Beanstalk pulling a container image from a different (ECR) AWS account

Time: 2018-05-16 10:11:43

Tags: elastic-beanstalk amazon-ecr

I'm running into some problems with Beanstalk and ECR living in different AWS accounts.

In "Dockerrun.aws.json", the image I'm trying to pull belongs to another AWS account (same organization, but a different account ID).

"Image": { "Name": "XXXXXXX.dkr.ecr.eu-central-1.amazonaws.com/YYYYYYY", "Update": "true" },

In the ECR permissions I have already added a policy that allows Beanstalk (the other AWS account) to pull the image:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Allow webapp aws account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ZZZZZZZZZZZ:root"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy",
                "ecr:GetLifecyclePolicy",
                "ecr:PutLifecyclePolicy",
                "ecr:DeleteLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:StartLifecyclePolicyPreview"
            ]
        }
    ]
}

However, when I try to build the Beanstalk environment, I still get the following error:

because: Failed to authenticate with ECR for registry 'XXXXXX' in 'eu-central-1' (ElasticBeanstalk::ExternalInvocationError)
caused by: Failed to authenticate with ECR for registry 'XXXXX' in 'eu-central-1' (Executor::NonZeroExitStatus

I'd like to know how to solve this. It would be great if I could use the Authentication parameter in dockerrun.aws.json, but I'm not sure it works with ECR, since the token expires after 12 hours.

  "Authentication": {
      "Bucket": "elasticbeanstalk-eu-central-1-XXXXX",
      "Key": "aws_credentials.json"
  },

1 answer:

Answer 0 (score: 2)

When Elastic Beanstalk pulls the Docker image during deployment, it uses the EC2 instance profile of the Elastic Beanstalk runtime environment. This means you will have to:

  1. Grant the instance profile permission to pull from the ECR repository. You end up with a policy document similar to the following:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "ElasticBeanstalkApplicationInstance",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ZZZZZZZZZZZ:role/YourElasticBeanstalkApplicationIamRole-A1B2C3D4E5"
            },
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ]
        }
    ]
}

Note: as far as I know, granting such permissions cannot be done in the management console, which means you must use CloudFormation to do it.

  2. Grant your Elastic Beanstalk runtime instances permission to get an authorization token and images from the repository. This is done by creating the following policy and attaching it to the "instance profile" role in IAM. (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.container.console.html#docker-images-ecr)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEbAuth",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "AllowPull",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ecr:us-east-2:account-id:repository/repository-name"
            ],
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:BatchGetImage"
            ]
        }
    ]
}
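The answer above depends on two policies agreeing: the repository policy in the account that owns the image and the identity policy on the instance profile role in the account that runs Beanstalk. The following is an added example, not code from the question, the answer or AWS: a small offline checker that models that two-sided evaluation and also flags the over-broad grants in the question's repository policy (PutImage, DeleteRepository, SetRepositoryPolicy and so on, which a pull never needs). Account IDs, the role name, the repository name and the constant names are constructed placeholders; the evaluator only understands Allow statements with "AWS" principals, plain action names and "*" wildcards, which is all these policies use, so it is not a general IAM evaluator.

```python
import fnmatch

# Constructed placeholders standing in for the redacted IDs in the thread.
REGISTRY_ACCOUNT = "111111111111"  # account that owns the ECR repository
APP_ACCOUNT = "222222222222"       # account running Elastic Beanstalk
ROLE_ARN = f"arn:aws:iam::{APP_ACCOUNT}:role/aws-elasticbeanstalk-ec2-role"
REPO_ARN = f"arn:aws:ecr:eu-central-1:{REGISTRY_ACCOUNT}:repository/webapp"

# The repository-scoped actions a pull needs (plus ecr:GetAuthorizationToken).
PULL_ACTIONS = {"ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"}

# Resource-based policy on the repository, set in the registry account (as in the answer).
REPO_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Sid": "ElasticBeanstalkApplicationInstance", "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN}, "Action": sorted(PULL_ACTIONS)}]}

# Identity-based policy attached to the instance profile role in the app account.
INSTANCE_PROFILE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEbAuth", "Effect": "Allow",
     "Action": ["ecr:GetAuthorizationToken"], "Resource": ["*"]},
    {"Sid": "AllowPull", "Effect": "Allow",
     "Action": sorted(PULL_ACTIONS), "Resource": [REPO_ARN]}]}

# A repository policy shaped like the question's: it hands a foreign account
# root write and delete rights although only a pull is wanted.
OVERBROAD_REPO_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{APP_ACCOUNT}:root"},
    "Action": sorted(PULL_ACTIONS) + ["ecr:PutImage", "ecr:DeleteRepository",
                                      "ecr:SetRepositoryPolicy"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match for Action/Resource entries."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    # Granting an account's root delegates to that account's own IAM policies,
    # so any role in that account passes here; its identity policy still applies.
    account_root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    return principal_arn in allowed or account_root in allowed or "*" in allowed


def resource_policy_allows(policy, principal_arn, action, resource_arn):
    """Does the repository policy grant `action` on `resource_arn` to the principal?"""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or not _principal_matches(st, principal_arn):
            continue
        # A repository policy has no Resource element; it applies to the repo it is set on.
        if _matches(st["Action"], action) and _matches(st.get("Resource", "*"), resource_arn):
            return True
    return False


def identity_policy_allows(policy, action, resource_arn):
    """Does the identity policy on the role allow `action` on `resource_arn`?"""
    return any(st.get("Effect") == "Allow"
               and _matches(st["Action"], action)
               and _matches(st["Resource"], resource_arn)
               for st in policy["Statement"])


def can_pull(repo_policy, identity_policy, principal_arn, repo_arn):
    """A cross-account pull succeeds only if BOTH sides allow it: the role's own
    identity policy (token call plus pull actions on the repo) and the
    repository policy in the owning account (pull actions for this principal)."""
    if not identity_policy_allows(identity_policy, "ecr:GetAuthorizationToken", "*"):
        return False
    return all(identity_policy_allows(identity_policy, action, repo_arn)
               and resource_policy_allows(repo_policy, principal_arn, action, repo_arn)
               for action in PULL_ACTIONS)


def excess_actions(repo_policy):
    """Actions a repository policy grants beyond what a pull requires."""
    granted = set()
    for st in repo_policy["Statement"]:
        if st.get("Effect") == "Allow":
            granted.update(_as_list(st["Action"]))
    return sorted(granted - PULL_ACTIONS)


if __name__ == "__main__":
    print("pull allowed:", can_pull(REPO_POLICY, INSTANCE_PROFILE_POLICY, ROLE_ARN, REPO_ARN))
    print("excess grants:", excess_actions(OVERBROAD_REPO_POLICY))
```

Removing either policy makes `can_pull` return False, which is the situation in the question: the repository policy alone, however broad, cannot authenticate the instance because the instance profile never received `ecr:GetAuthorizationToken` and the pull actions. `excess_actions` is the least-privilege check to run before setting a repository policy that names another account.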