Francesco Tonini
Francesco's Blog

TIL #0: how to push Docker images on AWS ECR public with GitHub Actions

Francesco Tonini

Published on Sep 19, 2021

Hi! So I was working on a Docker image and I wanted to create a GitHub action to build and deploy it to a public AWS repository.

Following some examples on GitHub, I was able to build the image, but the push to AWS failed with the classic "Unauthorized" message.

So what was wrong? Just a couple of things:

  1. The IAM policy did not include the sts:GetServiceBearerToken permission, hence the authentication issue.
  2. To log in to AWS I was using amazon-ecr-login, an action from AWS, which was designed for private registries only. Fortunately, the login-action from Docker supports ECR public and I was able to fix it.
  3. AWS ECR public is available only on us-east-1. Authentication to other regions won't succeed.

It took me some time to figure this out, so I might just write it down to make sure I won't waste time in the future 🙈.

```yaml
name: Build and push

on:
  push:
    branches:
      - 'main'

jobs:
  docker:
    runs-on: ubuntu-20.04
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1

      # docker/login-action supports ECR public; amazon-ecr-login is for private registries only
      - name: Login to Amazon ECR
        uses: docker/login-action@v1
        with:
          registry: public.ecr.aws
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        env:
          # ECR public authentication only works against us-east-1
          AWS_REGION: us-east-1

      - name: Build and push
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: public.ecr.aws/your-alias/your-repo:your-tag
```
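
For reference, here is a least-privilege IAM policy for the access key the workflow logs in with, including the sts:GetServiceBearerToken permission from point 1. This is an added example, not the author's own policy: `<ACCOUNT_ID>` is a placeholder, `your-repo` follows the tag in the workflow, and the Sid names are arbitrary. The two token actions have to use `"Resource": "*"`, while the push actions are scoped to the single repository.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrPublicLogin",
      "Effect": "Allow",
      "Action": [
        "ecr-public:GetAuthorizationToken",
        "sts:GetServiceBearerToken"
      ],
      "Resource": "*"
    },
    {
      "Sid": "EcrPublicPushOneRepo",
      "Effect": "Allow",
      "Action": [
        "ecr-public:BatchCheckLayerAvailability",
        "ecr-public:InitiateLayerUpload",
        "ecr-public:UploadLayerPart",
        "ecr-public:CompleteLayerUpload",
        "ecr-public:PutImage"
      ],
      "Resource": "arn:aws:ecr-public::<ACCOUNT_ID>:repository/your-repo"
    }
  ]
}
```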

See you soon, Francesco 👋

 