我在不同的AWS账户中面临关于beanstalk和ECR的一些问题。
在“Dockerrun.aws.json”中,我尝试提取的图像属于另一个AWS账户(同一个组织但不同的账户ID)。
"Image": {
"Name": "XXXXXXX.dkr.ecr.eu-central-1.amazonaws.com/YYYYYYY",
"Update": "true"
},
在ECR权限中,我已经添加了允许beanstalk提取图像的策略(另一个AWS账户):
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "Allow webapp aws account",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ZZZZZZZZZZZ:root"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:DeleteRepository",
"ecr:BatchDeleteImage",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepositoryPolicy",
"ecr:GetLifecyclePolicy",
"ecr:PutLifecyclePolicy",
"ecr:DeleteLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:StartLifecyclePolicyPreview"
]
}
]
}
但是,我正在尝试构建Beanstalk环境,我仍然收到以下错误:
because: Failed to authenticate with ECR for registry 'XXXXXX' in 'eu-central-1' (ElasticBeanstalk::ExternalInvocationError)
caused by: Failed to authenticate with ECR for registry 'XXXXX' in 'eu-central-1' (Executor::NonZeroExitStatus
我想知道如何解决这个问题。如果我可以在dockerrun.aws.json中使用Authentication参数应该很棒。但不确定它是否适用于ECR,因为令牌在12小时后到期。
"Authentication": {
"Bucket": "elasticbeanstalk-eu-central-1-XXXXX",
"Key": "aws_credentials.json"
},
答案 0 :(得分:2)
当Elastic Beanstalk在部署过程中提取docker映像时,它将使用Elastic Beanstalk运行时环境的EC2实例配置文件。这意味着您将必须:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "ElasticBeanstalkApplicationInstance",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ZZZZZZZZZZZ:role/YourElasticBeanstalkApplicationIamRole-A1B2C3D4E5"
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
]
}
]
}
注意:据我所知,授予此类权限无法在管理控制台中完成,这意味着您必须使用CloudFormation进行此操作。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowEbAuth",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowPull",
"Effect": "Allow",
"Resource": [
"arn:aws:ecr:us-east-2:account-id:repository/repository-name"
],
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:BatchGetImage"
]
}
]
}