I configured a .yml in order to build, increment the tag, cache, and push the image to ECR.
Unfortunately I get a 403 Forbidden error, which should be related to IAM privileges.
This is the error log I am getting:
#13 exporting to image
#13 pushing layers 37.6s done
#13 pushing manifest for ***.dkr.ecr.***.amazonaws.com/ocr:v1@sha256:0fdf68b85ecb6ada3348ec2d1e07fc797056118912f9d2e09fd09b92e1014654
#13 pushing manifest for ***.dkr.ecr.***.amazonaws.com/ocr:v1@sha256:0fdf68b85ecb6ada3348ec2d1e07fc797056118912f9d2e09fd09b92e1014654 0.2s done
#13 ERROR: failed to push ***.dkr.ecr.***.amazonaws.com/ocr:v1: unexpected status from HEAD request to https://***.dkr.ecr.***.amazonaws.com/v2/ocr/manifests/sha256:87f55201ab9885311c1b88b03d27aaaa587aac9b19588b3bd5b2a65d18170891: 403 Forbidden
------
> exporting to image:
------
WARNING: local cache import at /tmp/.buildx-cache not found due to err: could not read /tmp/.buildx-cache/index.json: open /tmp/.buildx-cache/index.json: no such file or directory
ERROR: failed to solve: failed to push ***.dkr.ecr.***.amazonaws.com/ocr:v1: unexpected status from HEAD request to https://***.dkr.ecr.***.amazonaws.com/v2/ocr/manifests/sha256:87f55201ab9885311c1b88b03d27aaaa587aac9b19588b3bd5b2a65d18170891: 403 Forbidden
Error: buildx failed with: ERROR: failed to solve: failed to push ***.dkr.ecr.***.amazonaws.com/ocr:v1: unexpected status from HEAD request to https://***.dkr.ecr.***.amazonaws.com/v2/ocr/manifests/sha256:87f55201ab9885311c1b88b03d27aaaa587aac9b19588b3bd5b2a65d18170891: 403 Forbidden
These are my privileges in IAM:
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetRepositoryPolicy",
            "ecr:DescribeRepositories",
            "ecr:ListImages",
            "ecr:DescribeImages",
            "ecr:InitiateLayerUpload",
            "ecr:UploadLayerPart",
            "ecr:CompleteLayerUpload",
            "ecr:PutImage"
        ],
        "Resource": "*"
    }
]
And here's the complete workflow file:
# Configured CI/CD for the ocr repo.
# Reads AWS creds from GitHub secrets, builds, tags, pushes images to 'ocr' and caches the image in repo 'ocr/cache'.
# It defaults to the latest tag used in the GitHub tag command.
# To increment the version simply use: git tag -a v<n> -m 'message' && git push origin <tag>
# Define the name of the GitHub Actions workflow
name: Build and Push Docker Image

# Specify when the workflow should be triggered
on:
  push:
    branches:
      - master # This workflow triggers on push events to the master branch

# Define the jobs to be run by this workflow
jobs:
  build-and-push:
    # Specify the type of virtual host machine to run the job.
    runs-on: ubuntu-latest # Use the latest Ubuntu runner

    # Define the steps of the job
    steps:
      - name: Checkout code
        # Use the checkout action to clone your repository code into the GitHub Actions runner
        uses: actions/checkout@v3

      - name: Set up Docker Buildx
        # Initializes and sets up Docker Buildx to enable advanced build capabilities like building multi-platform images
        uses: docker/setup-buildx-action@master
        id: buildx # Assign an ID to this step to reference its outputs later

      - name: Cache Docker layers
        # Caches Docker build layers to speed up subsequent builds by reusing layers.
        uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache # Path to store the build cache
          key: ${{ runner.os }}-buildx-${{ github.sha }} # Unique key for the cache
          # Fallback keys to restore cache from. Kept on their own line: a '#' inside
          # the '|' block scalar would become part of the key, not a comment.
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Login to Amazon ECR
        # Logs in to Amazon ECR to allow pushing images
        uses: aws-actions/amazon-ecr-login@v2
        env:
          AWS_REGION: ${{ secrets.AWS_REGION }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} # Your AWS Access Key ID
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} # Your AWS Secret Access Key

      - name: Fetch the latest tag from ECR
        # Custom script to determine the next tag version by fetching the latest tag and incrementing it
        id: latest-tag
        run: |
          LATEST_TAG=$(aws ecr describe-images --repository-name ocr --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]' --output text)
          echo "Latest tag is $LATEST_TAG"
          # Step outputs are written to $GITHUB_OUTPUT; the '::set-output' workflow command is deprecated.
          if [[ $LATEST_TAG =~ ^v([0-9]+)$ ]]; then
            NEW_TAG=$((BASH_REMATCH[1] + 1))
            echo "tag=v$NEW_TAG" >> "$GITHUB_OUTPUT"
          else
            echo "tag=v1" >> "$GITHUB_OUTPUT" # Default to v1 if no valid tag is found
          fi
        env:
          AWS_REGION: ${{ secrets.AWS_REGION }} # Replace with your AWS region
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} # Your AWS Access Key ID
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} # Your AWS Secret Access Key

      - name: Build and Push Docker image
        # Builds the Docker image using Buildx and pushes it to the specified ECR repository with the new tag
        uses: docker/build-push-action@v5
        with:
          context: . # Path to the Docker build context
          builder: ${{ steps.buildx.outputs.name }} # Use the Buildx builder instance created earlier
          push: true # Enable pushing the built image to a registry
          tags: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ secrets.AWS_REGION }}.amazonaws.com/ocr:${{ steps.latest-tag.outputs.tag }} # Tag the image
          cache-from: type=local,src=/tmp/.buildx-cache # Use cache from previous builds
          cache-to: type=local,dest=/tmp/.buildx-cache-new # Store new cache

      - name: Move cache
        # Manages the build cache by cleaning up and preparing for the next build.
        run: |
          rm -rf /tmp/.buildx-cache # Remove the old cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache # Rename the new cache
I have tried building the image and pushing it manually using docker build with the same credentials, and the push was successful.
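An added example, not part of the original post: an offline check that evaluates the posted IAM Statement against the ECR actions a buildx push needs, one registry request at a time. The request-to-action mapping is ECR's own: the `HEAD /v2/<repo>/manifests/<ref>` call in the error log is the existence check buildx makes before uploading a manifest, and ECR authorizes it with `ecr:BatchGetImage`, which the posted policy does not grant. The classic `docker push` flow uploads the manifest without that HEAD, which is consistent with the manual push succeeding on the same credentials. The policy document below is the asker's Statement embedded as sample input with an assumed `Version` wrapper; the function names and the `PUSH_REQUESTS` table are mine.

```python
import fnmatch
import json

# The posted IAM Statement, embedded as sample input. The "Version" wrapper is
# assumed; only the Statement array appeared in the question.
POSTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Registry v2 requests issued by a buildx push, in order, with the ECR action
# that authorizes each one. The manifest HEAD is buildx's existence check; a
# policy without ecr:BatchGetImage answers it with 403 instead of 404.
PUSH_REQUESTS = [
    ("aws ecr get-login-password",            "ecr:GetAuthorizationToken"),
    ("HEAD /v2/<repo>/blobs/<digest>",        "ecr:BatchCheckLayerAvailability"),
    ("POST /v2/<repo>/blobs/uploads/",        "ecr:InitiateLayerUpload"),
    ("PATCH /v2/<repo>/blobs/uploads/<uuid>", "ecr:UploadLayerPart"),
    ("PUT /v2/<repo>/blobs/uploads/<uuid>",   "ecr:CompleteLayerUpload"),
    ("HEAD /v2/<repo>/manifests/<ref>",       "ecr:BatchGetImage"),
    ("PUT /v2/<repo>/manifests/<ref>",        "ecr:PutImage"),
]


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def action_allowed(policy, action, resource="*"):
    """Simplified IAM evaluation for one action on one resource: an explicit
    Deny wins, otherwise any matching Allow grants. Action names are
    case-insensitive and both Action and Resource accept '*' and '?'.
    Condition, NotAction and NotResource are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def failing_push_requests(policy, resource="*"):
    """Return the (request, action) pairs of the push flow that would be denied."""
    return [(req, act) for req, act in PUSH_REQUESTS
            if not action_allowed(policy, act, resource)]


def missing_actions(policy, resource="*"):
    """Just the ECR action names the policy would need to add."""
    return [act for _, act in failing_push_requests(policy, resource)]


if __name__ == "__main__":
    for req, act in failing_push_requests(POSTED_POLICY):
        print(f"403 expected on {req}: policy does not allow {act}")
```

For the posted Statement the only failing request is the manifest HEAD. When tightening `Resource` afterwards, keep `ecr:GetAuthorizationToken` on `"*"` (it is not resource-scoped) and scope the remaining actions to the repository ARN; pass that ARN as `resource` to check the scoped policy the same way.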