amazon-web-services - Cannot access an ECR repository from a separate account via `docker pull`

Reposted. Author: 行者123. Updated: 2023-12-04 15:06:16

I am trying to allow one AWS account (called "second" below) to pull images from an ECR repository in another AWS account (called "first" below).

I am following these docs:

  • https://docs.aws.amazon.com/AmazonECR/latest/userguide/RepositoryPolicyExamples.html (setting the permissions)
  • https://aws.amazon.com/premiumsupport/knowledge-center/secondary-account-access-ecr/ (getting the token)

I have added the following permissions to the ECR repository:

    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountPull",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<second>:root"
                },
                "Action": [
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:BatchGetImage",
                    "ecr:GetDownloadUrlForLayer"
                ]
            }
        ]
    }

Then I ran this command:

    eval "$(aws ecr get-login --no-include-email --region us-east-1 --profile second --registry-ids <second> <first>)"

and got this result:

    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded
    WARNING! Using --password via the CLI is insecure. Use --password-stdin.
    WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store

    Login Succeeded

I temporarily switched the credential store to config.json just to make sure I could see that the auth entries had been added to the file as expected; it contains:

    {
        "auths": {
            "<second>.dkr.ecr.us-east-1.amazonaws.com": {
                "auth": "<super long token>"
            },
            "<first>.dkr.ecr.us-east-1.amazonaws.com": {
                "auth": "<super long token>"
            }
        },
        "HttpHeaders": {
            "User-Agent": "Docker-Client/18.09.0 (darwin)"
        },
        "stackOrchestrator": "swarm"
    }

Finally I ran: docker pull <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>:<tag> and got this result:

    Error response from daemon: pull access denied for <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>, repository does not exist or may require 'docker login'

I have triple-checked that all the account IDs are correct, and the repo is definitely there. I can pull it if I log in with the same get-login command but with --profile first.

I don't know what else to try in order to pull this image!

Changing the Principal in the ECR permissions to "AWS": "arn:aws:iam::<second>:user/<user>" makes no difference.

Best Answer

I figured it out: the IAM user in the "second" account has a policy attached that restricts its ECR access. That policy is:

    {
        "Sid": "ECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": "arn:aws:ecr:us-east-1:<second>:repository/<unrelated-repo>"
    }

So even though the ECR repository in the "first" account has permissions allowing the user to access it, the user's own account restricts its access to a single unrelated repository.

When I added another statement using the repository ARN from the first account:

    {
        "Sid": "FirstAccountECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": "arn:aws:ecr:us-east-1:<first>:repository/<repo>"
    }

then docker pull works!
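As an added illustration (not from the post, and not AWS's real policy evaluator), the following toy Python model applies the cross-account rule the answer ran into: a pull from another account needs both the repository policy in the owning account and the caller's identity policy to allow each of the three pull actions. The account ids, the user name and the repository names are constructed placeholders, and Principal is assumed to be given as {"AWS": ...}.

```python
import fnmatch
# Constructed account ids standing in for the post's <first> and <second>.
FIRST, SECOND = "111111111111", "222222222222"
REPO_ARN = f"arn:aws:ecr:us-east-1:{FIRST}:repository/app"
CALLER = f"arn:aws:iam::{SECOND}:user/libby"
PULL_ACTIONS = ("ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_ok(stmt, caller):
    # Repository policy principal may name the caller's ARN or its account root.
    aws = _as_list(stmt.get("Principal", {}).get("AWS", []))
    account_root = "arn:aws:iam::%s:root" % caller.split(":")[4]
    return caller in aws or account_root in aws

def statement_allows(stmt, action, resource, caller=None):
    """Allow statement covering action and resource (and principal, when given)."""
    if stmt.get("Effect") != "Allow":
        return False
    if caller is not None and not _principal_ok(stmt, caller):
        return False
    return (_matches(stmt["Action"], action)
            and _matches(stmt.get("Resource", "*"), resource))

def cross_account_pull_allowed(repo_policy, identity_policy):
    """Cross-account rule: BOTH policies must allow. Returns actions still denied."""
    denied = []
    for action in PULL_ACTIONS:
        by_repo = any(statement_allows(s, action, REPO_ARN, CALLER)
                      for s in repo_policy["Statement"])
        by_identity = any(statement_allows(s, action, REPO_ARN)
                          for s in identity_policy["Statement"])
        if not (by_repo and by_identity):
            denied.append(action)
    return denied

# The post's repository policy in <first> and the user's identity policy in <second>.
REPO_POLICY = {"Version": "2008-10-17", "Statement": [
    {"Sid": "AllowCrossAccountPull", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{SECOND}:root"}, "Action": list(PULL_ACTIONS)}]}
IDENTITY_BEFORE = {"Statement": [
    {"Sid": "ECRAccess", "Effect": "Allow", "Action": "ecr:*",
     "Resource": f"arn:aws:ecr:us-east-1:{SECOND}:repository/unrelated"}]}
IDENTITY_AFTER = {"Statement": IDENTITY_BEFORE["Statement"] + [
    {"Sid": "FirstAccountECRAccess", "Effect": "Allow", "Action": "ecr:*", "Resource": REPO_ARN}]}
```

With IDENTITY_BEFORE every pull action is denied even though the repository policy allows it; with IDENTITY_AFTER nothing is denied, which is the situation the answer describes.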

Regarding amazon-web-services - Cannot access an ECR repository from a separate account via `docker pull`, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54096593/
