我正在尝试访问跨账户 ecr 存储库。在 ECR repo(in account1) 权限中我已经设置了这个
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "new statement",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::account2:role/sagemaker-20210223074454252300000002"
]
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchDeleteImage",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:DescribeImages",
"ecr:DescribeRepositories",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:PutImage",
"ecr:UploadLayerPart"
]
}
]
}
然后在 account2 中创建了一个 IAM 角色 arn:aws:iam::account2:role/sagemaker-20210223074454252300000002。
data "aws_iam_policy_document" "sagemaker" {
statement {
effect = "Allow"
actions = [
"ecr:*"
]
resources = [
"*",
]
}
}
但是,我仍然无法访问 ecr。收到我没有访问权限的错误消息