无法通过docker pull从单独的帐户访问ECR存储库

时间:2019-01-08 17:10:43

标签: amazon-web-services docker aws-iam aws-ecr

我试图允许一个AWS帐户(以下称为“第二个”)在另一个AWS帐户(以下称为“第一个”)的ECR存储库中提取图像。

我正在关注以下文件:

我已向ECR存储库添加了以下权限:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<second>:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

然后我运行以下命令:eval "$(aws ecr get-login --no-include-email --region us-east-1 --profile second --registry-ids <second> <first>)"

我得到这个结果:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

我暂时将商店更改为config.json,只是为了确保可以看到身份验证已按预期添加到文件中,并且是:

{
        "auths": {
                "<second>.dkr.ecr.us-east-1.amazonaws.com": {
                        "auth": "<super long token>"
                },
                "<first>.dkr.ecr.us-east-1.amazonaws.com": {
                        "auth": "<super long token>"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/18.09.0 (darwin)"
        },
        "stackOrchestrator": "swarm"
}

最后我运行:docker pull <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>:<tag>并得到以下结果:

Error response from daemon: pull access denied for <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>, repository does not exist or may require 'docker login'

我已经三遍检查了所有帐号是否正确,回购肯定存在。如果我使用相同的get-login命令但--profile first登录,则可以拉出它。

我不确定还能尝试什么,以便我可以拉出这张照片!

将ECR权限中的Principal更改为"AWS": "arn:aws:iam::<second>:user/<user>"并没有任何区别。

2 个答案:

答案 0 :(得分:5)

我知道了-“第二个”帐户中的IAM用户附加了限制其ECR访问的策略。该政策是:

    {
        "Sid": "ECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": "arn:aws:ecr:us-east-1:<second>:repository/<unrelated-repo>"
    }

因此,即使“第一个”帐户中的ECR存储库具有允许用户访问的权限,用户自己的帐户也只能将其访问权限限制在一个不相关的存储库中。

当我使用第一个帐户的存储库ARN添加另一部分时:

    {
        "Sid": "FirstAccountECRAccess",
        "Effect": "Allow",
        "Action": "ecr:*",
        "Resource": "arn:aws:ecr:us-east-1:<first>:repository/<repo>"
    }

然后docker pull工作了!

答案 1 :(得分:0)

您的第二个帐户是否在您的计算机上使用IAM用户?在您的策略中,因为您授予第二个帐户的root用户访问权限:

"Principal": { "AWS": "arn:aws:iam::<second>:root" },

考虑在您的政策中将其更改为:

"Principal": { "AWS": "arn:aws:iam::<second>:user/[nameofuser]" },

相关问题
最新问题