Pushing to Public AWS Container Registry with GitHub Actions
⚠️ This post was last updated in 2021, meaning its contents may be outdated.
I wanted to push a Docker container I use for some automation tasks to my own public container registry, because it would mean I didn't need to deal with authentication on the consuming end (since the code was public in GitHub anyway).
The Dockerfile is at the root of my repository, and the workflow steps before this one build the code (in this case a C# application).
IAM User
First, you need to create an IAM user and add its access key ID and secret access key as repository secrets. Here's the permission statement that the user needs (it only lets the user obtain a registry login token; what it may do with that token is decided by the repository policy below):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetAuthorizationToken",
            "Effect": "Allow",
            "Action": [
                "ecr-public:GetAuthorizationToken",
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
        }
    ]
}
Amazon ECR Permissions
Each Amazon ECR Public repository has its own permissions document. To allow the user above to push to the repository (and nothing more, such as deleting images or changing the policy), apply a permissions document that looks like this, with your account ID and IAM user name filled in:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "new statement",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AWS account ID here>:user/<IAM user name here>"
            },
            "Action": [
                "ecr-public:BatchCheckLayerAvailability",
                "ecr-public:CompleteLayerUpload",
                "ecr-public:DescribeImageTags",
                "ecr-public:DescribeImages",
                "ecr-public:DescribeRepositories",
                "ecr-public:InitiateLayerUpload",
                "ecr-public:ListImages",
                "ecr-public:PutImage",
                "ecr-public:UploadLayerPart"
            ]
        }
    ]
}
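As an added example (not code from the original post), here is a small Python check a reviewer could run over both policy documents before wiring the IAM user's keys into repository secrets. It confirms that the user policy grants only the two token actions shown above, and that the repository policy names a specific IAM user ARN (not "*") and grants only the push-related actions listed, nothing that could delete images or rewrite the policy. The account ID and user name used in the usage section are constructed placeholders, and the "bad" policy is constructed to show what a finding looks like.

```python
"""Least-privilege checks for an ECR Public push setup (added example).

The user policy below is the one from the post; the repository policy is
rendered from the post's template with a concrete principal.
"""
import json
import re

# The post's IAM user policy, verbatim.
USER_POLICY_JSON = """{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GetAuthorizationToken",
        "Effect": "Allow",
        "Action": ["ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken"],
        "Resource": "*"
    }]
}"""

# The only actions the IAM user itself should hold: enough to get a login token.
USER_POLICY_ALLOWED = {"ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken"}

# Actions a repository policy may grant to a push-only CI principal (from the post).
PUSH_ONLY_ACTIONS = {
    "ecr-public:BatchCheckLayerAvailability",
    "ecr-public:CompleteLayerUpload",
    "ecr-public:DescribeImageTags",
    "ecr-public:DescribeImages",
    "ecr-public:DescribeRepositories",
    "ecr-public:InitiateLayerUpload",
    "ecr-public:ListImages",
    "ecr-public:PutImage",
    "ecr-public:UploadLayerPart",
}

# A single IAM *user* ARN: 12-digit account, "user/" path, IAM-legal name characters.
USER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@-]+$")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Accept a JSON string or an already-parsed dict and return its Allow statements."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]


def check_user_policy(policy):
    """Return findings (empty list = OK): the user may only obtain a registry token."""
    findings = []
    for stmt in _statements(policy):
        extra = set(_as_list(stmt.get("Action", []))) - USER_POLICY_ALLOWED
        if extra:
            findings.append(f"user policy grants more than token actions: {sorted(extra)}")
    return findings


def check_repository_policy(policy):
    """Return findings (empty list = OK): one named IAM user, push-only actions."""
    findings = []
    for stmt in _statements(policy):
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        for arn in arns:
            if arn == "*":
                findings.append("principal is '*': any AWS principal could push to the repository")
            elif not USER_ARN_RE.match(arn):
                findings.append(f"principal is not a specific IAM user ARN: {arn}")
        # Anything outside the push set (wildcards, delete, policy changes) is over-privilege.
        extra = set(_as_list(stmt.get("Action", []))) - PUSH_ONLY_ACTIONS
        if extra:
            findings.append(f"actions beyond the push-only set: {sorted(extra)}")
    return findings


def build_repository_policy(account_id, user_name):
    """Render the post's repository policy template with a concrete principal."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "AllowCiPush",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
            "Action": sorted(PUSH_ONLY_ACTIONS),
        }],
    }


if __name__ == "__main__":
    # Constructed placeholders: substitute your own account ID and IAM user name.
    repo_policy = build_repository_policy("123456789012", "github-actions-ecr")
    print("user policy findings:", check_user_policy(USER_POLICY_JSON))
    print("repo policy findings:", check_repository_policy(repo_policy))
    # A constructed over-broad policy, to show what the checker flags.
    bad = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["ecr-public:*"]}]}
    print("bad policy findings:", check_repository_policy(bad))
```

The checker treats any action outside the nine listed as a finding, so a policy that quietly adds `ecr-public:DeleteRepository` or an `ecr-public:*` wildcard is caught before it is pasted into the console.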
This is added to the "Permissions" section of the repository in the ECR console (a WYSIWYG editor is also available).
GitHub Actions
Here's the important step to authenticate against AWS, using the IAM user's keys from the repository secrets:
- name: Login to Public ECR
  uses: docker/login-action@v1
  with:
    registry: public.ecr.aws
    username: ${{ secrets.AWS_ACCESS_KEY_ID }}
    password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
And to push the container tagged with both latest and the Git commit hash (one build carrying both tags, so the two tags always point at the same image):
- name: Push to ECR
  env:
    IMAGE_TAG: ${{ github.sha }}
  run: |
    # Build once and apply both tags to the same image
    docker build -t public.ecr.aws/j7m3k0v4/estbot:$IMAGE_TAG -t public.ecr.aws/j7m3k0v4/estbot:latest .
    # Push every local tag of the repository in one go
    docker push --all-tags public.ecr.aws/j7m3k0v4/estbot
Here's the full deploy script.