Pushing to Public AWS Container Registry with GitHub Actions

Posted May 23rd, 2021 in cloud-software

I wanted to push a Docker container I use for some automation tasks to my own public container registry, because it would mean I didn't need to deal with authentication on the consuming end (since the code was public in GitHub anyway).

The Dockerfile is at the root of my repository, and earlier steps in the workflow build the code (in this case it's a C# application).

IAM User

First, you need to create an IAM user and add its access key and secret as repository secrets. Here's the permission statement that the user needs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetAuthorizationToken",
            "Effect": "Allow",
            "Action": [
                "ecr-public:GetAuthorizationToken",
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
        }
    ]
}

Amazon ECR Permissions

Each Amazon container repository has its own permissions document. In order to allow the user above to push to the repository, we must apply a permissions document that looks like this:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "new statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS account ID here>:user/<IAM user name here>"
      },
      "Action": [
        "ecr-public:BatchCheckLayerAvailability",
        "ecr-public:CompleteLayerUpload",
        "ecr-public:DescribeImageTags",
        "ecr-public:DescribeImages",
        "ecr-public:DescribeRepositories",
        "ecr-public:InitiateLayerUpload",
        "ecr-public:ListImages",
        "ecr-public:PutImage",
        "ecr-public:UploadLayerPart"
      ]
    }
  ]
}

This is added to the "Permissions" section of the repository in the console (a WYSIWYG editor is also available).
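The two policy documents above are small enough to hand-edit, but the placeholders in the repository policy are easy to get wrong, and a repository policy with a wildcard principal or extra actions turns a public registry into a world-writable one. The following added example (my own code, not from the post) fills in the repository policy for a given account ID and IAM user name, and audits both that document and the IAM user's identity policy against the action lists the post uses. The account ID, user name and the "bad" policy at the bottom are constructed sample values.

```python
"""Generate and audit the ECR Public policies described in the post."""
import json
import re

# Actions the post grants to the pushing IAM user on the repository.
PUSH_ACTIONS = [
    "ecr-public:BatchCheckLayerAvailability",
    "ecr-public:CompleteLayerUpload",
    "ecr-public:DescribeImageTags",
    "ecr-public:DescribeImages",
    "ecr-public:DescribeRepositories",
    "ecr-public:InitiateLayerUpload",
    "ecr-public:ListImages",
    "ecr-public:PutImage",
    "ecr-public:UploadLayerPart",
]

# Actions the IAM user's own identity policy needs to obtain a registry token.
TOKEN_ACTIONS = ["ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken"]

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_repository_policy(account_id: str, user_name: str) -> dict:
    """Return the post's repository policy with the principal placeholder
    filled in for one IAM user. Rejects malformed account IDs early so a
    typo cannot silently grant access to nobody (or the wrong account)."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "AllowPushFromCiUser",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
                "Action": list(PUSH_ACTIONS),
            }
        ],
    }


def _as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _principals(stmt: dict) -> list:
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def audit_policy(policy: dict, allowed_actions: list, check_principal: bool) -> list:
    """Return human-readable findings for Allow statements that go beyond
    the expected action list, or (for repository policies) that use a
    wildcard principal. An empty list means the document matches the post."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if check_principal and "*" in _principals(stmt):
            findings.append(f"{sid}: wildcard principal lets any AWS identity push to this repository")
        for action in _as_list(stmt.get("Action")):
            if action not in allowed_actions:
                findings.append(f"{sid}: action {action} is not needed for pushing images")
    return findings


def audit_repository_policy(policy: dict) -> list:
    return audit_policy(policy, PUSH_ACTIONS, check_principal=True)


def audit_identity_policy(policy: dict) -> list:
    return audit_policy(policy, TOKEN_ACTIONS, check_principal=False)


if __name__ == "__main__":
    # Constructed sample values; substitute your own account ID and user name.
    good = build_repository_policy("123456789012", "github-actions-pusher")
    print(json.dumps(good, indent=2))
    print("findings:", audit_repository_policy(good))

    # Constructed example of the kind of policy the audit should reject.
    bad = {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "too open",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["ecr-public:PutImage", "ecr-public:DeleteRepository"],
            }
        ],
    }
    print("findings:", audit_repository_policy(bad))
```

Running the script prints the filled-in repository policy followed by an empty findings list, then two findings for the constructed open policy (the wildcard principal and the DeleteRepository action). The audit is deliberately an allow-list check: any action not in the post's lists is reported, so `ecr-public:*` or `*` is flagged as well.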

GitHub Actions

Here's the important step to authenticate against AWS:

    - name: Login to Public ECR
      uses: docker/login-action@v1
      with:
        registry: public.ecr.aws
        username: ${{ secrets.AWS_ACCESS_KEY_ID }}
        password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

And to push the container with the tag latest and the Git commit hash:

    - name: Push to ECR
      env:
        IMAGE_TAG: ${{ github.sha }}
      run: |
        docker build -t public.ecr.aws/j7m3k0v4/estbot:$IMAGE_TAG -t public.ecr.aws/j7m3k0v4/estbot:latest .
        docker push --all-tags public.ecr.aws/j7m3k0v4/estbot

Here's the full deploy script.

Tagged: container, repository, permissions, public, code, github, iam, amazon, document, docker
