Learn how to resolve the issue of failed access to an Amazon ECR repository by using the aws ecr get-login-password command and the docker login command.
Table of Contents
Question
A company builds a container image in an AWS CodeBuild project by running Docker commands. After the container image is built, the CodeBuild project uploads the container image to an Amazon S3 bucket. The CodeBuild project has an IAM service role that has permissions to access the S3 bucket.
A DevOps engineer needs to replace the S3 bucket with an Amazon Elastic Container Registry (Amazon ECR) repository to store the container images. The DevOps engineer creates an ECR private image repository in the same AWS Region of the CodeBuild project. The DevOps engineer adjusts the IAM service role with the permissions that are necessary to work with the new ECR repository. The DevOps engineer also places new repository information into the docker build command and the docker push command that are used in the buildspec.yml file.
When the CodeBuild project runs a build job, the job fails when the job tries to access the ECR repository.
Which solution will resolve the issue of failed access to the ECR repository?
A. Update the buildspec.yml file to log in to the ECR repository by using the aws ecr get-login-password AWS CLI command to obtain an authentication token. Update the docker login command to use the authentication token to access the ECR repository.
B. Add an environment variable of type SECRETS_MANAGER to the CodeBuild project. In the environment variable, include the ARN of the CodeBuild project’s IAM service role. Update the buildspec.yml file to use the new environment variable to log in with the docker login command to access the ECR repository.
C. Update the ECR repository to be a public image repository. Add an ECR repository policy that allows the IAM service role to have access.
D. Update the buildspec.yml file to use the AWS CLI to assume the IAM service role for ECR operations. Add an ECR repository policy that allows the IAM service role to have access.
Answer
A. Update the buildspec.yml file to log in to the ECR repository by using the aws ecr get-login-password AWS CLI command to obtain an authentication token. Update the docker login command to use the authentication token to access the ECR repository.
Explanation
The CodeBuild project needs to authenticate to the ECR registry before it can push the container image. This can be done by using the aws ecr get-login-password command to obtain an authentication token and then using the docker login command to access the ECR repository.
Option A is the correct solution because it provides the necessary steps to authenticate to the ECR registry and push the container image.
Option B is not correct because environment variables cannot be used to assume IAM roles.
Option C is not correct because making the ECR repository public is not necessary and not recommended for security reasons.
Option D is not correct because assuming IAM roles with the AWS CLI is not necessary and not recommended for this scenario.
Amazon AWS Certified DevOps Engineer – Professional DOP-C02 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified DevOps Engineer – Professional DOP-C02 exam and earn Amazon AWS Certified DevOps Engineer – Professional DOP-C02 certification.