ecr.eu-west-1.amazonaws.com/my-project/backend' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for 123456.ecr.eu-west-1.amazonaws.com/my-project/backend: 401 Unauthorized -> [Help 1]
Jib cannot connect to ECR because no credential is specified.
Updating the job configuration script to the following, doesn't help :
mvn clean install -DskipTests -Pdocker \
-Djib.to.auth.username=$AWS_SECRET_KEY \
-Djib.to.auth.password=$AWS_SECRET_PASSWORD
Any advice on how I can push to ECR directly from my build job? I've tried to install amazon-ecr-credential-helper on the VM hosting the Gitlab runner but without success. I've also tried in the container of the runner itself, same result.
The credentials are stored in Gitlab and I'd prefer to keep them there rather than spreading them everywhere.
