Q28 — AWS DOP-C02 Ch.2
Question 28 of 100 | ← Chapter 2
A company builds container images in an AWS CodeBuild project by running Docker commands. After building the container image, the CodeBuild project uploads the image to an Amazon S3 bucket. The CodeBuild project uses an IAM service role with permissions to access the S3 bucket. A DevOps engineer needs to replace the S3 bucket with an Amazon Elastic Container Registry (Amazon ECR) repository to store container images. The DevOps engineer creates a private ECR image repository in the same AWS Region as the CodeBuild project. The DevOps engineer updates the IAM service role with permissions required to use the new ECR repository. The DevOps engineer also updates the `buildspec.yml` file to use the new ECR repository in the `docker build` and `docker push` commands. When the CodeBuild project runs a build job, the job fails when attempting to access the ECR repository.
- A. Update the `buildspec.yml` file to use the `aws ecr get-login-password` AWS CLI command to authenticate to the ECR repository and retrieve an authentication token. Update the `docker login` command to use this token to access the ECR repository. ✓
- B. Add an environment variable of type SECRETS_MANAGER to the CodeBuild project. Include the ARN of the CodeBuild project’s IAM service role in the environment variable. Update the `buildspec.yml` file to use the new environment variable with the `docker login` command to access the ECR repository.
- C. Update the ECR repository to be a public image repository. Add an ECR repository policy that grants access to the IAM service role.
- D. Update the `buildspec.yml` file to use the AWS CLI to assume the IAM service role for ECR operations. Add an ECR repository policy that grants access to the IAM service role.
Correct Answer: A. Update the `buildspec.yml` file to use the `aws ecr get-login-password` AWS CLI command to authenticate to the ECR repository and retrieve an authentication token. Update the `docker login` command to use this token to access the ECR repository.
Explanation
An Amazon ECR private registry requires the Docker client to authenticate before any push or pull. Granting the CodeBuild service role IAM permissions on the repository is necessary but not sufficient, because `docker push` does not use IAM credentials directly. The documented flow is to run `aws ecr get-login-password`, which exchanges the role's temporary credentials for a registry token that is valid for 12 hours, and pipe that token into `docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com`. The `buildspec.yml` must include both steps before the `docker push`; the failure described is exactly what happens when they are missing. Option A implements this flow and resolves the error. Option B misuses a SECRETS_MANAGER environment variable: a role ARN is not a secret or a credential, so `docker login` would still have no valid token. Option C makes the repository public, which is unnecessary and weakens security; a public repository also still requires an authentication token for pushes. Option D is redundant: the build already runs under the service role, so there is nothing to assume, and a repository policy is not needed when the role's identity-based policy already grants access to a repository in the same account. Neither step in D supplies the registry token that Docker needs.
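The following `buildspec.yml` is an added example illustrating the flow from Option A; it is not part of the original question and is not the engineer's actual file. The repository name `my-app` and the `IMAGE_TAG` value are assumptions, and the account ID is resolved at build time with `aws sts get-caller-identity` because CodeBuild does not provide it as a built-in variable. `AWS_DEFAULT_REGION` and `CODEBUILD_RESOLVED_SOURCE_VERSION` are environment variables CodeBuild sets automatically. Variables set in `pre_build` remain visible in later phases because buildspec version 0.2 runs all commands in one shell instance.

```yaml
version: 0.2

env:
  variables:
    # Assumed values for this example; replace with the repository created in the question.
    ECR_REPOSITORY: my-app
    IMAGE_TAG: latest

phases:
  pre_build:
    commands:
      # Resolve the account-scoped registry host for the build's own region.
      - ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
      - REGISTRY="${ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com"
      # Exchange the service role's credentials for a 12-hour registry token and feed it
      # to docker login over stdin so it never appears in the build log or process list.
      - aws ecr get-login-password --region "$AWS_DEFAULT_REGION" | docker login --username AWS --password-stdin "$REGISTRY"
  build:
    commands:
      - docker build -t "${ECR_REPOSITORY}:${IMAGE_TAG}" .
      # The image must carry the full registry URI as its tag before it can be pushed.
      - docker tag "${ECR_REPOSITORY}:${IMAGE_TAG}" "${REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
      # Also tag with the commit SHA so the pushed image is traceable to its source.
      - docker tag "${ECR_REPOSITORY}:${IMAGE_TAG}" "${REGISTRY}/${ECR_REPOSITORY}:${CODEBUILD_RESOLVED_SOURCE_VERSION}"
  post_build:
    commands:
      - docker push "${REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
      - docker push "${REGISTRY}/${ECR_REPOSITORY}:${CODEBUILD_RESOLVED_SOURCE_VERSION}"
```

For the `pre_build` login to succeed, the service role's policy must allow `ecr:GetAuthorizationToken` with `Resource` set to `*` (that action is not resource-scoped), and for the push it must allow `ecr:BatchCheckLayerAvailability`, `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload` and `ecr:PutImage` on the repository's ARN. A common mistake when replacing the S3 bucket is to grant only the repository-scoped actions and omit `ecr:GetAuthorizationToken`, which fails at the `get-login-password` step rather than at the push.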