Commit 4b10ff8

author
Kopas
committed
Updated documentation with VPC details, changes to the access policy requirements and added an example
1 parent ab84eeb commit 4b10ff8

2 files changed

+65
-3
lines changed

.gitignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,3 +11,4 @@ manual_dist/**
1111
/build
1212
.idea/
1313
.vscode/
14+
.DS_Store

README.md

Lines changed: 64 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -20,12 +20,18 @@ Any additional arguments supported with `docker build` are supported
2020
sm-docker build . --file /path/to/Dockerfile --build-arg foo=bar
2121
```
2222

23-
By default, the image will be pushed to a repository `sagemakerstudio` with the tag `latest`, and use the Studio App's execution role and the default SageMaker Python SDK S3 bucket
23+
By default, the CodeBuild project will not run within a VPC, the image will be pushed to a repository `sagemakerstudio` with the tag `latest`, and use the Studio App's execution role and the default SageMaker Python SDK S3 bucket
2424

2525
These can be overridden with the relevant CLI options.
2626

2727
```bash
28-
sm-docker build . --repository mynewrepo:1.0 --role MyRoleName
28+
sm-docker build . --repository mynewrepo:1.0 --role MyRoleName --bucket MyBucketName --vpc-id MyVpcId --subnets MySubnetId1,MySubnetId2 --security-groups MySecurityGroup1,MySecurityGroup2
29+
```
30+
31+
For instance, please see the sample command with additional argument listed below:
32+
33+
```bash
34+
sm-docker build . --repository mynewrepo:1.0 --role SampleDockerBuildRole --bucket sagemaker-us-east-1-326543455535 --vpc-id vpc-0c70e76ef1c603b94 --subnets subnet-0d984f080338960bb,subnet-0ac3e96808c8092f2 --security-groups sg-0d31b4042f2902cd0
2935
```
3036

3137
The CLI will take care of packaging the current directory and uploading to S3, creating a CodeBuild project, starting a build with the S3 artifacts, tailing the build logs, and uploading the built image to ECR.
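Review bot: the worked example added at new line 34 embeds identifiers that look real rather than illustrative (a bucket `sagemaker-us-east-1-326543455535`, whose numeric suffix follows the SageMaker default-bucket convention of `sagemaker-<region>-<account-id>`, plus specific `vpc-`, `subnet-` and `sg-` IDs); replace them with obviously fake placeholders in the `MyVpcId` / `MySubnetId1` style already used two lines earlier so that an account number is not published in the README and readers do not paste someone else's resource IDs into their own command. The lead-in sentence on new line 31 ("For instance, please see the sample command with additional argument listed below:") reads awkwardly; "For example, a complete command that sets all of the optional arguments:" says the same thing. A short sentence stating what `--vpc-id` changes (the CodeBuild project runs inside that VPC, per new line 23) and that `--subnets` and `--security-groups` accompany it would also help, since the example currently shows the flags without explaining them.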
@@ -101,12 +107,39 @@ The following permissions are required in the execution role to execute a build
101107
"ecr:DescribeRepositories",
102108
"ecr:UploadLayerPart",
103109
"ecr:ListImages",
104-
"ecr:InitiateLayerUpload",
110+
"ecr:InitiateLayerUpload",
105111
"ecr:BatchCheckLayerAvailability",
106112
"ecr:PutImage"
107113
],
108114
"Resource": "arn:aws:ecr:*:*:repository/sagemaker-studio*"
109115
},
116+
{
117+
"Sid": "ReadAccessToPrebuiltAwsImages",
118+
"Effect": "Allow",
119+
"Action": [
120+
"ecr:BatchGetImage",
121+
"ecr:GetDownloadUrlForLayer"
122+
],
123+
"Resource": [
124+
"arn:aws:ecr:*:763104351884:repository/*",
125+
"arn:aws:ecr:*:217643126080:repository/*",
126+
"arn:aws:ecr:*:727897471807:repository/*",
127+
"arn:aws:ecr:*:626614931356:repository/*",
128+
"arn:aws:ecr:*:683313688378:repository/*",
129+
"arn:aws:ecr:*:520713654638:repository/*",
130+
"arn:aws:ecr:*:462105765813:repository/*"
131+
]
132+
},
133+
{
134+
"Sid": "EcrAuthorizationTokenRetrieval",
135+
"Effect": "Allow",
136+
"Action": [
137+
"ecr:GetAuthorizationToken"
138+
],
139+
"Resource": [
140+
"*"
141+
]
142+
},
110143
{
111144
"Effect": "Allow",
112145
"Action": "ecr:GetAuthorizationToken",
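Review bot: the new `EcrAuthorizationTokenRetrieval` statement (new lines 133-142) duplicates the pre-existing statement that immediately follows it in the context lines (`"Effect": "Allow"`, `"Action": "ecr:GetAuthorizationToken"`); keep only one of the two so the policy stays readable and reviewers of the role do not have to reconcile two grants for the same action. The change on lines 104-/110+ (`"ecr:InitiateLayerUpload",`) is whitespace-only and adds noise to the diff; revert it or keep it in a separate formatting commit. For the `ReadAccessToPrebuiltAwsImages` statement, a sentence in the surrounding prose naming what the seven account IDs are (the AWS-owned ECR registries that host the prebuilt SageMaker and Deep Learning Container base images) would let an operator justify the grant when the role is audited; pull-only actions (`ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`) on those registries are appropriate. Worth checking while here: the existing push statement is scoped to `arn:aws:ecr:*:*:repository/sagemaker-studio*`, but the earlier hunk documents the default repository as `sagemakerstudio` (no hyphen), which that pattern would not match.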
@@ -151,6 +184,34 @@ The following permissions are required in the execution role to execute a build
151184

152185
```
153186

187+
If you need to run your CodeBuild project within a VPC, please add the following actions to your execution role that the CodeBuild Project will assume:
188+
189+
```json
190+
{
191+
"Sid": "VpcAccessActions",
192+
"Effect": "Allow",
193+
"Action": [
194+
"ec2:CreateNetworkInterface",
195+
"ec2:CreateNetworkInterfacePermission",
196+
"ec2:DescribeDhcpOptions",
197+
"ec2:DescribeNetworkInterfaces",
198+
"ec2:DeleteNetworkInterface",
199+
"ec2:DescribeSubnets",
200+
"ec2:DescribeSecurityGroups",
201+
"ec2:DescribeVpcs"
202+
],
203+
"Resource": "*"
204+
},
205+
{
206+
"Sid":
207+
"Effect": "Allow",
208+
"Action": [
209+
"ec2:CreateNetworkInterfacePermission"
210+
],
211+
"Resource": "arn:aws:ec2:*:*:network-interface/*"
212+
}
213+
```
214+
154215
### Development
155216

156217
Checkout the repository.
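Review bot: the second statement in the new VPC block has a bare `"Sid":` with no value (new line 206), so the snippet is not valid JSON and will be rejected if pasted into an IAM policy; give it a name such as `"Sid": "VpcNetworkInterfacePermission",` or drop the key. `ec2:CreateNetworkInterfacePermission` is also listed in the first statement (new line 195) under `"Resource": "*"`, which makes the narrower second statement scoped to `arn:aws:ec2:*:*:network-interface/*` a no-op; remove it from the first action list so the scoped grant is the only one. The second statement would further benefit from a `Condition` limiting `ec2:AuthorizedService` to `codebuild.amazonaws.com` and `ec2:Subnet` to the subnets passed via `--subnets`, as in the AWS-documented CodeBuild VPC policy, so the role can only attach permissions to interfaces CodeBuild creates in the intended subnets. Finally, the sentence introducing the block says "add the following actions to your execution role that the CodeBuild Project will assume"; since the README's `--role` option names that role, saying "the role passed with `--role`" would make the target unambiguous.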
