amazon-iamamazon-sagemakeramazon-ecrdocker-push

AccessDenied error when pushing docker image from SageMaker to ECR


I've created a docker image using AWS SageMaker and am now trying to push said image to ECR. When I do docker push ${fullname} it retries a couple of times and then errors.

In CloudTrail I can see that I'm getting an access denied error with message:

"User: arn:aws:sts::xxxxxxxxxx:assumed-role/AmazonSageMaker-ExecutionRole-xxxxxxxxxxxx/SageMaker is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-x:xxxxxxxxxx:repository/image because no identity-based policy allows the ecr:InitiateLayerUpload action"

I have full permissions, but from the error message above it thinks the user is SageMaker and not me.

How do I change the user? I'm guessing that's the problem.


Solution

  • When you're running commands from SageMaker, you're executing them as the SageMaker execution role, instead of your role. There are two options -

    1. [Straighforward solution] Add ecr:InitiateLayerUpload permissions to the AmazonSageMaker-ExecutionRole-xxxxxxxxxxxx role
    2. Assume a different role using sts (in that case, AmazonSageMaker-ExecutionRole-xxxxxxxxxxxx needs to have permissions to assume your Admin role) and then run docker push command.