Pushing to Public AWS Container Registry with GitHub Actions

🔖 cloud-software ⏲️ 1 minute to read

⚠️ This post was last updated in 2021, meaning its contents may be outdated.

I wanted to push a Docker container I use for some automation tasks to my own public container registry, because it would mean I didn't need to deal with authentication on the consuming end (since the code was public in GitHub anyway).

The Dockerfile is at the root of my repository, and steps prior build the code (in this case it's a C# application).

IAM User

First, you need to create an IAM user and add its access key and secret as repository secrets. Here's the permission statement that the user needs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetAuthorizationToken",
            "Effect": "Allow",
            "Action": [
                "ecr-public:GetAuthorizationToken",
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
        }
    ]
}

Amazon ECR Permissions

Each Amazon container repository has its own permissions document. In order to allow the user above to push to the repository, we must apply a permissions document that looks like this:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "new statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS account ID here>:user/<IAM user name here>"
      },
      "Action": [
        "ecr-public:BatchCheckLayerAvailability",
        "ecr-public:CompleteLayerUpload",
        "ecr-public:DescribeImageTags",
        "ecr-public:DescribeImages",
        "ecr-public:DescribeRepositories",
        "ecr-public:InitiateLayerUpload",
        "ecr-public:ListImages",
        "ecr-public:PutImage",
        "ecr-public:UploadLayerPart"
      ]
    }
  ]
}

This is added to the "Permissions" section in the console (a WYSIWYG editor is also available):

GitHub Actions

Here's the important step to authenticate against AWS:

    - name: Login to Public ECR
      uses: docker/login-action@v1
      with:
        registry: public.ecr.aws
        username: ${{ secrets.AWS_ACCESS_KEY_ID }}
        password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

And to push the container with the tag latest and the Git commit hash:

    - name: Push to ECR
      env:
        IMAGE_TAG: ${{ github.sha }}
      run: |
        docker build -t public.ecr.aws/j7m3k0v4/estbot:$IMAGE_TAG .
        docker build -t public.ecr.aws/j7m3k0v4/estbot:latest .
        docker push --all-tags public.ecr.aws/j7m3k0v4/estbot

Here's the full deploy script.

🏷️ container permission repository public github aws registry actions code iam secret amazon document docker automate

⬅️ Previous post: Graphing Sensor Data from a Raspberry Pi with Grafana

➡️ Next post: Force Refresh Rocket.Chat Snap SSL Certificate via Caddy

🎲 Random post: Serving Localised Assets from S3 Using Lambda@Edge

Comments

Please click here to load comments.