Docker 推送到 AWS ECR 私有存储库失败,格式错误 JSON
Docker push to AWS ECR private repo failing with malformed JSON
我正在试用 AWS ECR 并将新标签推送到我们的私有存储库。
它是这样的:
export DOCKER_REGISTRY=0123123123123.dkr.ecr.us-east-1.amazonaws.com
export TAG=0.1
docker build -t vendor/app-name .
`aws ecr get-login --region us-east-1`" # generates docker login
docker tag vendor/app-name $DOCKER_REGISTRY/vendor/app-name:$TAG
docker push $DOCKER_REGISTRY/vendor/app-name:$TAG
登录有效,标签已创建,我用 docker images 看到了它,但推送失败了。
The push refers to a repository [0123123123123.dkr.ecr.us-east-1.amazonaws.com/vendor/app-name] (len: 2)
b1a1d76b9e52: Pushing [==================================================>] 32 B/32 B
Error parsing HTTP response: unexpected end of JSON input: ""
这很可能是配置错误,但我不知道如何从中获得更多输出。该命令没有调试级别选项,没有其他日志,我无法拦截网络流量,因为它似乎已加密。
运行 进入同样的问题。对我来说,确保我推送的 IAM 用户具有 ecr:BatchCheckLayerAvailability 权限可以清除此问题。
我原本打算有一个 "push-only" 策略,但没有意识到需要此权限才能成功推送。
除了@Ethan 的回答:我试图找到将 docker 图像推送到 AWS 注册表所需的最小权限集。截至今天,最小集合是:
{
"Sid": "PushToEcr",
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": "*"
}
据我所知,Resource 必须是 *,因为其中一些操作在其他情况下不起作用。
欢迎改进!
您需要的最低政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ecr:UploadLayerPart",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:CompleteLayerUpload",
"ecr:BatchCheckLayerAvailability"
],
"Resource": "arn:aws:ecr:<your region>:<your account id>:repository/<your repository name>"
}
]
}
我正在试用 AWS ECR 并将新标签推送到我们的私有存储库。
它是这样的:
export DOCKER_REGISTRY=0123123123123.dkr.ecr.us-east-1.amazonaws.com
export TAG=0.1
docker build -t vendor/app-name .
`aws ecr get-login --region us-east-1`" # generates docker login
docker tag vendor/app-name $DOCKER_REGISTRY/vendor/app-name:$TAG
docker push $DOCKER_REGISTRY/vendor/app-name:$TAG
登录有效,标签已创建,我用 docker images 看到了它,但推送失败了。
The push refers to a repository [0123123123123.dkr.ecr.us-east-1.amazonaws.com/vendor/app-name] (len: 2)
b1a1d76b9e52: Pushing [==================================================>] 32 B/32 B
Error parsing HTTP response: unexpected end of JSON input: ""
这很可能是配置错误,但我不知道如何从中获得更多输出。该命令没有调试级别选项,没有其他日志,我无法拦截网络流量,因为它似乎已加密。
运行 进入同样的问题。对我来说,确保我推送的 IAM 用户具有 ecr:BatchCheckLayerAvailability 权限可以清除此问题。
我原本打算有一个 "push-only" 策略,但没有意识到需要此权限才能成功推送。
除了@Ethan 的回答:我试图找到将 docker 图像推送到 AWS 注册表所需的最小权限集。截至今天,最小集合是:
{
"Sid": "PushToEcr",
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": "*"
}
据我所知,Resource 必须是 *,因为其中一些操作在其他情况下不起作用。
欢迎改进!
您需要的最低政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ecr:UploadLayerPart",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:CompleteLayerUpload",
"ecr:BatchCheckLayerAvailability"
],
"Resource": "arn:aws:ecr:<your region>:<your account id>:repository/<your repository name>"
}
]
}