
GitHub Docker Container Action from ECR


I want to create a GitHub Action that uses a Docker image from a private ECR repository.

Here is the simplified action definition.

action.yaml

name: 'ECR Image Action'
description: '-'
runs:
  using: 'docker'
  image: '00000000000.dkr.ecr.eu-central-1.amazonaws.com/user/image:tag'

workflow.yaml

  [...]

  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v1
    with:
      aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      aws-region: 'eu-central-1'

  - name: Login to Amazon ECR
    uses: aws-actions/amazon-ecr-login@v1

  - name: Private Action
    uses: user/private-action@v1

  [...]

The problem is that GitHub does not recognize the ECR login when it tries to pull the image from ECR.

Unable to find image '00000000000.dkr.ecr.eu-central-1.amazonaws.com/user/image:tag' locally
docker: Error response from daemon: Head "https://***.dkr.ecr.eu-central-1.amazonaws.com/v2/user/image/manifests/latest": no basic auth credentials.

So far, the only way I have found to work around this issue is to have the action in the same repository as the workflow and manually pull the image before running the Docker container action.

  - name: Pull action image
    run: docker pull 00000000000.dkr.ecr.eu-central-1.amazonaws.com/user/image:tag

  - name: Private Action
    uses: ./.github/actions/private-action

The docker pull command successfully uses the credentials from the aws-actions. The downside of this solution is that it only works if the action is in the same repository as the workflow. When the action.yaml is in its own action repository (which also builds and pushes the Docker action image to ECR), GitHub does not even try to use the image that has been pulled manually; when setting up the job, it internally tries to pull all images for the Docker container actions in the workflow, and here again it runs into the no basic auth error.

Is it possible at all to use an action repository with a docker container action that pulls the image from ECR, and how do you pass the credentials in this scenario?


Solution

  • Well, again answering my own question: It is not officially supported to use a Docker Container Action with an image from any private registry.

    The only way is the workaround which I already described in the question: You simply log in to your private registry and pull the image so that it exists in the action runner's local registry. When you then run the action relying on that image, it simply picks the local one.
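
A pre-pull helper for the workaround above, as an added example that is not part of the original question or answer: it reads the image reference from the local action's action.yaml instead of hardcoding it a second time in the workflow, pulls it with the credentials left by the ECR login step, and fails with a clear message when the pull is rejected. The function names are hypothetical, and it assumes the image is declared on a single `image:` line as in the question.

```shell
#!/usr/bin/env bash
# Added example: pre-pull the image that a local Docker container action declares.

# Print the image reference from an action metadata file (runs.image),
# without surrounding quotes or an optional docker:// prefix.
# Assumption: the first "image:" line in the file is the one under "runs:".
action_image() {
  sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" | head -n 1 |
    tr -d "\"'" | sed -e 's/[[:space:]]*$//' -e 's#^docker://##'
}

# Print the registry host of an image reference. Prints nothing when the
# first path component is not a host (no dot, no colon, not "localhost"),
# which is how Docker decides a reference belongs to Docker Hub.
registry_host() {
  _first="${1%%/*}"
  [ "$_first" = "$1" ] && return 0
  case "$_first" in
    *.*|*:*|localhost) printf '%s\n' "$_first" ;;
  esac
}

# Make sure the action's image is in the runner's local image store.
# Returns 0 if present or pulled, 1 if the pull failed, 2 if the action
# declares no registry image.
ensure_action_image() {
  _image="$(action_image "$1")"
  if [ -z "$_image" ] || [ "$_image" = "Dockerfile" ]; then
    echo "no registry image declared in $1" >&2
    return 2
  fi
  if docker image inspect "$_image" >/dev/null 2>&1; then
    echo "already local: $_image"
    return 0
  fi
  if ! docker pull "$_image"; then
    echo "pull failed; log in to '$(registry_host "$_image")' before this step" >&2
    return 1
  fi
  docker image inspect "$_image" >/dev/null 2>&1
}

# Usage in a run step placed after checkout and the ECR login step:
#   ensure_action_image .github/actions/private-action/action.yaml
```

Because the reference comes from action.yaml itself, the image that is pulled is always the one the action step will look for locally.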