push¶
Push a Docker image to AWS Elastic Container Registry (ECR).
Synopsis¶
Description¶
The push command uploads your locally built Docker image to AWS ECR, making it available for SageMaker training and deployment. The command handles ECR authentication and repository creation automatically.
Before pushing, the image must be built using the build command.
Options¶
| Option | Short | Type | Required | Default | Description |
|---|---|---|---|---|---|
--app-name | -a | string | No | Auto-detected | App name for configuration |
--aws-region | -r | string | No | From config | AWS region override |
--iam-role-arn | -i | string | No | None | IAM role ARN for authentication (mutually exclusive with --aws-profile) |
--aws-profile | -p | string | No | From config | AWS profile override (mutually exclusive with --iam-role-arn) |
--external-id | -e | string | No | None | External ID for IAM role assumption |
--docker-tag | -t | string | No | latest | Tag for the Docker image (global option, must come before command) |
Examples¶
Basic push with default settings¶
Push using configuration from {app_name}.json:
Push with specific AWS profile¶
Override the profile from config:
Push with IAM role¶
Use IAM role instead of profile:
Push with external ID¶
For cross-account access with external ID:
Push specific Docker tag¶
Push to different region¶
Push with all options¶
Output¶
The push process displays:
Started pushing Docker image to AWS ECR. It will take some time. Please, be patient...
[ECR authentication and push progress...]
Docker image pushed to ECR successfully!
The image will be available at:
Prerequisites¶
- Docker image built with
easy_sm build - AWS credentials configured (either profile or IAM role)
- Permissions to push to ECR:
ecr:CreateRepositoryecr:GetAuthorizationTokenecr:BatchCheckLayerAvailabilityecr:InitiateLayerUploadecr:UploadLayerPartecr:CompleteLayerUploadecr:PutImage
Authentication Methods¶
Method 1: AWS Profile (Recommended)¶
Use a profile from ~/.aws/credentials:
The profile should have ECR push permissions.
Method 2: IAM Role¶
Assume an IAM role for cross-account or temporary credentials:
Method 3: Config File¶
Use the profile specified in {app_name}.json:
Then simply:
Mutually Exclusive Options
You cannot use both --iam-role-arn and --aws-profile simultaneously. Choose one authentication method.
ECR Repository¶
The push command automatically:
- Creates repository if it doesn't exist (named after
image_namefrom config) - Authenticates with ECR using provided credentials
- Tags image with the full ECR URI
- Pushes layers to the repository
What Gets Pushed¶
The command pushes the Docker image built by easy_sm build, which includes:
- Your ML code and dependencies
- Python runtime
- Training and serving entry points
- All layers from the Dockerfile
Workflow Example¶
Complete workflow from build to push:
# 1. Build the image
easy_sm -t v1.0.0 build
# 2. Test locally (optional)
easy_sm -t v1.0.0 local train
# 3. Push to ECR
easy_sm -t v1.0.0 push
# 4. Train on SageMaker
export SAGEMAKER_ROLE=arn:aws:iam::123456789012:role/SageMakerRole
easy_sm -t v1.0.0 train \
-n my-training-job \
-e ml.m5.large \
-i s3://my-bucket/input \
-o s3://my-bucket/output
Troubleshooting¶
"AccessDeniedException" error¶
Problem: Insufficient permissions to push to ECR.
Solution: Ensure your IAM user/role has the required ECR permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:CreateRepository"
],
"Resource": "*"
}
]
}
"Image not found" error¶
Problem: Docker image doesn't exist locally.
Solution: Build the image first:
"RepositoryNotFoundException"¶
Problem: ECR repository doesn't exist and can't be auto-created.
Solution: Either: 1. Add ecr:CreateRepository permission 2. Manually create the repository:
"Only one of iam-role-arn and aws-profile can be used"¶
Problem: Specified both --iam-role-arn and --aws-profile.
Solution: Choose one authentication method:
# Use profile
easy_sm push -p dev
# OR use role
easy_sm push -i arn:aws:iam::123456789012:role/MyRole
Slow push times¶
Problem: Large image taking long to push.
Solution: 1. Minimize image size: Remove unnecessary dependencies 2. Use layer caching: Only changed layers are pushed on subsequent runs 3. Compress: Docker automatically compresses layers 4. Check network: Ensure stable internet connection
"Token has expired" error¶
Problem: AWS credentials expired during push.
Solution: Refresh credentials:
# For SSO profiles
aws sso login --profile dev
# For temporary credentials
# Re-export fresh credentials
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
Wrong region¶
Problem: Image pushed to wrong region.
Solution: Specify the correct region:
Or update your config file:
Cross-Account Access¶
To push to an ECR repository in a different AWS account:
- Create IAM role in the target account with ECR permissions
- Add trust relationship allowing your source account:
- Push with role and external ID:
Verifying the Push¶
After pushing, verify the image in ECR:
# List images in repository
aws ecr list-images \
--repository-name my-ml-app \
--profile dev
# Describe specific image
aws ecr describe-images \
--repository-name my-ml-app \
--image-ids imageTag=latest \
--profile dev
Image URI¶
After pushing, your image URI will be:
For example:
This URI is used internally by easy_sm commands that reference the image.
Related Commands¶
build- Build the Docker image before pushingtrain- Train on SageMaker using the pushed imagedeploy- Deploy using the pushed imageupdate-scripts- Update push script with latest version