
Pushing multiple tags to Amazon ECR


Troubleshooting

Before submitting a bug report please read the Troubleshooting doc.

Behaviour

I’d like to push an image with multiple tags to our ECR.

Steps to reproduce this issue

Expected behaviour

The built docker image should be pushed to our Amazon ECR.

Actual behaviour

If using full registry as a tag:

- name: Build & Push image
  uses: docker/build-push-action@v2
  env:
    DOCKER_BUILDKIT: 1
  with:
    context: .
    file: ./Dockerfile
    push: true
    cache-from: type=local,src=/tmp/.buildx-cache
    cache-to: type=local,dest=/tmp/.buildx-cache
    tags: |
      repo:${{ github.sha }}
      repo:latest

I get this error:

#28 ERROR: server message: insufficient_scope: authorization failed
------
 > exporting to image:
------
failed to solve: rpc error: code = Unknown desc = server message: insufficient_scope: authorization failed
Error: The process '/usr/bin/docker' failed with exit code 1

With full registry:

- name: Build & Push image
  uses: docker/build-push-action@v2
  env:
    DOCKER_BUILDKIT: 1
  with:
    context: .
    file: ./Dockerfile
    push: true
    cache-from: type=local,src=/tmp/.buildx-cache
    cache-to: type=local,dest=/tmp/.buildx-cache
    tags: |
      000000000000.dkr.ecr.nn-nnnn-1.amazonaws.com/repo:${{ github.sha }}
      000000000000.dkr.ecr.nn-nnnn-1.amazonaws.com/repo:latest

Gave me this error

#28 ERROR: unexpected status: 401 Unauthorized
------
 > exporting to image:
------
failed to solve: rpc error: code = Unknown desc = unexpected status: 401 Unauthorized
Error: The process '/usr/bin/docker' failed with exit code 1

I believe the errors were reversed when I didn’t use driver-opts: image=moby/buildkit:master

Configuration

- name: Login to ECR
  uses: docker/login-action@v1
  with:
    registry: 000000000000.dkr.ecr.nn-nnnn-1.amazonaws.com
    username: ${{ secrets.AWS_ACCESS_KEY_ID }}
    password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v1
  with:
    driver-opts: image=moby/buildkit:master

- name: Cache Docker layers
  uses: actions/cache@v2
  with:
    path: /tmp/.buildx-cache
    key: ${{ runner.os }}-buildx-${{ github.sha }}
    restore-keys: |
      ${{ runner.os }}-buildx-

- name: Build & Push image
  uses: docker/build-push-action@v2
  env:
    DOCKER_BUILDKIT: 1
  with:
    context: .
    file: ./Dockerfile
    push: true
    cache-from: type=local,src=/tmp/.buildx-cache
    cache-to: type=local,dest=/tmp/.buildx-cache
    tags: |
      repo:${{ github.sha }}
      repo:latest

Alternate tags with full registry:

- name: Build & Push image
  uses: docker/build-push-action@v2
  env:
    DOCKER_BUILDKIT: 1
  with:
    context: .
    file: ./Dockerfile
    push: true
    cache-from: type=local,src=/tmp/.buildx-cache
    cache-to: type=local,dest=/tmp/.buildx-cache
    tags: |
      000000000000.dkr.ecr.nn-nnnn-1.amazonaws.com/repo:${{ github.sha }}
      000000000000.dkr.ecr.nn-nnnn-1.amazonaws.com/repo:latest

Logs

Excluding logs because this is a private repo and I don’t have time right now to strip secrets.

Referencing #20 so people can see a link if they are searching.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 12 (5 by maintainers)

Top GitHub Comments

3 reactions
crazy-max commented, Oct 7, 2020

@michaelhelmick Ok I’ve made some tests on my own and everything looks good to me.

From what I see, your policy won’t be able to push on a registry (missing InitiateLayerUpload, UploadLayerPart, CompleteLayerUpload, PutImage).

Here is my policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage"
            ],
            "Resource": "*"
        }
    ]
}

Workflow: https://github.com/crazy-max/test-docker-action/blob/89fa31b4a81e9ac5458494ae6efe3e1314d0d0bc/.github/workflows/ecr.yml

name: ecr

on:
  push:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2.3.1
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@master
        with:
          platforms: all
      -
        name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@master
      -
        name: Available platforms
        run: echo ${{ steps.buildx.outputs.platforms }}
      -
        name: Login to ECR
        uses: docker/login-action@v1
        with:
          registry: ${{ secrets.AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      -
        name: Build and push
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./Dockerfile
          push: true
          tags: |
            ${{ secrets.AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/test-docker-action:latest
            ${{ secrets.AWS_ACCOUNT_NUMBER }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/test-docker-action:1.0.0

And result: https://github.com/crazy-max/test-docker-action/runs/1222130192?check_suite_focus=true#step:7:76


1 reaction
michaelhelmick commented, Oct 7, 2020

@crazy-max, I updated our deploy policy to be less strict

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecs:DiscoverPollEndpoint",
                "ecr:CreateRepository",
                "ecs:CreateCluster",
                "ecr:GetAuthorizationToken",
                "ecs:DeleteService",
                "ecs:DescribeTaskDefinition",
                "ecs:ListServices",
                "ecs:DeregisterTaskDefinition",
                "ecs:UpdateService",
                "iam:PassRole",
                "ecs:CreateService",
                "ecs:ListTaskDefinitionFamilies",
                "ecs:RegisterTaskDefinition",
                "ecs:DescribeServices",
                "ecs:ListTaskDefinitions",
                "ecs:ListClusters"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": [
                "arn:aws:ecs:*:*:task-definition/*:*",
                "arn:aws:ecs:*:*:task/*",
                "arn:aws:ecs:*:*:container-instance/*",
                "arn:aws:ecs:*:*:cluster/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "ecr:*",
                "cloudtrail:LookupEvents"
            ],
            "Resource": "*"
        }
    ]
}

This currently works using:

aws-actions/amazon-ecr-login@v1 uses env vars that are set for key/secret

- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1

- name: Build, tag, and push image to Amazon ECR
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    ECR_REPOSITORY: repo
    IMAGE_TAG: ${{ github.sha }}
  run: |
    docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
    docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
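The two comments above show the two failure modes in this thread: a CI policy that lacks the upload actions crazy-max lists, and a fix that grants `ecr:*` on every resource. As an added example (not code from the issue, from docker/build-push-action or from AWS), here is a small Python check that flags both; the sample policy documents in it are constructed to mirror those two cases, and the `check_push_policy` function is the assumed interface.

```python
# Added example (not from the issue or docker/build-push-action): check an
# IAM policy document for the ECR actions a push needs, using the action
# list crazy-max gives above. The sample policies below are constructed.
import fnmatch
import json

# GetAuthorizationToken covers the login step; the remaining actions cover
# layer upload and the final manifest PutImage.
PUSH_ACTIONS = ("ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload", "ecr:PutImage")


def _as_list(value):
    # IAM accepts either a string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def _matches(action, patterns):
    # IAM action names match case-insensitively and support '*' and '?'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def check_push_policy(policy_json):
    """Return (missing_push_actions, warnings) for a policy document."""
    allowed, denied, warnings = [], [], []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        actions = _as_list(stmt.get("Action"))
        is_allow = stmt.get("Effect") == "Allow"
        (allowed if is_allow else denied).extend(actions)
        # Least-privilege check: ecr:* on every resource also grants delete,
        # repository-policy and lifecycle rights a CI push job never needs.
        if (is_allow and any(a.lower() in ("ecr:*", "*") for a in actions)
                and "*" in _as_list(stmt.get("Resource"))):
            warnings.append(f"{stmt.get('Sid', '<no Sid>')}: ecr:* on Resource *")
    missing = [a for a in PUSH_ACTIONS
               if not _matches(a, allowed) or _matches(a, denied)]
    return missing, warnings


# Constructed: a pull-only policy like the one behind the issue's errors.
READ_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
               "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]}]})

# Constructed: the broad ecr:* statement the poster switched to.
WILDCARD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor2", "Effect": "Allow", "Resource": "*",
    "Action": ["ecr:*", "cloudtrail:LookupEvents"]}]})
```

Running `check_push_policy(READ_ONLY)` reports the four upload actions as missing, while `check_push_policy(WILDCARD)` reports nothing missing but warns about the unscoped wildcard; a Deny statement for any of the six actions is also reported as missing.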
