TIL #0: how to push Docker images on AWS ECR public with GitHub Actions
Hi! So I was working on a Docker image and I wanted to create a GitHub action to build and deploy it to a public AWS repository.
Following some examples on GitHub, I was able to build the image, but the push to AWS failed with the classic "Unauthorized" message.
So what was wrong? Just a couple of things:
- The IAM policy did not include the sts:GetServiceBearerToken permission, hence the authentication issue.
- To log in to AWS I was using amazon-ecr-login, an action from AWS, which was designed for private registries only. Fortunately, the login-action from Docker supports ECR public and I was able to fix it.
- AWS ECR public is available only on us-east-1. Authentication to other regions won't succeed.
It took me some time to figure this out, so I might just write it down to make sure I won't waste time in the future.
```yaml
name: Build and push
on:
  push:
    branches:
      - 'main'
jobs:
  docker:
    runs-on: ubuntu-20.04
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      # docker/login-action supports ECR public; amazon-ecr-login was designed for private registries only
      - name: Login to Amazon ECR
        uses: docker/login-action@v1
        with:
          registry: public.ecr.aws
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          # ECR public is available only on us-east-1; authentication to other regions fails
          AWS_REGION: us-east-1
      - name: Build and push
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: public.ecr.aws/your-alias/your-repo:your-tag
```
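For the IAM side mentioned in the first bullet, here is a policy that covers login and push to a single public repository. It is an added example, not the policy from the original setup: the account ID 123456789012 and the repository name your-repo are placeholders, and the push actions are the ECR Public API operations that a docker push calls.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrPublicLogin",
      "Effect": "Allow",
      "Action": [
        "ecr-public:GetAuthorizationToken",
        "sts:GetServiceBearerToken"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PushToOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr-public:BatchCheckLayerAvailability",
        "ecr-public:InitiateLayerUpload",
        "ecr-public:UploadLayerPart",
        "ecr-public:CompleteLayerUpload",
        "ecr-public:PutImage"
      ],
      "Resource": "arn:aws:ecr-public::123456789012:repository/your-repo"
    }
  ]
}
```

The two login actions do not accept a repository ARN, so they stay on `"Resource": "*"`; scoping the push actions to one repository limits what the access key stored in the GitHub secrets can write to.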
See you soon, Francesco