无法通过“docker pull”从单独的帐户访问 ECR 存储库
Unable to access ECR repository from separate account via `docker pull`
我正在尝试允许一个 AWS 账户(下面称为 "second")在另一个 AWS 账户(下面称为 "first")的 ECR 存储库中提取图像。
我正在关注这些文档:
- https://docs.aws.amazon.com/AmazonECR/latest/userguide/RepositoryPolicyExamples.html(设置权限)
- https://aws.amazon.com/premiumsupport/knowledge-center/secondary-account-access-ecr/(获取代币)
我已将以下权限添加到 ECR 存储库:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<second>:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
然后我运行这个命令:eval "$(aws ecr get-login --no-include-email --region us-east-1 --profile second --registry-ids <second> <first>)"
我得到了这个结果:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
我暂时将商店更改为 config.json
只是为了确保我可以看到身份验证已按预期添加到文件中,它是:
{
"auths": {
"<second>.dkr.ecr.us-east-1.amazonaws.com": {
"auth": "<super long token>"
},
"<first>.dkr.ecr.us-east-1.amazonaws.com": {
"auth": "<super long token>"
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/18.09.0 (darwin)"
},
"stackOrchestrator": "swarm"
}
最后我 运行: docker pull <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>:<tag>
得到这个结果:
Error response from daemon: pull access denied for <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>, repository does not exist or may require 'docker login'
我已经三重检查了所有帐号是否正确,回购肯定在那里。如果我使用相同的 get-login
命令但 --profile first
.
登录,我就可以提取它
我不确定还要尝试什么才能拉出这张图片!
将 ECR 权限中的 Principal
更改为 "AWS": "arn:aws:iam::<second>:user/<user>"
没有任何区别。
您的第二个帐户是否在您的计算机上使用 IAM 用户?因为在您的政策中,您授予了第二个帐户访问权限的根用户:
"Principal": {
"AWS": "arn:aws:iam::<second>:root"
},
考虑在您的政策中将此更改为:
"Principal": {
"AWS": "arn:aws:iam::<second>:user/[nameofuser]"
},
我想通了——"second" 帐户中的 IAM 用户附加了一个限制其 ECR 访问的策略。政策是:
{
"Sid": "ECRAccess",
"Effect": "Allow",
"Action": "ecr:*",
"Resource": "arn:aws:ecr:us-east-1:<second>:repository/<unrelated-repo>"
}
因此,即使 "first" 帐户中的 ECR 存储库具有允许用户访问的权限,用户自己的帐户也会限制其访问单个不相关的存储库。
当我使用第一个账户的存储库 ARN 添加另一个部分时:
{
"Sid": "FirstAccountECRAccess",
"Effect": "Allow",
"Action": "ecr:*",
"Resource": "arn:aws:ecr:us-east-1:<first>:repository/<repo>"
}
然后docker pull
成功了!
我正在尝试允许一个 AWS 账户(下面称为 "second")在另一个 AWS 账户(下面称为 "first")的 ECR 存储库中提取图像。
我正在关注这些文档:
- https://docs.aws.amazon.com/AmazonECR/latest/userguide/RepositoryPolicyExamples.html(设置权限)
- https://aws.amazon.com/premiumsupport/knowledge-center/secondary-account-access-ecr/(获取代币)
我已将以下权限添加到 ECR 存储库:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountPull",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<second>:root"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
}
]
}
然后我运行这个命令:eval "$(aws ecr get-login --no-include-email --region us-east-1 --profile second --registry-ids <second> <first>)"
我得到了这个结果:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /Users/libby/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
我暂时将商店更改为 config.json
只是为了确保我可以看到身份验证已按预期添加到文件中,它是:
{
"auths": {
"<second>.dkr.ecr.us-east-1.amazonaws.com": {
"auth": "<super long token>"
},
"<first>.dkr.ecr.us-east-1.amazonaws.com": {
"auth": "<super long token>"
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/18.09.0 (darwin)"
},
"stackOrchestrator": "swarm"
}
最后我 运行: docker pull <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>:<tag>
得到这个结果:
Error response from daemon: pull access denied for <first>.dkr.ecr.us-east-1.amazonaws.com/<repo>, repository does not exist or may require 'docker login'
我已经三重检查了所有帐号是否正确,回购肯定在那里。如果我使用相同的 get-login
命令但 --profile first
.
我不确定还要尝试什么才能拉出这张图片!
将 ECR 权限中的 Principal
更改为 "AWS": "arn:aws:iam::<second>:user/<user>"
没有任何区别。
您的第二个帐户是否在您的计算机上使用 IAM 用户?因为在您的政策中,您授予了第二个帐户访问权限的根用户:
"Principal": {
"AWS": "arn:aws:iam::<second>:root"
},
考虑在您的政策中将此更改为:
"Principal": {
"AWS": "arn:aws:iam::<second>:user/[nameofuser]"
},
我想通了——"second" 帐户中的 IAM 用户附加了一个限制其 ECR 访问的策略。政策是:
{
"Sid": "ECRAccess",
"Effect": "Allow",
"Action": "ecr:*",
"Resource": "arn:aws:ecr:us-east-1:<second>:repository/<unrelated-repo>"
}
因此,即使 "first" 帐户中的 ECR 存储库具有允许用户访问的权限,用户自己的帐户也会限制其访问单个不相关的存储库。
当我使用第一个账户的存储库 ARN 添加另一个部分时:
{
"Sid": "FirstAccountECRAccess",
"Effect": "Allow",
"Action": "ecr:*",
"Resource": "arn:aws:ecr:us-east-1:<first>:repository/<repo>"
}
然后docker pull
成功了!