Skip to content

Instantly share code, notes, and snippets.

@iamjjanga-ouo

iamjjanga-ouo/aws_login.yml

Forked from tedivm/aws_login.yml
Last active July 16, 2024 13:59
Show Gist options
  • Save iamjjanga-ouo/41e13519addfac59eb5649bda8b50825 to your computer and use it in GitHub Desktop.
Save iamjjanga-ouo/41e13519addfac59eb5649bda8b50825 to your computer and use it in GitHub Desktop.
Download ZIP
[github/github-action/aws-ecr-oidc] AWS ECR Github Actions OIDC #github-action
Raw
aws_login.yml
jobs:
deploy:
name: Push to ECR
runs-on: ubuntu-latest
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::999999999999:role/github-actions-${{ github.repository }}
aws-region: us-west-2
Raw
ecr-publish.yml
name: Push to ECR
on:
push:
branches: ['main']
release:
types: ['published']
jobs:
push-container:
runs-on: ubuntu-latest
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v2
- name: "Create and Push Image"
uses: explosion/action-ecr-publish@v1
with:
aws_account_id: REGISTRY_ACCOUNT
aws_region: REGISTRY_REGION
Raw
ecr.tf
resource "aws_ecr_repository" "main" {
name = var.name
}
Raw
github_iam_policy.tf
data "aws_iam_policy_document" "github_actions" {
statement {
actions = [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
]
resources = [aws_ecr_repository.main.arn]
}
statement {
actions = [
"ecr:GetAuthorizationToken",
]
resources = ["*"]
}
}
resource "aws_iam_policy" "github_actions" {
name = "github-actions-${var.name}"
description = "Grant Github Actions the ability to push to ${var.name} from explosion/${var.name}"
policy = data.aws_iam_policy_document.github_actions.json
}
resource "aws_iam_role_policy_attachment" "github_actions" {
role = aws_iam_role.github_actions.name
policy_arn = aws_iam_policy.github_actions.arn
}
Raw
github_iam_role.tf
data "aws_iam_policy_document" "github_actions_assume_role" {
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = [var.openid_connect_provider.arn]
}
condition {
test = "StringLike"
variable = "token.actions.githubusercontent.com:sub"
values = ["repo:${var.organization}/${var.name}:*"]
}
}
}
resource "aws_iam_role" "github_actions" {
name = "github-actions-${var.organization}-${var.name}"
assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role.json
}
Raw
github_oicd.tf
resource "aws_iam_openid_connect_provider" "github" {
url = "https://token.actions.githubusercontent.com"
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}
Raw
main.tf
locals {
repositories = [
"frontend_project",
"backend_project",
"random_service"
]
}
resource "aws_iam_openid_connect_provider" "github" {
url = "https://token.actions.githubusercontent.com"
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = ["a031c46782e6e6c662c2c87c76da9aa62ccabd8e"]
}
module "repositories" {
for_each = toset(locals.repositories)
name = each.value
oidc_arn = aws_iam_openid_connect_provider.github.arn
}
Raw
push.yml
name: AWS ECR Push
on:
push:
branches: ['main']
release:
types: ['published']
env:
AWS_REGION: "us-west-2"
AWS_ACCOUNT_ID: "999999999999"
jobs:
deploy:
name: Push to ECR
runs-on: ubuntu-latest
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-actions-${{ github.event.repository.name }}
aws-region: ${{ env.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v3
with:
images: ${{ env.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com/${{ github.event.repository.name }}
tags: |
type=schedule,pattern=latest
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=ref,event=branch
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
context: .
push: true
platforms: linux/amd64,linux/arm64
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
Raw
variables.tf
variable "name" {
description = "Name of the ECR Repository- should match the Github repo name."
type = string
}
variable "organization" {
description = "Name of the Github Organization."
type = string
default = "multi-py"
}
variable "oidc_arn" {
description = "The OpenID Connect provider ARN."
type = string
}
@iamjjanga-ouo
Copy link
Author

iamjjanga-ouo commented Apr 5, 2024
edited
Loading

Solve for this situation

To solve the issue of encountering a "403 Forbidden" error message when using buildx in GitHub Actions, where some Docker layers are not pushed, it's important to understand that the 'docker push method' reads remote layers and compares them to detect any differences. If differences are found, the image layer is then pushed. It's crucial to check that "ecr:BatchGetImage" in the IAM Policy is set correctly to enable the comparison of Docker image layers during the build process.

Check this

  • "ecr:BatchGetImage" in IAM Policy is important to compare docker image layer when image build
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment