Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Best practices on pulling official images? #686

Open
myedibleenso opened this issue Oct 7, 2024 · 0 comments
Open

Best practices on pulling official images? #686

myedibleenso opened this issue Oct 7, 2024 · 0 comments

Comments

@myedibleenso
Copy link

Hi. Thank you for this action. I am looking for advice on best practices for pulling ECR images published by amazon (for example, the AWS DLC images). I'm sorry if this is the wrong place to ask such questions.

Here is a GH workflows YAML snippet to illustrate what I mean:

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-west-2

    - name: Login to Amazon ECR
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v2

    # this fails with 'no basic auth credentials'.  What is the recommended practice?
    - name: Pull AWS ECR image
      id: pull-ecr-image
      run: |
        docker pull 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference:2.4.0-gpu-py311-cu124-ubuntu22.04-ec2

I've tried many variations of the pull-ecr-image step shown above. Things I wouldn't expect to be necessary in this case like aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference:2.4.0-gpu-py311-cu124-ubuntu22.04-ec2 && docker pull 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference:2.4.0-gpu-py311-cu124-ubuntu22.04-ec2 work just fine locally, but fail on GH Actions:

Error response from daemon: pull access denied for 763104351884.dkr.ecr..amazonaws.com/pytorch-inference, repository does not exist or may require 'docker login': denied: User: arn:aws:iam::REDACTED is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr::763104351884:repository/pytorch-inference because no identity-based policy allows the ecr:BatchGetImage action

This is after explicitly associating Allow ecr:BatchGetImage for the arn:aws:ecr:us-west-2:763104351884:repository/amazonaws.com/pytorch-inference resource with the IAM being used here (which I wouldn't expect to be necessary anyway). If I try ecr:BatchGetImage for the same IAM and ARN in the policysim, I have no issues.

Any advice would be appreciated.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@myedibleenso and others