You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi. Thank you for this action. I am looking for advice on best practices for pulling ECR images published by amazon (for example, the AWS DLC images). I'm sorry if this is the wrong place to ask such questions.
Here is a GH workflows YAML snippet to illustrate what I mean:
- name: Configure AWS credentialsuses: aws-actions/configure-aws-credentials@v4with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}aws-region: us-west-2
- name: Login to Amazon ECRid: login-ecruses: aws-actions/amazon-ecr-login@v2# this fails with 'no basic auth credentials'. What is the recommended practice?
- name: Pull AWS ECR imageid: pull-ecr-imagerun: | docker pull 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference:2.4.0-gpu-py311-cu124-ubuntu22.04-ec2
I've tried many variations of the pull-ecr-image step shown above. Things I wouldn't expect to be necessary in this case like aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference:2.4.0-gpu-py311-cu124-ubuntu22.04-ec2 && docker pull 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference:2.4.0-gpu-py311-cu124-ubuntu22.04-ec2 work just fine locally, but fail on GH Actions:
Error response from daemon: pull access denied for 763104351884.dkr.ecr..amazonaws.com/pytorch-inference, repository does not exist or may require 'docker login': denied: User: arn:aws:iam::REDACTED is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr::763104351884:repository/pytorch-inference because no identity-based policy allows the ecr:BatchGetImage action
This is after explicitly associating Allowecr:BatchGetImage for the arn:aws:ecr:us-west-2:763104351884:repository/amazonaws.com/pytorch-inference resource with the IAM being used here (which I wouldn't expect to be necessary anyway). If I try ecr:BatchGetImage for the same IAM and ARN in the policysim, I have no issues.
Any advice would be appreciated.
The text was updated successfully, but these errors were encountered:
and others
Hi. Thank you for this action. I am looking for advice on best practices for pulling ECR images published by amazon (for example, the AWS DLC images). I'm sorry if this is the wrong place to ask such questions.
Here is a GH workflows YAML snippet to illustrate what I mean:
I've tried many variations of the
pull-ecr-imagestep shown above. Things I wouldn't expect to be necessary in this case likeaws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference:2.4.0-gpu-py311-cu124-ubuntu22.04-ec2 && docker pull 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference:2.4.0-gpu-py311-cu124-ubuntu22.04-ec2work just fine locally, but fail on GH Actions:This is after explicitly associating
Allowecr:BatchGetImagefor thearn:aws:ecr:us-west-2:763104351884:repository/amazonaws.com/pytorch-inferenceresource with the IAM being used here (which I wouldn't expect to be necessary anyway). If I tryecr:BatchGetImagefor the same IAM and ARN in the policysim, I have no issues.Any advice would be appreciated.
The text was updated successfully, but these errors were encountered: