For AWS CodeBuild, you can use project or user access tokens for authenticating your build with Depot. We recommend using project tokens as they are scoped to the specific project and are owned by the organization.
You can inject project access tokens into the CodeBuild environment for depot CLI authentication. Project tokens are tied to a specific project in your organization and not a user.
You can inject a user access token into the CodeBuild environment for depot CLI authentication. User tokens are tied to a specific user and not a project. Therefore, it can be used to build all projects across all organizations which the user has access.
To build a Docker image from AWS CodeBuild, you must set the DEPOT_TOKEN environment variable by injecting it from Secrets Manager. Note that you also need to grant your IAM service role for CodeBuild permission to access the secret.
{
'Version': '2012-10-17',
'Statement':
[
{
'Sid': 'Statement1',
'Effect': 'Allow',
'Action': 'secretsmanager:GetSecretValue',
'Resource': '<arn-of-your-project-token-in-secrets-manager>',
},
],
}With a project or user token stored in Secrets Manager, you can add the DEPOT_TOKEN environment variable to your buildspec.yml file, install the depot CLI, and run depot build to build your Docker image. The following example shows the configuration steps when using the EC2 compute type.
version: 0.2
env:
secrets-manager:
DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
phases:
pre_build:
commands:
- echo Installing Depot CLI...
- curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
build:
commands:
- depot build .The CodeBuild Lambda compute type requires installing the depot CLI in a different directory that is in the $PATH by default. The following example shows the configuration steps when using the Lambda compute type.
version: 0.2
env:
secrets-manager:
DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
phases:
pre_build:
commands:
- echo Installing Depot CLI...
- curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/tmp/codebuild/bin" sh
build:
commands:
- depot build .Note: The CodeBuild Lambda compute type does not support privileged mode. Therefore, you cannot use the --load flag to load the image back into the Docker daemon as there is no Docker daemon running in the Lambda environment.
This example shows how you can use the --platform flag to build a multi-platform image for Intel and Arm architectures natively without emulation.
version: 0.2
env:
secrets-manager:
DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
phases:
pre_build:
commands:
- echo Installing Depot CLI...
- curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
build:
commands:
- depot build --platform linux/amd64,linux/arm64 .This example demonstrates building and pushing a Docker image to AWS ECR from AWS CodeBuild via Depot.
Note that you need to grant your IAM service role for CodeBuild permission to access the ECR repository by adding the following statement to its IAM policy:
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": "*",
"Effect": "Allow"
}When using the EC2 compute type in CodeBuild, you can login to your ECR registry with docker login via the documented methods provided by ECR. To access docker login, you must make sure that you're CodeBuild environment is configured with Privileged mode turned on.
version: 0.2
env:
secrets-manager:
DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
phases:
pre_build:
commands:
- echo Installing Depot CLI...
- curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
- echo Logging in to Amazon ECR...
- aws ecr get-login-password --region <your-aws-region> | docker login --username AWS --password-stdin <your-ecr-registry>
build:
commands:
- depot build -t <your-ecr-registry>:<your-tag> --push .You can build a Docker image with the Lambda compute type in CodeBuild and push it to ECR without using the docker login command by writing the Docker authentication file yourself at $HOME/.docker/config.json and use the --push flag. Note that you can't load the image back into the Docker daemon with the Lambda compute type.
version: 0.2
env:
secrets-manager:
DEPOT_TOKEN: '<your-project-token-secrets-manager-arn>'
phases:
pre_build:
commands:
- ecr_stdin=$(aws ecr get-login-password --region <your-ecr-region>)
- registry_auth=$(printf "AWS:$ecr_stdin" | openssl base64 -A)
- mkdir $HOME/.docker
- echo "{\"auths\":{\"<your-registry-url>\":{\"auth\":\"$registry_auth\"}}}" > $HOME/.docker/config.json
- echo Installing Depot CLI...
- curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/tmp/codebuild/bin" sh
build:
commands:
- depot build -t <your-ecr-registry-url>:latest --push .You can download the built container image into the workflow using the --load flag.
version: 0.2
env:
secrets-manager:
DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
phases:
pre_build:
commands:
- echo Installing Depot CLI...
- curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
build:
commands:
- depot build --load .You can simultaneously push the built image to a registry and load it back into the CI job using the --load and --push flags together.
version: 0.2
env:
secrets-manager:
DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
phases:
pre_build:
commands:
- echo Installing Depot CLI...
- curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
- echo Logging in to Amazon ECR...
- aws ecr get-login-password --region <your-aws-region> | docker login --username AWS --password-stdin <your-ecr-registry>
build:
commands:
- depot build -t <your-ecr-registry>:<your-tag> --push --load .