AWS ECS任务失败,并显示:CannotPullContainerError

时间:2019-10-14 20:48:10

标签: amazon-web-services containers amazon-ecs

我是第一次使用AWS ECS服务,并且遇到了一些权限问题。我正在使用terraform创建任务定义和服务定义。

我的任务定义json配置:

  [
      {
          "dnsSearchDomains": null,
          "logConfiguration": null,
          "portMappings": [
            {
                "containerPort": 80,
                "hostPort": 0,
                "protocol": "tcp"
            }
          ],
          "entryPoint": [
            "httpd",
            "-DFOREGROUND"
          ],
          "command": null,
          "linuxParameters": null,
          "cpu": 0,
          "resourceRequirements": null,
          "ulimits": null,
          "dnsServers": null,
          "mountPoints": [],
          "workingDirectory": null,
          "secrets": [
            ...my_secrets..
          ],
          "dockerSecurityOptions": null,
          "memory": 350,
          "memoryReservation": null,
          "volumesFrom": [],
          "stopTimeout": null,
          "image": "${api_image}",
          "startTimeout": null,
          "dependsOn": null,
          "disableNetworking": null,
          "interactive": null,
          "healthCheck": null,
          "essential": true,
          "links": null,
          "hostname": null,
          "extraHosts": null,
          "pseudoTerminal": null,
          "user": null,
          "readonlyRootFilesystem": null,
          "dockerLabels": null,
          "systemControls": null,
          "privileged": null,
          "name": "myApp"
        }
    ]

我为任务定义iam_role.tf创建的IAM角色:

resource "aws_iam_role" "api" {
  name = "api-${var.environment}"
  assume_role_policy = "${file("../../policies/iam_ecs_role.json")}"

  tags = {
      terraform = true
  }
}

# Attach SSM read only policy to read from param store.
resource "aws_iam_role_policy_attachment" "attach-ssm" {
    role        = "${aws_iam_role.api.name}"
    policy_arn  = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
}

# Attach policy to allow read and push from ECR. 
resource "aws_iam_role_policy_attachment" "attach-ecs-task" {
    role        = "${aws_iam_role.api.name}"
    policy_arn  = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Attach policy to allow access to KSM to decrypt ssm values. 
resource "aws_iam_role_policy_attachment" "attach-ksm" {
    role        = "${aws_iam_role.api.name}"
    policy_arn  = "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser"
}

resource "aws_iam_role_policy_attachment" "attach-admin" {
    role        = "${aws_iam_role.api.name}"
    policy_arn  = "arn:aws:iam::aws:policy/AdministratorAccess"
}

以及先前角色资源中的策略json文件:

{
    "Version": "2008-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Principal": {
          "Service": [
              "ecs.amazonaws.com", 
              "ec2.amazonaws.com",
              "ecs-tasks.amazonaws.com"
            ]
        },
        "Effect": "Allow"
      }
    ]
  }

因此,我所担任的角色具有以下政策: enter image description here

我遇到的问题是,当我启动将服务部署到群集时,在任务中出现以下错误:

  

CannotPullContainerError:来自守护程序的错误响应:xxxxxxxxx.xxx.ecr.us-east-1.amazonaws.com/my-image的拉式访问被拒绝,存储库不存在或可能需要“ docker登录”

我似乎无法弄清楚为什么任务无法从ecr中提取。启动容器的实例存在于公共子网中,并且具有公共ip,因此它肯定可以访问Internet。我在这里想念什么?

1 个答案:

答案 0 :(得分:0)

您应该在ECS Task Execution IAM Role中获得ECR的许可。

这是任务执行角色的示例策略。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
  

请参阅:

     

这里是AWS Document关于ecs任务执行角色