- Building Docker images locally puts a heavy CPU/memory load on the machine (especially multi-architecture builds), so this is a GitHub Actions workflow I wrote that builds the image and pushes it to AWS ECR.
- Actions runners are unlimited and free for public repositories only, so juniors are welcome to fork or clone this and use it however they like~~
- Provider URL: `https://token.actions.githubusercontent.com`
- Audience: `sts.amazonaws.com`
- Role Name: `GitHubActionsECRRole`
- Role Type: Custom trust policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:<ORG>/<REPO>:ref:refs/heads/main"
        }
      }
    }
  ]
}
```

`<REPO>` should be replaced with `*` (wildcard) if you want to allow all GitHub repositories under `<ORG>` (on their `main` branch).
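To see exactly which workflows a given `sub` pattern lets assume the role, here is an added Python example (not part of this repository) that reproduces the `StringEquals`/`StringLike` matching IAM applies to the GitHub OIDC token's `aud` and `sub` claims. The account id, organisation and repository names, and the sample token claims, are constructed placeholders.

```python
"""Simulate the Condition block of the GitHub OIDC trust policy.

Added example, not code from this repository. Builds the README's trust
policy with a concrete `sub` pattern and evaluates constructed GitHub
token claims against it, using the same StringEquals/StringLike rules
IAM applies to sts:AssumeRoleWithWebIdentity.
"""
import re

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account
ORG = "example-org"          # constructed placeholder
AUDIENCE = "sts.amazonaws.com"


def make_trust_policy(sub_pattern):
    """Return the README's trust policy with `sub_pattern` as the StringLike value."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/"
                                       "token.actions.githubusercontent.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"token.actions.githubusercontent.com:aud": AUDIENCE},
                "StringLike": {"token.actions.githubusercontent.com:sub": sub_pattern},
            },
        }],
    }


def _string_like(pattern, value):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one,
    # everything else is literal and the whole value must match.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


_OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": _string_like,
}


def assume_role_allowed(policy, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity has every condition satisfied."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        conditions_hold = True
        for operator, keys in stmt.get("Condition", {}).items():
            if operator not in _OPERATORS:
                raise ValueError(f"unsupported condition operator: {operator}")
            for key, expected in keys.items():
                claim = key.split(":", 1)[1]   # "…githubusercontent.com:sub" -> "sub"
                patterns = expected if isinstance(expected, list) else [expected]
                actual = claims.get(claim, "")
                if not any(_OPERATORS[operator](p, actual) for p in patterns):
                    conditions_hold = False
        if conditions_hold:
            return True
    return False


# Constructed token claims for a few workflow situations (not real tokens).
SAMPLE_CLAIMS = {
    "main push, same repo": {"aud": AUDIENCE, "sub": f"repo:{ORG}/image-builder:ref:refs/heads/main"},
    "feature branch":       {"aud": AUDIENCE, "sub": f"repo:{ORG}/image-builder:ref:refs/heads/feature"},
    "pull request":         {"aud": AUDIENCE, "sub": f"repo:{ORG}/image-builder:pull_request"},
    "sibling repo":         {"aud": AUDIENCE, "sub": f"repo:{ORG}/other-repo:ref:refs/heads/main"},
    "foreign org":          {"aud": AUDIENCE, "sub": "repo:someone-else/image-builder:ref:refs/heads/main"},
    "wrong audience":       {"aud": f"https://github.com/{ORG}", "sub": f"repo:{ORG}/image-builder:ref:refs/heads/main"},
}


def admitted(sub_pattern):
    """Names of the sample tokens that `sub_pattern` allows to assume the role."""
    policy = make_trust_policy(sub_pattern)
    return sorted(name for name, claims in SAMPLE_CLAIMS.items()
                  if assume_role_allowed(policy, claims))


if __name__ == "__main__":
    for pattern in (f"repo:{ORG}/image-builder:ref:refs/heads/main",   # README default
                    f"repo:{ORG}/*:ref:refs/heads/main",               # <REPO> -> *
                    "repo:*"):                                         # everything
        print(f"{pattern}\n  -> {admitted(pattern)}")
```

The audience check is what stops a token minted for some other relying party from being replayed against STS, and the `sub` pattern is the only thing that ties the role to your repository and branch; the run shows how each widening of the pattern (single repo, then `<ORG>/*`, then `repo:*`) grows the set of workflows that can push to your ECR registry.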
- Policy Name: `GitHubActionsECRPolicy` (or `GithubActionsImageBuilderPolicy`)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRAuth",
      "Effect": "Allow",
      "Action": ["ecr:GetAuthorizationToken"],
      "Resource": "*"
    },
    {
      "Sid": "ECRPushPull",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeRepositories",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "arn:aws:ecr:<AWS_REGION>:<ACCOUNT_ID>:repository/<ECR_REPOSITORY>"
    },
    {
      "Sid": "S3ReadObject",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
    }
  ]
}
```

`<ECR_REPOSITORY>` should be replaced with `*` (wildcard) if you want to allow all ECR repositories. `<BUCKET_NAME>` should be replaced with the name of the S3 bucket where your GitHub repository ZIP file is stored. If you don't use S3, you can omit the S3 permissions (only the `builder-s3.yaml` workflow uses S3).
- `AWS_REGION`: `ap-northeast-2`
- `AWS_ACCOUNT_ID`: `<ACCOUNT_ID>`
- `AWS_ROLE_NAME`: `GitHubActionsECRRole`