gpt4 book ai didi

amazon-web-services - 如何在 ElasticBeanstalk Cloudformation 模板中为 IAM 用户配置对 ECR 的访问权限?

转载 作者:行者123 更新时间:2023-12-03 07:23:24 28 4
gpt4 key购买 nike

我有如下 Elastic Beanstalk 模板。我正在使用多容器 docker 。所以我单独将我的图像推送到ECR。在 Dockerrun.json 中,我像这样引用我的图像 "image": "*****.dkr.ecr.ap-south-1.amazonaws.com/*** ***:最新”。通过使用这个 CF 模板,我可以创建具有多容器的 ELB。但是在部署我的 Dockerrun.json 时,由于我的镜像的权限被拒绝,它失败了。因此,我将 Type: AWS::ECR::Repository 添加到我的云结构中。我的 CF 中已经有 MyInstanceProfile。这里我想给MyInstanceProfile添加ECR权限。那么如何为ElasticbeanStalk云组建模板分配ECR权限呢?

Resources:
sampleApplication:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Sample Application
sampleApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Application Version
SourceBundle:
S3Bucket: !Sub "elasticbeanstalk-ap-south-1-182107200133"
S3Key: TravelTouch/Dockerrun.aws.json
MyRepository:
Type: AWS::ECR::Repository
Properties:
RepositoryName: "test-repository"
RepositoryPolicyText:
Version: "2012-10-17"
Statement:
- Sid: AllowPushPull
Effect: Allow
Principal:
AWS:
/*
Here how to assign permission to MyInstanceProfile
*/
Action:
- "ecr:GetDownloadUrlForLayer"
- "ecr:BatchGetImage"
- "ecr:BatchCheckLayerAvailability"
- "ecr:PutImage"
- "ecr:InitiateLayerUpload"
- "ecr:UploadLayerPart"
- "ecr:CompleteLayerUpload"
sampleConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Configuration Template
OptionSettings:
- Namespace: aws:autoscaling:asg
OptionName: MinSize
Value: '2'
- Namespace: aws:autoscaling:asg
OptionName: MaxSize
Value: '6'
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: LoadBalanced
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value: !Ref MyInstanceProfile
SolutionStackName: 64bit Amazon Linux 2018.03 v2.26.0 running Multi-container Docker 19.03.13-ce (Generic)
sampleEnvironment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Environment
TemplateName:
Ref: sampleConfigurationTemplate
VersionLabel:
Ref: sampleApplicationVersion
MyInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Description: Beanstalk EC2 role
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
- arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
MyInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Roles:
- !Ref MyInstanceRole```

最佳答案

通常您会指定角色的 ARN:

            Principal:
AWS: !GetAtt MyInstanceRole.Arn

更新:

  MyInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Description: Beanstalk EC2 role
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
- arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
Policies:
- PolicyName: AllowGetAuthorizationToken
PolicyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECSAccess",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
],
"Resource": "*"
}
]
}

关于amazon-web-services - 如何在 ElasticBeanstalk Cloudformation 模板中为 IAM 用户配置对 ECR 的访问权限?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/68188226/

28 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com