I've created a docker image using AWS SageMaker and am now trying to push said image to ECR. When I do docker push ${fullname} it retries a couple of times and then errors.
In CloudTrail I can see that I'm getting an access denied error with message:
"User: arn:aws:sts::xxxxxxxxxx:assumed-role/AmazonSageMaker-ExecutionRole-xxxxxxxxxxxx/SageMaker is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-x:xxxxxxxxxx:repository/image because no identity-based policy allows the ecr:InitiateLayerUpload action"
I have full permissions, but from the error message above it thinks the user is SageMaker and not me.
How do I change the user? I'm guessing that's the problem.
When you're running commands from SageMaker, you're executing them as the SageMaker execution role, instead of your role. There are two options -
AmazonSageMaker-ExecutionRole-xxxxxxxxxxxx
role AmazonSageMaker-ExecutionRole-xxxxxxxxxxxx needs to have permissions to assume your Admin role) and then run docker push command.
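An added example, not part of the original question or answer: it parses the AccessDenied message quoted above to show which role the call actually ran as, then builds a repository-scoped identity policy for that role. It assumes you choose to grant the execution role push rights itself; the function names are hypothetical and the action list is the standard set ECR requires for an image push.

```python
import json
import re

# Constructed sample: the AccessDenied message quoted in the question (placeholders kept as-is).
MESSAGE = (
    "User: arn:aws:sts::xxxxxxxxxx:assumed-role/AmazonSageMaker-ExecutionRole-xxxxxxxxxxxx/SageMaker "
    "is not authorized to perform: ecr:InitiateLayerUpload on resource: "
    "arn:aws:ecr:us-east-x:xxxxxxxxxx:repository/image because no identity-based policy "
    "allows the ecr:InitiateLayerUpload action"
)

DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
    r" on resource: (?P<resource>\S+)"
)
ASSUMED_ROLE = re.compile(r"arn:aws:sts::(?P<account>[^:]+):assumed-role/(?P<role>[^/]+)/(?P<session>.+)")

# Repository-scoped actions that docker push needs against ECR.
PUSH_ACTIONS = [
    "ecr:BatchCheckLayerAvailability",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:PutImage",
]

def parse_denial(message):
    """Return the role name, session name, denied action and resource from the message."""
    m = DENIED.search(message)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    who = ASSUMED_ROLE.fullmatch(m["principal"])
    if not who:
        raise ValueError("caller is not an assumed-role session")
    return {"role": who["role"], "session": who["session"],
            "action": m["action"], "resource": m["resource"]}

def push_policy(repository_arn):
    """Least-privilege identity policy: registry login plus push to one repository."""
    return {"Version": "2012-10-17", "Statement": [
        # GetAuthorizationToken does not support resource-level scoping.
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow", "Action": PUSH_ACTIONS, "Resource": repository_arn},
    ]}

if __name__ == "__main__":
    denial = parse_denial(MESSAGE)
    print("attach to role:", denial["role"])
    print(json.dumps(push_policy(denial["resource"]), indent=2))
```

Scoping the second statement to the repository ARN from the denial keeps the execution role from pushing to any other repository in the account.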