Pushing multiple tags to Amazon ECR #166
Comments
If you don't specify the registry in your tag it will try to push to DockerHub (default if not defined). See https://docs.docker.com/engine/reference/commandline/tag/
Looks like permission scope is not enough (no tag pushed from the few log you give me). Are you able to push to the registry from your computer? See Amazon ECR Managed Policies |
|
@crazy-max, I updated our deploy policy to be less strict This currently works using:
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: repo
IMAGE_TAG: ${{ github.sha }}
run: |
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG |
|
@michaelhelmick Ok I've mode some tests on my own and everything looks good to me. From what I see, your policy won't be able to push on a registry (missing InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload, PutImage). Here is my policy: {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource": "*"
}
]
}name: ecr
on:
push:
jobs:
build:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v2.3.1
-
name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@master
-
name: Available platforms
run: echo ${{ steps.buildx.outputs.platforms }}
-
name: Login to ECR
uses: docker/login-action@v1
with:
registry: ${{ secrets.AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com
username: ${{ secrets.AWS_ACCESS_KEY_ID }}
password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-
name: Build and push
uses: docker/build-push-action@v2
with:
context: .
file: ./Dockerfile
push: true
tags: |
${{ secrets.AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/test-docker-action:latest
${{ secrets.AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/test-docker-action:1.0.0And result: https://github.com/crazy-max/test-docker-action/runs/1222130192?check_suite_focus=true#step:7:76
|
|
I've added those: {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage",
"ecs:DiscoverPollEndpoint",
"ecr:CreateRepository",
"ecs:CreateCluster",
"ecr:GetAuthorizationToken",
"ecs:DeleteService",
"ecs:DescribeTaskDefinition",
"ecs:ListServices",
"ecs:DeregisterTaskDefinition",
"ecs:UpdateService",
"iam:PassRole",
"ecs:CreateService",
"ecs:ListTaskDefinitionFamilies",
"ecs:RegisterTaskDefinition",
"ecs:DescribeServices",
"ecs:ListTaskDefinitions",
"ecs:ListClusters"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ecs:*",
"Resource": [
"arn:aws:ecs:*:*:task-definition/*:*",
"arn:aws:ecs:*:*:task/*",
"arn:aws:ecs:*:*:container-instance/*",
"arn:aws:ecs:*:*:cluster/*"
]
}
]
}
and am still getting: :( Do I need that |
|
Update: Even with QEMU, same error. |
Not required as your image is for the current platform (linux/amd64).
Can you temporarily try with my policy to make sure it's not an issue with the action please? Thanks. |
|
@crazy-max I added it anyways just in case and left it in there for now. I replaced my entire policy with yours and still got the following. Unsure if there's anything more verbose I can grab? |
Can you show me your entire workflow please?
Follow the troubleshooting guide ( |
|
Just the deploy: deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/download-artifact@v2
- name: Unzip
run: unzip -o ./file.zip
- uses: actions/cache@v2
id: cache-pip
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('./requirements/test.txt') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install Python Dependencies
run: pip install -r ./requirements/test.txt
- name: Static
run: make github-static
- name: Set Staging Environment Variables
uses: allenevans/set-env@v1.0.0
with:
AWS_ACCESS_KEY_ID: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.STAGING_AWS_SECRET_ACCESS_KEY }}
if: |
github.event_name == 'pull_request'
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: nn-nnnn-n
- name: Upload to S3
shell: bash
run: aws s3 sync dir s3://dir
- name: Login to ECR
uses: docker/login-action@v1
with:
registry: 00000000000.dkr.ecr.nn-nnnn-n.amazonaws.com
username: ${{ env.AWS_ACCESS_KEY_ID }}
password: ${{ env.AWS_SECRET_ACCESS_KEY }}
- name: Create Sentry Release
env:
SENTRY_ORG: org
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
run: |
curl -sL https://sentry.io/get-cli/ | bash
...
- name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
with:
driver-opts: image=moby/buildkit:master
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Build & Push image
uses: docker/build-push-action@v2
env:
DOCKER_BUILDKIT: 1
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: repo
with:
context: .
file: ./Dockerfile
push: true
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
tags: |
0000000000.dkr.ecr.nn-nnnn-n.amazonaws.com/repo:${{ github.sha }}
0000000000.dkr.ecr.nn-nnnn-n.amazonaws.com/repo:latest
- name: Deploy > Web
run: ecs service update
- name: Logout of Amazon ECR
if: always()
run: docker logout ${{ steps.login-ecr.outputs.registry }}Will set flags in a bit |
|
Could Edit: Editing to 1.0.0 didn't help. |
|
@michaelhelmick You have mixed up authentication methods
- name: Logout of Amazon ECR
if: always()
run: docker logout ${{ steps.login-ecr.outputs.registry }}Remove this step, logout is already triggered by I am closing this issue because it seems that it does not come from this action as I demonstrated above but feel free to leave a message here when you have applied the pre-requisites suggested by AWS. |
|
FWIW, I was pushing to the wrong registry (my account number was for a different environment). Sorry, for all the trouble! |
Troubleshooting
Before sumbitting a bug report please read the Troubleshooting doc.
Behaviour
I'd like to push an image with multiple tags to our ECR.
Steps to reproduce this issue
Expected behaviour
The built docker image should be pushed to our Amazon ECR.
Actual behaviour
If using full registry as a tag:
I get this error:
With full registry:
Gave me this error
I believe the errors were reversed when I didn't use
driver-opts: image=moby/buildkit:masterConfiguration
Alternate
tagswith full registry:Logs
Excluding logs because this is a private repo and I don't have time right now to strip secrets.
Referencing #20 so people can see a link if they are searching.
The text was updated successfully, but these errors were encountered: