We use cookies to understand how people use Depot.
Depot
Sign InStart for free
Container Builds

AWS CodeBuild

Authentication

For AWS CodeBuild, you can use project or user access tokens for authenticating your build with Depot. We recommend using project tokens as they are scoped to the specific project and are owned by the organization.

Project token

You can inject project access tokens into the CodeBuild environment for depot CLI authentication. Project tokens are tied to a specific project in your organization and not a user.

User access token

You can inject a user access token into the CodeBuild environment for depot CLI authentication. User tokens are tied to a specific user and not a project. Therefore, it can be used to build all projects across all organizations which the user has access.

Configuration

To build a Docker image from AWS CodeBuild, you must set the DEPOT_TOKEN environment variable by injecting it from Secrets Manager. Note that you also need to grant your IAM service role for CodeBuild permission to access the secret.

{
  'Version': '2012-10-17',
  'Statement':
    [
      {
        'Sid': 'Statement1',
        'Effect': 'Allow',
        'Action': 'secretsmanager:GetSecretValue',
        'Resource': '<arn-of-your-project-token-in-secrets-manager>',
      },
    ],
}

CodeBuild EC2 compute type

With a project or user token stored in Secrets Manager, you can add the DEPOT_TOKEN environment variable to your buildspec.yml file, install the depot CLI, and run depot build to build your Docker image. The following example shows the configuration steps when using the EC2 compute type.

version: 0.2
 
env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
 
phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
  build:
    commands:
      - depot build .

CodeBuild Lambda compute type

The CodeBuild Lambda compute type requires installing the depot CLI in a different directory that is in the $PATH by default. The following example shows the configuration steps when using the Lambda compute type.

version: 0.2
 
env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
 
phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/tmp/codebuild/bin" sh
  build:
    commands:
      - depot build .

Note: The CodeBuild Lambda compute type does not support privileged mode. Therefore, you cannot use the --load flag to load the image back into the Docker daemon as there is no Docker daemon running in the Lambda environment.

Examples

Build multi-platform images natively without emulation

This example shows how you can use the --platform flag to build a multi-platform image for Intel and Arm architectures natively without emulation.

version: 0.2
 
env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
 
phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
  build:
    commands:
      - depot build --platform linux/amd64,linux/arm64 .

Build and push to AWS ECR

This example demonstrates building and pushing a Docker image to AWS ECR from AWS CodeBuild via Depot.

Note that you need to grant your IAM service role for CodeBuild permission to access the ECR repository by adding the following statement to its IAM policy:

{
  "Action": [
    "ecr:BatchCheckLayerAvailability",
    "ecr:CompleteLayerUpload",
    "ecr:GetAuthorizationToken",
    "ecr:InitiateLayerUpload",
    "ecr:PutImage",
    "ecr:UploadLayerPart"
  ],
  "Resource": "*",
  "Effect": "Allow"
}

Logging into ECR with the EC2 compute type

When using the EC2 compute type in CodeBuild, you can login to your ECR registry with docker login via the documented methods provided by ECR. To access docker login, you must make sure that you're CodeBuild environment is configured with Privileged mode turned on.

version: 0.2
 
env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
 
phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
      - echo Logging in to Amazon ECR...
      - aws ecr get-login-password --region <your-aws-region> | docker login --username AWS --password-stdin <your-ecr-registry>
  build:
    commands:
      - depot build -t <your-ecr-registry>:<your-tag> --push .

Logging into ECR with the Lambda compute type

You can build a Docker image with the Lambda compute type in CodeBuild and push it to ECR without using the docker login command by writing the Docker authentication file yourself at $HOME/.docker/config.json and use the --push flag. Note that you can't load the image back into the Docker daemon with the Lambda compute type.

version: 0.2
 
env:
  secrets-manager:
    DEPOT_TOKEN: '<your-project-token-secrets-manager-arn>'
 
phases:
  pre_build:
    commands:
      - ecr_stdin=$(aws ecr get-login-password --region <your-ecr-region>)
      - registry_auth=$(printf "AWS:$ecr_stdin" | openssl base64 -A)
      - mkdir $HOME/.docker
      - echo "{\"auths\":{\"<your-registry-url>\":{\"auth\":\"$registry_auth\"}}}" > $HOME/.docker/config.json
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/tmp/codebuild/bin" sh
  build:
    commands:
      - depot build -t <your-ecr-registry-url>:latest --push .

Obtaining an authenticated Docker config.json

Alternatively, you can copy a pre-configured, authenticated config.json by logging into the Docker registry and copying the config.json file.

$ docker login -u your-username
Password: <type your password>
 
$ cat ~/.docker/config.json

You can now copy the contents of the config.json file and use it in your CodeBuild configuration.

Build and load the image back for testing

You can download the built container image into the workflow using the --load flag.

version: 0.2
 
env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
 
phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
  build:
    commands:
      - depot build --load .

Build, push, and load the image back in one command

You can simultaneously push the built image to a registry and load it back into the CI job using the --load and --push flags together.

version: 0.2
 
env:
  secrets-manager:
    DEPOT_TOKEN: '<arn-of-your-project-token-in-secrets-manager>'
 
phases:
  pre_build:
    commands:
      - echo Installing Depot CLI...
      - curl -L https://depot.dev/install-cli.sh | DEPOT_INSTALL_DIR="/usr/local/bin" sh
      - echo Logging in to Amazon ECR...
      - aws ecr get-login-password --region <your-aws-region> | docker login --username AWS --password-stdin <your-ecr-registry>
  build:
    commands:
      - depot build -t <your-ecr-registry>:<your-tag> --push --load .