大三角帆+ ECR访问

时间:2019-11-22 23:42:20

标签: amazon-web-services kubernetes spinnaker ecr

我无法设置具有ECR访问权限的Spinnaker。

背景:我在EKS集群上使用头盔安装了大三角帆,并且已经确认该集群具有必要的ECR权限(通过从clouddriver pod内手动运行ECR命令)。我正在按照此处的说明设置Spinnaker + ECR:https://www.spinnaker.io/setup/install/providers/docker-registry/

问题:运行时:

hal config provider docker-registry account add my-ecr-registry \
--address $ADDRESS \
--username AWS \
--password-command "aws --region us-west-2 ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d | sed 's/^AWS://'"

我得到以下输出:

+ Get current deployment
  Success
- Add the some-ecr-registry account
  Failure
Problems in default.provider.dockerRegistry.some-ecr-registry:
- WARNING Resolved Password was empty, missing dependencies for
  running password command?
- WARNING You have a supplied a username but no password.
! ERROR Unable to fetch tags from the docker repository: code, 400
  Bad Request
? Can the provided user access this repository?
- WARNING None of your supplied repositories contain any tags.
  Spinnaker will not be able to deploy any docker images.
? Push some images to your registry.
Problems in halconfig:
- WARNING There is a newer version of Halyard available (1.28.0),
  please update when possible
? Run 'sudo apt-get update && sudo apt-get install
  spinnaker-halyard -y' to upgrade
- Failed to add account some-ecr-registry for provider
  dockerRegistry.
  • 我已确认aws-cli已安装在clouddriver pod上。而且我已经确认可以直接从clouddriver pod进行密码命令,并且该命令成功返回了令牌。
  • 我还确认,如果我手动生成ECR令牌并且run hal config provider docker-registry account add my-ecr-registry --address $ADDRESS --username AWS --password-command "echo $MANUALLY_GENERATED_TOKEN"一切正常。因此,密码命令有一些特定的地方出错了,我不确定如何调试它。
  • 另一种奇怪的行为:如果我将password命令简化为hal config provider docker-registry account add some-ecr-registry --address $ADDRESS --username AWS --repositories code --password-command "aws --region us-west-2 ecr get-authorization-token",则会得到一条额外的输出,内容为"- WARNING Password command returned non 0 return code stderr/stdout was:bash: aws: command not found"。仅针对此简化命令显示此输出。

任何有关如何调试此问题的建议将不胜感激。

2 个答案:

答案 0 :(得分:0)

我还在AKS上安装了Spinnaker,而我所做的只是通过使用具有正确的AWS IAM策略到ECR的AWS管理用户:*我可以直接访问ECR存储库。 我不认为基于Java的hal将在--password-command

中执行Bash命令。
  • 在三角帆部署中设置AWS ECS provider
  • 使用以下AWS IAM策略(SpinnakerManagingPolicy)附加到AWS MAnaging用户,以授予对ECR的访问权限。请根据您的需要替换AWS账户。
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "cloudformation:*",
                "ecr:*"                
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::123456789012:role/SpinnakerManagedRoleAccount1",
                "arn:aws:iam::101121314157:role/SpinnakerManagedRoleAccount2",
                "arn:aws:iam::202122232425:role/SpinnakerManagedRoleAccount3"
            ],
            "Effect": "Allow"
        }
    ]
}

答案 1 :(得分:0)

如果像我一样,您的ECR注册中心在另一个帐户中,那么您必须强行承担注册中心所在的目标帐户的角色

passwordCommand: read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< `aws sts assume-role --role-arn arn:aws:iam::<AWS_ACCOUNT>:role/<SPINNAKER ROLE_NAME> --query "[Credentials.AccessKeyId, Credentials.SecretAccessKey, Credentials.SessionToken]" --output text --role-session-name spinnakerManaged-w2`; export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; aws ecr get-authorization-token --region us-west-2 --output text --query 'authorizationData[].authorizationToken' --registry-ids <AWS_ACCOUNT> | base64 -d | sed 's/^AWS://'

贷记https://github.com/spinnaker/spinnaker/issues/5374#issuecomment-607468678

相关问题
最新问题