- Introduction
- Getting Started
- Gitpod Tutorial
- Use Cases
- Languages
- Configure
- Workspaces
- User settings
- Repositories
- Organizations
- Authentication
- Billing
- References
- .gitpod.yml
- IDEs & editors
- Integrations
- Gitpod CLI
- Gitpod API
- Gitpod URL
- Compatibility
- Enterprise
- Overview
- Setup and Preparation
- Deploying
- Configure your Gitpod Instance
- Administration
- Upgrading
- Background
- Reference
- Archive
- Help
- Contribute
- Troubleshooting
Using Private ECR Repositories for Workspace Images
Note: When using a private image in combination with
gp validate
, you’ll need to authenticate against the private registry in your workspace. See below for an example of how to setup and authenticate using OIDC.
This is because
gp validate
emulates a workspace start using the Docker daemon running in your workspace. To prevent unintended security repercussions, the credentials used during workspace start are not automatically made available in the workspace.
Authenticating Enterprise with a Private ECR Repository
Navigate to the AWS account where the target ECR repository is located.
Modify the target ECR repositories resource policy (repositories > permissions) with the following entry:
json{ "Version": "2012-10-17", "Statement": [ { "Sid": "Gitpod Access", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::<your-gitpod-enterprise-aws-account-id>:root" ] } } ] }
How to use an Image from a Private ECR Repository in a .gitpod.yml
File
Ensure you’ve followed the authentication steps from the section above.
In your
.gitpod.yml
file, directly reference the private ECR image:ymlimage: <aws-ecr-url-prefix>.amazonaws.com/<your-image-name:tag>
How to use an Image from a Private ECR Repository in Combination with Custom Dockerfiles
Ensure you’ve followed the authentication steps from the section above.
In your project repository, create a Dockerfile that references your private ECR image:
dockerfileFROM <aws-ecr-url-prefix>.amazonaws.com/<your-image-name:tag> # Add your customizations here
In your
.gitpod.yml
file, reference the Dockerfile:ymlimage: file: Dockerfile
Ensure that your image and Dockerfile adhere to the same requirements described here.
Use OIDC with a Private ECR Repository for gp validate
Setup an Identity Provider
Ensure an Identity Provider (IDP) is setup in IAM in the account hosting the Private ECR Repository for Gitpod Enterprise.
Note: IDP has connectivity requirements. Gitpod Enterprise can be configured to expose Gitpod services publicly.
Setup IAM in the account hosting the Private ECR Repo
The Role you create must have specific Permissions to allow developers to pull from the Private ECR Repo. The Trust Relationship is flexible.
- The Permissions should look similar to:
json{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:DescribeImages", "ecr:BatchCheckLayerAvailability" ], "Resource": "arn:aws:ecr:<*-or-your-ecr-repo-aws-region>:<your-aws-account-id-hosting-the-ecr-repo>:repository/<the-ecr-repo-name>" }, { "Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*" } ] }
- The Trust relationships should look similar to the below, except the Conditions may vary depending on your needs:
json{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::<your-gitpod-enterprise-aws-account-id>:oidc-provider/services.<your-gitpod-enterprise-cell-name>.gitpod.cloud/idp" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "services.<your-gitpod-enterprise-cell-name>.gitpod.cloud/idp:aud": "sts.amazonaws.com" }, "StringLikeIfExists": { "services.<your-gitpod-enterprise-cell-name>.gitpod.cloud/idp:sub": [ "https://<your-vcs-host>/<your-git-org>/<your-git-repo>/tree/*", "referrer:jetbrains-gateway:*/https://<your-vcs-host>/<your-git-org>/<your-git-repo>/tree/*" ] } } } ] }
- The above condition restricts role usage to a single repo and all branches.
- Refer to AWS documentation if you require a more complicated set of Conditions.
Persist the ARN of the Role you’ve configured somewhere where developers can access it from a Gitpod Workspace.
- For example, you could persist it in a Repository Environment Variable.
At this point, the new role is ready to be assumed by developers.
Use OIDC to log into the Private ECR Repository
Ensure you’ve followed the steps above to setup an IAM Identity Provider and Role.
Ensure the AWS CLI is installed for your Gitpod Workspace.
Assume the role
bash# get temporary credentials using OIDC gp idp login aws --role-arn "$ROLE_ARN" # log into docker using the temporary credentials aws ecr get-login-password --region "AWS_REGION" | docker login --username AWS --password-stdin "$ECR_REGISTRY" 1>/dev/null 2>&1 # for test purposes, you may verify the credentials like so aws sts get-caller-identity
At this point, you should be able to
gp validate