Skip to main content
Welcome back. In this lesson you’ll create and commit a buildspec.yml that builds a Docker image with CodeBuild and pushes it to Amazon ECR. We’ll cover a recommended, minimal buildspec, explain the important lines, show how to commit the file from Cloud9, and how to verify the commit in CodeCommit. Prerequisites
  • An ECR repository already created in your AWS account.
  • A Cloud9 environment with your source repository checked out.
  • A CodeBuild project (or CodePipeline) that will use this buildspec.yml.
  • The CodeBuild environment image must support Docker and have “Privileged” mode enabled (so Docker can run inside the build container).
  • The CodeBuild service role must have permissions to interact with ECR.
Open your Cloud9 editor and the repository you want to build.
The image shows the Amazon Elastic Container Registry interface with a private repository named "cryptoproject" listed. It includes details like the repository URI, creation date, and encryption type.
Create a new file named buildspec.yml in the repository and paste the following content. This buildspec:
  • Logs in to ECR using the modern get-login-password method.
  • Computes a short commit SHA to use as an image tag.
  • Builds and tags the Docker image.
  • Pushes both latest and the commit-tagged image to ECR.
Key lines explained
  • aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com
    Uses the supported way to authenticate Docker to ECR. Do not use the deprecated aws ecr get-login.
  • COMMIT_HASH=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)
    CODEBUILD_RESOLVED_SOURCE_VERSION is set by CodeBuild and typically contains the full commit SHA. The cut extracts a short 7-character tag.
  • REPOSITORY_URI
    Should be provided as an environment variable in your CodeBuild project and typically looks like 123456789012.dkr.ecr.eu-central-1.amazonaws.com/cryptoproject.
  • Pushing both latest and the commit-tagged image gives you a stable latest for deployments and a traceable commit history in ECR.
Use aws ecr get-login-password with docker login --password-stdin because aws ecr get-login is deprecated and may not be available in newer AWS CLI versions.
Required environment variables and IAM permissions
Ensure the CodeBuild project runs in “Privileged” mode (required for Docker-in-Docker) and that the CodeBuild service role includes the ECR-related permissions listed above. Without these, your build will fail when attempting to build or push images.
Commit and push buildspec.yml from Cloud9
  1. Save the file (Ctrl+S or File → Save).
  2. From the Cloud9 terminal run the following commands:
Sample console output (illustrative):
Verify the commit in CodeCommit Open the CodeCommit repository in the AWS Console and confirm that buildspec.yml appears in the repository root.
The image depicts an AWS CodeCommit interface showing a repository named "aws-microservice-project." Various options and menus for developer tools are visible on the left sidebar.
Next steps
  • Create or configure a CodeBuild project (or CodePipeline) that points to this repository and has the REPOSITORY_URI, AWS_ACCOUNT_ID, and AWS_DEFAULT_REGION environment variables set.
  • Make sure the build environment supports Docker and has privileged mode enabled.
  • After a push, CodeBuild will run the buildspec.yml steps, build the Docker image, and push it to ECR.
Links and references That’s it for this lesson.

Watch Video