Trying to BUILD & PUSH ‘tfrecord-processing’ Docker image AWS – User denied

I am following this tutorial right here: https://aws.amazon.com/blogs/machine-learning/training-and-deploying-models-using-tensorflow-2-with-the-object-detection-api-on-amazon-sagemaker/ and I am trying to build and push tfrecord-processing docker image by executing following command:

!sh ./docker/build_and_push.sh $image_name

Everything seems to go fine until very end:

Step 6/7 : COPY code /opt/program
 ---> 68bc931b454c
Step 7/7 : ENTRYPOINT ["python3", "/opt/program/prepare_data.py"]
 ---> Running in 68fa1cac7cae
Removing intermediate container 68fa1cac7cae
 ---> 769c873f471c
Successfully built 769c873f471c
Successfully tagged tfrecord-processing:latest
Pushing image to ECR 382599840224.dkr.ecr.us-east-2.amazonaws.com/tfrecord-processing:latest
The push refers to repository [382599840224.dkr.ecr.us-east-2.amazonaws.com/tfrecord-processing]

f2a18981: Preparing 
0de55568: Preparing 
2361f986: Preparing 
4b3288d4: Preparing 
e55f84c6: Preparing 
b0f92c14: Preparing 
cf4cd527: Preparing 
c1f74e01: Preparing 
9e4b0fc9: Preparing 
e3b79e0a: Preparing 
e43735a0: Preparing 
3918ca41: Preparing 
768f66a4: Preparing 
d332a58a: Preparing 
f11cbf29: Preparing 
a4b22186: Preparing 
afb09dc3: Preparing 
b5a53aac: Preparing 
c8e5063e: Preparing 
e4b0fc9: Waiting g denied: User: arn:aws:sts::382599840224:assumed-role/AmazonSageMaker-ExecutionRole-20210306T151543/SageMaker is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-2:382599840224:repository/tfrecord-processing

Here is the code for build_and_push.sh

#!/usr/bin/env bash

# This script shows how to build the Docker image and push it to ECR to be ready for use
# by SageMaker.

# The argument to this script is the image name. This will be used as the image on the local
# machine and combined with the account and region to form the repository name for ECR.
image=$1

if [[ "$image" == "" ]]
then
    echo "Usage: $0 <image-name>"
    exit 1
fi

# Get the account number associated with the current IAM credentials
account=$(aws sts get-caller-identity --query Account --output text)
if [[ $? -ne 0 ]]
then
    exit 25
fi

# Get the region defined in the current configuration (default to us-west-2 if none defined)
region=$(aws configure get region)
fullname="${account}.dkr.ecr.${region}.amazonaws.com/${image}:latest"

# If the repository doesn't exist in ECR, create it.
aws ecr describe-repositories --repository-names "${image}" > /dev/null 2>&1
if [[ $? -ne 0 ]]
then
    aws ecr create-repository --repository-name "${image}" > /dev/null
fi

# Get the login command from ECR and execute it directly
$(aws ecr get-login --region ${region} --no-include-email)

# Build the docker image locally with the image name and then push it to ECR
# with the full name.
cd docker/

echo "Building image with name ${image}"
docker build --no-cache -t ${image} -f Dockerfile .
docker tag ${image} ${fullname}

echo "Pushing image to ECR ${fullname}"
docker push ${fullname}

# Writing the image name to let the calling process extract it without manual intervention:
echo "${fullname}" > ecr_image_fullname.txt

I guess I need to set some roles for my user, but not sure which or where. Please help.

Source: Docker Questions

LEAVE A COMMENT