
I've created a Docker image using AWS SageMaker and am now trying to push said image to ECR. When I do `docker push ${fullname}` it retries a couple of times and then errors.

In CloudTrail I can see that I'm getting an access denied error with message:

"User: arn:aws:sts::xxxxxxxxxx:assumed-role/AmazonSageMaker-ExecutionRole-xxxxxxxxxxxx/SageMaker is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-x:xxxxxxxxxx:repository/image because no identity-based policy allows the ecr:InitiateLayerUpload action"

I have full permissions, but from the error message above it thinks the user is SageMaker and not me.

How do I change the user? I'm guessing that's the problem.

sam.hay
  • Does this answer your question? [Trying to BUILD & PUSH 'tfrecord-processing' Docker image AWS - User denied](https://stackoverflow.com/questions/66999402/trying-to-build-push-tfrecord-processing-docker-image-aws-user-denied) – MyStackRunnethOver Jul 18 '22 at 17:24
  • This question: was more along the lines of what I was looking for, thanks! https://stackoverflow.com/questions/50669991/aws-sagemaker-is-not-authorized-to-perform-ecrcreaterepository-on-resource/50684081#50684081 – sam.hay Jul 19 '22 at 18:07

1 Answer


When you're running commands from SageMaker, you're executing them as the SageMaker execution role, instead of your role. There are two options -

  1. [Straightforward solution] Add `ecr:InitiateLayerUpload` permissions to the `AmazonSageMaker-ExecutionRole-xxxxxxxxxxxx` role.
  2. Assume a different role using STS (in that case, `AmazonSageMaker-ExecutionRole-xxxxxxxxxxxx` needs to have permissions to assume your Admin role) and then run the `docker push` command.
durga_sury