IBMStockTrader / trader

UI microservice for the Stock Trader app
Apache License 2.0

Push images to Amazon ECR #22

Closed rtclauss closed 2 years ago

rtclauss commented 2 years ago

This PR adds building and pushing container images to AWS ECR. There are some important things to note.

1) This PR uses Secret Access Key and ID to authenticate with AWS ECR. This is because our account does not have a federated OIDC provider configured, so we cannot use the assume-to-role authentication mechanism of the authentication mechanism (outlined here). As such, using principles of Grant Least Privilege, it's recommended to create an IAM user per repository, a group per repository, and a policy per repository that only grants access to a single ECR Repository. This is outlined in the ECR Login Action documentation.

2) Make sure you create two environment secrets, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, to enable GH Actions to push to your repo.

3) The image repos must already exist in ECR before you can start building.

4) This will push to your default ECR registry. If you want to use a different registry you must specify it.
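An added example, not part of the PR or the project's code: a small Python check that an IAM policy document for the CI user reaches only a single ECR repository, as the per-repository policy recommended above requires. The account ID, region, repository name and the push action list are constructed assumptions.

```python
# Constructed values: account ID, region and repository name are placeholders.
REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/trader"
# ecr:GetAuthorizationToken has no resource-level scoping; it must use "*".
ACCOUNT_WIDE_OK = {"ecr:getauthorizationtoken"}
# Assumed action set for a push-only CI user.
PUSH_ACTIONS = ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"]

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Action": PUSH_ACTIONS, "Resource": REPO_ARN},
]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"},
]}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def audit_ecr_policy(policy, repo_arn):
    """Return findings for Allow statements that reach beyond repo_arn."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: grants by exclusion (NotAction/NotResource)")
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        for action in actions:
            if "*" in action or "?" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif not action.startswith("ecr:"):
                findings.append(f"statement {i}: non-ECR action {action!r}")
        # Every action other than the login call must be pinned to the one repo.
        if any(a not in ACCOUNT_WIDE_OK for a in actions):
            for res in _as_list(stmt.get("Resource", [])):
                if res != repo_arn:
                    findings.append(f"statement {i}: resource {res!r} is not {repo_arn}")
    return findings


if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_ecr_policy(doc, REPO_ARN) or "OK")
```

The login call is the only statement allowed to use `"Resource": "*"`; anything else with a wildcard or a second repository ARN is reported.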