Bitbucket Pipeline for Docker Image Deployment to AWS ECR

Automating Docker Image Deployment to AWS ECR with Bitbucket Pipelines

This pipeline automates the build and deployment process of Docker images to AWS Elastic Container Registry (ECR) using Bitbucket Pipelines. By integrating with AWS, this setup streamlines continuous delivery, ensuring that Docker images are consistently built, tagged, and securely pushed to ECR, ready for deployment in a scalable environment.

Diagram

The diagram illustrates a Bitbucket pipeline setup for deploying Docker images to AWS Elastic Container Registry (ECR).

  1. Pipeline.yaml - Contains the Bitbucket pipeline configuration script, defining steps for building, testing, and deploying the Docker image.
  2. Dockerfile - Specifies the instructions for building the Docker image.
  3. Bitbucket - The repository where the source code and pipeline configuration reside.
  4. Bitbucket Pipeline - Executes the pipeline steps as defined in Pipeline.yaml.
  5. AWS ECR - The target registry where the Docker image is pushed and stored after deployment.

Create a Repo in AWS ECR

  1. Navigate to AWS ECR
  2. Create a repository
  3. Note the repository URI (you will need it when setting permissions for this repo)

Create a Docker image that contains all the environment your project needs

In my case, the environment I need includes Python 3.10.3, along with the packages boto3 (for AWS), os, json, and yaml.

Retrieve OpenID Connect (OIDC) information in Bitbucket

  1. Navigate to Bitbucket [Repository Settings]
  2. Click [OpenID Connect] and note the Identity provider URL and Audience

Set up an IAM role and assign permissions to allow pulling and retrieving Docker images

Create Identity Provider

  1. Navigate to AWS IAM
  2. Create an identity provider, paste the Provider URL and Audience, then click [Add provider]

Create IAM Role

  1. Navigate to AWS IAM
  2. Click [Create Role]
  3. Assign permissions
  4. After the role is created, navigate to its detail page and click [Add Permissions]
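The role created above is assumed by Bitbucket Pipelines through the identity provider, so its trust policy has to name that provider and pin the accepted token to the Audience noted in the OIDC step. The page does not show the trust policy itself; the Python snippet below, added here and not part of the original tutorial, builds one from the provider URL and audience. The workspace, UUIDs and account id are constructed placeholders, not values from the page. IAM identifies the provider by its URL without the scheme, and the token's sub claim has the form <repository-uuid>:<step-uuid>, so a StringLike prefix match restricts the role to a single repository rather than every repository in the workspace.

```python
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed placeholder values (not from the original page). In practice copy the
# Identity provider URL and Audience from Repository settings > OpenID Connect in
# Bitbucket, and the repository UUID from the same settings page.
PROVIDER_URL = "https://api.bitbucket.org/2.0/workspaces/example-workspace/pipelines-config/identity/oidc"
AUDIENCE = "ari:cloud:bitbucket::workspace/11111111-2222-3333-4444-555555555555"
REPOSITORY_UUID = "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
AWS_ACCOUNT_ID = "123456789012"  # placeholder AWS account id


def provider_host(provider_url: str) -> str:
    """Return the provider URL the way IAM names it: host and path, no scheme,
    no trailing slash. Accepts input with or without the https:// prefix."""
    if "://" not in provider_url:
        provider_url = "https://" + provider_url
    parsed = urlparse(provider_url)
    return (parsed.netloc + parsed.path).rstrip("/")


def trust_policy(provider_url: str, audience: str, account_id: str,
                 repository_uuid: Optional[str] = None) -> dict:
    """Build the IAM role trust policy for Bitbucket OIDC.

    The aud condition ensures only tokens minted for this workspace are accepted.
    When a repository UUID is given, the sub condition additionally limits the role
    to pipelines of that one repository (sub is "<repo-uuid>:<step-uuid>").
    """
    host = provider_host(provider_url)
    condition = {"StringEquals": {f"{host}:aud": audience}}
    if repository_uuid:
        condition["StringLike"] = {f"{host}:sub": f"{repository_uuid}:*"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": condition,
            }
        ],
    }


if __name__ == "__main__":
    policy = trust_policy(PROVIDER_URL, AUDIENCE, AWS_ACCOUNT_ID, REPOSITORY_UUID)
    print(json.dumps(policy, indent=2))
```

Omitting the repository UUID yields a workspace-wide trust policy; that is the weaker setting, since any repository in the workspace could then assume the role.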

Here is what the policy document looks like; Resource should be the ECR URI noted earlier.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetAuthorizationToken",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ReadRepositoryContents",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": "arn:aws:ecr:us-east-1:URI"
        }
    ]
}
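Two things are worth checking in a policy like this before wiring it to a pipeline. First, the second statement grants only the pull-side actions; a docker push from the pipeline additionally calls ecr:InitiateLayerUpload, ecr:UploadLayerPart, ecr:CompleteLayerUpload and ecr:PutImage, so a role carrying only the statements above can log in and pull but the push step will be denied. Second, a repository ARN has the shape arn:aws:ecr:<region>:<12-digit account id>:repository/<name>, and ecr:GetAuthorizationToken is the one action that legitimately needs Resource "*" because it has no resource-level scope. The Python audit below is added here and is not part of the original page; it flattens the Allow statements, reports which login, pull and push actions are covered (honouring IAM-style wildcards such as ecr:*), lists anything broader than GetAuthorizationToken granted on "*", and flags Resource values that are not well-formed repository ARNs. PAGE_POLICY is the document shown above with its URI placeholder left as-is.

```python
import fnmatch
import json
import re

# Actions the Docker client exercises against ECR for login, pull and push.
LOGIN_ACTIONS = {"ecr:GetAuthorizationToken"}
PULL_ACTIONS = {
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
}
PUSH_ACTIONS = {
    "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
}

# Well-formed ECR repository ARN: arn:aws:ecr:<region>:<12-digit account>:repository/<name>
REPO_ARN = re.compile(r"^arn:aws:ecr:[a-z0-9-]+:\d{12}:repository/[a-z0-9._/-]+$")

# The policy document from the page above, transcribed verbatim (URI placeholder kept).
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GetAuthorizationToken", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
        {"Sid": "ReadRepositoryContents", "Effect": "Allow",
         "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
                    "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages",
                    "ecr:DescribeImages", "ecr:BatchGetImage"],
         "Resource": "arn:aws:ecr:us-east-1:URI"},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource/Statement as a single string or a list."""
    return value if isinstance(value, list) else [value]


def allow_grants(policy: dict) -> list:
    """Flatten Allow statements into (lower-cased action pattern, resource) pairs.
    Deny statements and Conditions are out of scope for this check."""
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                grants.append((action.lower(), resource))
    return grants


def resources_for(grants: list, action: str) -> list:
    """Resources on which `action` is allowed; action names are case-insensitive
    and patterns may contain IAM wildcards (e.g. ecr:* or ecr:Get*)."""
    return [res for pat, res in grants if fnmatch.fnmatchcase(action.lower(), pat)]


def audit(policy: dict) -> dict:
    grants = allow_grants(policy)

    def covers(actions):
        return all(resources_for(grants, a) for a in actions)

    return {
        "can_login": covers(LOGIN_ACTIONS),
        "can_pull": covers(PULL_ACTIONS),
        "can_push": covers(PUSH_ACTIONS),
        "missing_for_push": sorted(a for a in PUSH_ACTIONS if not resources_for(grants, a)),
        # Only GetAuthorizationToken needs "*"; anything else on "*" is over-broad.
        "over_broad_on_wildcard": sorted({pat for pat, res in grants
                                          if res == "*" and pat != "ecr:getauthorizationtoken"}),
        "malformed_resource_arns": sorted({res for _, res in grants
                                           if res != "*" and not REPO_ARN.match(res)}),
    }


if __name__ == "__main__":
    print(json.dumps(audit(PAGE_POLICY), indent=2))
```

Run against PAGE_POLICY the audit reports login and pull as covered, the four upload/put actions as missing for push, and the placeholder Resource as malformed; the same function run against the final policy, with the real repository ARN filled in, should come back with can_push true and both lists empty.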

Write a pipeline to upload the Docker image to AWS ECR

  1. Navigate to Bitbucket
  2. Click [Deployments] and set up AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, which you download from the IAM setup created earlier.

The pipeline code itself is very simple:

options:
  docker: true

pipelines:
  default:
    - step:
        services:
          - docker
        caches:
          - docker
        name: Build and Push Docker Image to ECR
        script:
          # Build the image locally, tagged with the commit hash
          - docker build -t $ECR_IMAGE_NAME:$BITBUCKET_COMMIT -f ./Dockerfile .
          # Push the Docker image to Amazon ECR using the Atlassian pipe
          - pipe: atlassian/aws-ecr-push-image:2.4.2
            variables:
              AWS_ACCESS_KEY_ID: "$AWS_ACCESS_KEY_ID"
              AWS_SECRET_ACCESS_KEY: "$AWS_SECRET_ACCESS_KEY"
              AWS_DEFAULT_REGION: "$AWS_REGION"
              IMAGE_NAME: "$ECR_IMAGE_NAME"

Ref

https://support.atlassian.com/bitbucket-cloud/docs/use-aws-ecr-images-in-pipelines-with-openid-connect/