Using Buildah to Build Docker Images In Your CodeBuild Project


Building and deploying containerised applications is a big part of modern app development. Many of the most popular CI/CD platforms use containerised runners; in this post we will focus on AWS CodeBuild. What happens when you need a secure, rootless, and daemon-free tool to build Docker containers from within a CI/CD runner container? You use Buildah. Let’s learn how!

📚 This guide is at an intermediate difficulty level. 📚

Why Use Buildah?

Buildah lets you build container images without running privileged CI/CD runners or relying on a daemon, making it a great companion for AWS CodeBuild. The main reasons to use it:

  1. Daemonless Builds: Buildah doesn’t require a background daemon. It’s simpler, leaner, and more secure.
  2. Rootless Containers: Buildah builds securely in environments where elevated access isn’t an option.
  3. OCI Compliance: Buildah is Open Container Initiative (OCI) compliant, so your images will work with most runtimes.
  4. Lightweight: Light and efficient, perfect for CI/CD pipelines.

Step-by-Step Implementation

1. Configure Your CodeBuild Environment

Firstly, set up your CodeBuild project. Use a managed image like aws/codebuild/standard:6.0 or another that supports Buildah and your runtime needs. Make sure to:

  • Grant the service role permissions to interact with ECR.
  • Specify a buildspec file for your instructions.

2. Install Buildah in the Build Environment

Here’s how to install Buildah via your buildspec.yml:

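phases:
  install:
    runtime-versions:
      docker: 20
    commands:
      - echo "Installing Buildah..."
      # yum is the package manager on Amazon Linux images; on an Ubuntu-based image, use apt-get instead.
      - yum -y install buildah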

3. Authenticate to Amazon ECR

To push your images to ECR, you’ll need to log in first. Add this command in the pre_build phase:

  pre_build:
    commands:
      - echo "Logging in to Amazon ECR..."
      - aws ecr get-login-password --region "$AWS_REGION" | buildah login --username AWS --password-stdin "$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com"

4. Build Your Image Using Buildah

Replace your Docker commands with Buildah ones in the build phase:

  build:
    commands:
      - echo "Building the Docker image with Buildah..."
      - buildah bud -t "$REPOSITORY_NAME:latest" .

5. Push the Image to Amazon ECR

Your image is built—time to push it to ECR! Add this in the post_build phase:

  post_build:
    commands:
      - echo "Pushing the Docker image to Amazon ECR..."
      - buildah push "$REPOSITORY_NAME:latest" "docker://$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$REPOSITORY_NAME:latest"

6. Full buildspec.yaml

Here’s the whole buildspec in one place (available for download here):
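
Steps 2 to 5 assembled into one buildspec, as an added example rather than the author's downloadable file. It assumes ACCOUNT_ID and REPOSITORY_NAME are environment variables defined on the CodeBuild project and that the source provider populates CODEBUILD_RESOLVED_SOURCE_VERSION with a commit ID; the variable guard, commit-ID tag, build-status check and digest file are additions that are not in the steps above.

```yaml
version: 0.2

# Added example. ACCOUNT_ID and REPOSITORY_NAME are assumed to be environment
# variables defined on the CodeBuild project; AWS_REGION is set by CodeBuild.
phases:
  install:
    commands:
      - echo "Installing Buildah..."
      # yum applies to Amazon Linux images; on an Ubuntu-based image use apt-get.
      - yum -y install buildah
  pre_build:
    commands:
      # Stop here if any variable is unset or empty, so the registry reference
      # below can never resolve to an unintended host or repository.
      - ': "${ACCOUNT_ID:?}" "${AWS_REGION:?}" "${REPOSITORY_NAME:?}"'
      - REGISTRY="$ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com"
      # Assumption: the source provider reports a commit ID here. Tagging by
      # commit gives each build its own tag; "latest" is only the fallback.
      - IMAGE_TAG="${CODEBUILD_RESOLVED_SOURCE_VERSION:-latest}"
      - echo "Logging in to Amazon ECR..."
      - aws ecr get-login-password --region "$AWS_REGION" | buildah login --username AWS --password-stdin "$REGISTRY"
  build:
    commands:
      - echo "Building the image with Buildah..."
      - buildah bud -t "$REPOSITORY_NAME:$IMAGE_TAG" .
  post_build:
    commands:
      # post_build runs even when the build phase failed; do not push in that case.
      - test "$CODEBUILD_BUILD_SUCCEEDING" = "1"
      - echo "Pushing the image to Amazon ECR..."
      # --digestfile records the digest of the pushed image for later pinning.
      - buildah push --digestfile image.digest "$REPOSITORY_NAME:$IMAGE_TAG" "docker://$REGISTRY/$REPOSITORY_NAME:$IMAGE_TAG"
      - echo "Pushed $(cat image.digest)"
```

The shell variables set in pre_build remain available in later phases because buildspec version 0.2 runs all commands in the same shell instance.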

Conclusion

With Buildah, we get a secure, rootless, and efficient way to build container images in AWS CodeBuild. Buildah is ideal for developers who value security without sacrificing functionality. Give Buildah a try—and if you hit any snags, get in touch and let me know! Happy building!

All code in this post can be found on my GitHub.
