Docker image building with Github Actions (Repository ZIP + S3 ZIP)

nullforu/docker-image-builder


  • A GitHub Actions workflow that builds a Docker image and pushes it to AWS ECR, written because building images locally (especially multi-architecture builds) puts a heavy CPU/memory load on the machine.
  • Actions runners are unlimited and free for public repositories only, so juniors, feel free to fork or clone this and use it however you like~~

GitHub Actions OIDC with AWS ECR

AWS OIDC Provider

[image]

  • Provider URL: https://token.actions.githubusercontent.com
  • Audience: sts.amazonaws.com

[image]

IAM Role (ECR)

  • Role Name: GitHubActionsECRRole

A) Web Identity

[image]

B) Custom Trust Policy

  • Role Type: Custom trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:<ORG>/<REPO>:ref:refs/heads/main"
                }
            }
        }
    ]
}

  • Replace REPO with * (wildcard) if you want to allow all GitHub repositories under ORG to assume the role.

IAM Policy (ECR)

  • Policy Name: GitHubActionsECRPolicy (or GithubActionsImageBuilderPolicy)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ECRAuth",
            "Effect": "Allow",
            "Action": ["ecr:GetAuthorizationToken"],
            "Resource": "*"
        },
        {
            "Sid": "ECRPushPull",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": "arn:aws:ecr:<AWS_REGION>:<ACCOUNT_ID>:repository/<ECR_REPOSITORY>"
        },
        {
            "Sid": "S3ReadObject",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
        }
    ]
}

  • Replace ECR_REPOSITORY with * (wildcard) if you want to allow pushes to all ECR repositories in the account.
  • Replace BUCKET_NAME with the name of the S3 bucket where your GitHub repository ZIP file is stored. If you don't use S3, you can omit the S3 statement (only the builder-s3.yaml workflow uses S3).
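As an added example (not code from the nullforu/docker-image-builder repository), the following Python script renders the trust policy and the permissions policy above from placeholder values and checks them for the two loosenings the bullets describe: replacing REPO with * in the trust policy's sub condition, and replacing ECR_REPOSITORY with * in the permissions policy. The account id, org, repository, region and bucket values are constructed; the check functions and their finding strings are this example's own, not part of the project.

```python
# Added example, not part of the nullforu/docker-image-builder repository.
# Renders the README's two IAM documents from placeholder values and reports
# where a wildcard widens who can assume the role or which ECR repositories
# it can push to. All identifiers below are constructed placeholders.
from typing import Any, Dict, List

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list in Action, Resource and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy(account_id: str, org: str, repo: str, branch: str = "main") -> Dict:
    """The README's custom trust policy with <ACCOUNT_ID>/<ORG>/<REPO> filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{GITHUB_OIDC_HOST}:sub": f"repo:{org}/{repo}:ref:refs/heads/{branch}"},
            },
        }],
    }


def ecr_policy(region: str, account_id: str, ecr_repo: str, bucket: str) -> Dict:
    """The README's ECR/S3 permissions policy with its placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ECRAuth", "Effect": "Allow",
             "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
            {"Sid": "ECRPushPull", "Effect": "Allow",
             "Action": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                        "ecr:CompleteLayerUpload", "ecr:DescribeRepositories",
                        "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart"],
             "Resource": f"arn:aws:ecr:{region}:{account_id}:repository/{ecr_repo}"},
            {"Sid": "S3ReadObject", "Effect": "Allow",
             "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def check_trust_policy(doc: Dict) -> List[str]:
    """Findings for a role trust policy; an empty list means it is scoped to one repo/branch."""
    findings: List[str] = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{GITHUB_OIDC_HOST}"):
            findings.append(f"ERROR principal is not the GitHub OIDC provider: {federated!r}")
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get(f"{GITHUB_OIDC_HOST}:aud")
        if aud != "sts.amazonaws.com":
            findings.append(f"ERROR aud must be 'sts.amazonaws.com', got {aud!r}")
        subs: List[str] = []
        for op in ("StringEquals", "StringLike"):
            subs += _as_list(cond.get(op, {}).get(f"{GITHUB_OIDC_HOST}:sub"))
        if not subs:
            findings.append("ERROR no sub condition: any GitHub repository could assume the role")
        for sub in subs:
            if sub == "*" or sub.startswith("repo:*"):
                findings.append(f"ERROR sub {sub!r} admits every GitHub repository")
            elif not sub.startswith("repo:"):
                findings.append(f"ERROR sub {sub!r} is not a 'repo:' claim")
            elif "/*" in sub:
                findings.append(f"WARN sub {sub!r} admits every repository in the org")
    return findings


def check_permissions_policy(doc: Dict) -> List[str]:
    """Findings for the permissions policy attached to the role."""
    findings: List[str] = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        # ecr:GetAuthorizationToken has no resource-level scoping, so Resource "*"
        # is expected only in a statement that grants nothing else.
        if actions == ["ecr:GetAuthorizationToken"]:
            continue
        for action in actions:
            if action.endswith("*"):
                findings.append(f"WARN {sid}: wildcard action {action!r}")
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(f"ERROR {sid}: Resource '*' with actions {actions}")
            elif res.endswith(":repository/*"):
                findings.append(f"WARN {sid}: ECR actions allowed on every repository in the account")
    return findings


if __name__ == "__main__":
    scoped = trust_policy("123456789012", "example-org", "example-repo")
    org_wide = trust_policy("123456789012", "example-org", "*")  # REPO replaced with *
    print("trust (one repo):", check_trust_policy(scoped))
    print("trust (org-wide):", check_trust_policy(org_wide))
    print("ecr (all repos): ", check_permissions_policy(
        ecr_policy("ap-northeast-2", "123456789012", "*", "example-bucket")))
```

Run it as-is to see the scoped documents pass and the two wildcard variants produce WARN findings; point the check functions at `json.load`-ed copies of your real policies to review them the same way. The ECRAuth statement is deliberately skipped because ecr:GetAuthorizationToken only works with Resource "*".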

IAM Role Policy Attachment

[image]

Github Repository Secrets

  • AWS_REGION: ap-northeast-2
  • AWS_ACCOUNT_ID: <ACCOUNT_ID>
  • AWS_ROLE_NAME: GitHubActionsECRRole

How to Use

[images]
