Trying to build and push the "tfrecord-processing" Docker image to AWS - user denied

Time: 2021-04-08 07:42:17

Tags: amazon-web-services docker amazon-sagemaker amazon-ecr

I am following this tutorial: https://aws.amazon.com/blogs/machine-learning/training-and-deploying-models-using-tensorflow-2-with-the-object-detection-api-on-amazon-sagemaker/ and I am trying to build and push the tfrecord-processing Docker image by executing the following command:

!sh ./docker/build_and_push.sh $image_name

Everything seems to go well until the end:

Step 6/7 : COPY code /opt/program
 ---> 68bc931b454c
Step 7/7 : ENTRYPOINT ["python3", "/opt/program/prepare_data.py"]
 ---> Running in 68fa1cac7cae
Removing intermediate container 68fa1cac7cae
 ---> 769c873f471c
Successfully built 769c873f471c
Successfully tagged tfrecord-processing:latest
Pushing image to ECR 382599840224.dkr.ecr.us-east-2.amazonaws.com/tfrecord-processing:latest
The push refers to repository [382599840224.dkr.ecr.us-east-2.amazonaws.com/tfrecord-processing]

f2a18981: Preparing 
0de55568: Preparing 
2361f986: Preparing 
4b3288d4: Preparing 
e55f84c6: Preparing 
b0f92c14: Preparing 
cf4cd527: Preparing 
c1f74e01: Preparing 
9e4b0fc9: Preparing 
e3b79e0a: Preparing 
e43735a0: Preparing 
3918ca41: Preparing 
768f66a4: Preparing 
d332a58a: Preparing 
f11cbf29: Preparing 
a4b22186: Preparing 
afb09dc3: Preparing 
b5a53aac: Preparing 
c8e5063e: Preparing 
e4b0fc9: Waiting g denied: User: arn:aws:sts::382599840224:assumed-role/AmazonSageMaker-ExecutionRole-20210306T151543/SageMaker is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-2:382599840224:repository/tfrecord-processing

Here is the code for build_and_push.sh:

#!/usr/bin/env bash

# This script shows how to build the Docker image and push it to ECR to be ready for use
# by SageMaker.

# The argument to this script is the image name. This will be used as the image on the local
# machine and combined with the account and region to form the repository name for ECR.
image=$1

if [[ "$image" == "" ]]
then
    echo "Usage: $0 <image-name>"
    exit 1
fi

# Get the account number associated with the current IAM credentials
account=$(aws sts get-caller-identity --query Account --output text)
if [[ $? -ne 0 ]]
then
    exit 25
fi

# Get the region defined in the current configuration (default to us-west-2 if none defined)
region=$(aws configure get region)
fullname="${account}.dkr.ecr.${region}.amazonaws.com/${image}:latest"

# If the repository doesn't exist in ECR, create it.
aws ecr describe-repositories --repository-names "${image}" > /dev/null 2>&1
if [[ $? -ne 0 ]]
then
    aws ecr create-repository --repository-name "${image}" > /dev/null
fi

# Get the login command from ECR and execute it directly
$(aws ecr get-login --region ${region} --no-include-email)

# Build the docker image locally with the image name and then push it to ECR
# with the full name.
cd docker/

echo "Building image with name ${image}"
docker build --no-cache -t ${image} -f Dockerfile .
docker tag ${image} ${fullname}

echo "Pushing image to ECR ${fullname}"
docker push ${fullname}

# Writing the image name to let the calling process extract it without manual intervention:
echo "${fullname}" > ecr_image_fullname.txt

I think I need to set up some role for my user, but I'm not sure which role or where. Please help.

2 answers:

Answer 0: (score: 1)

I wonder if the issue you are seeing is due to:

# Get the login command from ECR and execute it directly
$(aws ecr get-login --region ${region} --no-include-email)

This is supposed to spit out the docker login command and execute it directly (as the comment says).

You may want to try it outside the script to see whether it produces any errors or constructive messages.

One reason this might not work is that this CLI command (aws ecr get-login) is only available in CLI v1. If you are using CLI v2, you need to use the aws ecr get-login-password command. See here for the full syntax.

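[Update] I contacted the team that wrote the blog/repository, and they fixed the command to reflect AWS CLI v2 syntax. Apparently, after the blog was published, the SM Notebook was updated to include the new CLI, and the command needed to be updated. The repo should now have the "fix".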

Answer 1: (score: 0)

According to https://stackoverflow.com/a/50684081/11262633, add Elastic Container Registry to the policy AmazonSageMaker-ExecutionPolicy in IAM.

I had to edit the JSON manually - the visual editor did not save my changes.
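
The policy edit described in the second answer, narrowed to the one repository named in the error, as an added example (not code from either answer or from the AWS blog): it reads the role, action and resource out of the denial message quoted in the question and builds a policy scoped to that repository. The action list is the set ECR requires for an image push plus the two repository calls build_and_push.sh makes; the function names are hypothetical.

```python
import json
import re

# Denial text copied from the push output in the question (the part after "denied:").
DENIED = ("User: arn:aws:sts::382599840224:assumed-role/"
          "AmazonSageMaker-ExecutionRole-20210306T151543/SageMaker "
          "is not authorized to perform: ecr:InitiateLayerUpload on resource: "
          "arn:aws:ecr:us-east-2:382599840224:repository/tfrecord-processing")

DENIED_RE = re.compile(
    r"User: arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/\s]+)/\S+ "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+) "
    r"on resource: (?P<resource>arn:aws:ecr:[\w-]+:\d{12}:repository/\S+)")

# Repository-scoped actions that `docker push` needs, plus the describe/create
# calls build_and_push.sh makes before pushing.
PUSH_ACTIONS = [
    "ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage",
    "ecr:DescribeRepositories", "ecr:CreateRepository",
]

def parse_denied(message):
    """Return the account, role, action and resource named in an ECR denial."""
    m = DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an assumed-role ECR access-denied message")
    return m.groupdict()

def push_policy(message):
    """Build an IAM policy limited to the repository named in the denial."""
    info = parse_denied(message)
    if info["action"] not in PUSH_ACTIONS:
        raise ValueError(f"{info['action']} is not part of an image push")
    return {
        "Version": "2012-10-17",
        "Statement": [
            # GetAuthorizationToken does not support resource-level scoping.
            {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {"Effect": "Allow", "Action": PUSH_ACTIONS, "Resource": info["resource"]},
        ],
    }

if __name__ == "__main__":
    print("Attach to role:", parse_denied(DENIED)["role"])
    print(json.dumps(push_policy(DENIED), indent=2))
```

The printed JSON is in the form the IAM console's JSON editor accepts for the execution role's policy.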