Use docker image from private external registry in AWS ECS
I am trying to run an image hosted in my company's private registry on AWS ECS. According to AWS this is entirely possible, as long as I follow the guide at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html, specifically the "Enabling private registry authentication" section. I created a secret in AWS Secrets Manager named testSecret whose plaintext has the JSON structure given in the link above, e.g.:
{
    "username": "myuser",
    "password": "mypass"
}
I referenced it in the Secrets section of the ECS job definition under the name myRegistryCreds, and entered the ARN of the secret above in the Value From field.
Whenever I try to run the job, I get the following error:
CannotPullContainerError: Error response from daemon: Head "https://myprivateregistry.com/myrepo/helloworld/manifests/latest": no basic auth credentials
The policy attached to my execution role also mirrors the one in the AWS guide:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:<awsRegion>:<myAWSaccount>:secret:testSecret-CtEe8E",
                "arn:aws:kms:*:<myAWSaccount>:key/*"
            ]
        }
    ]
}
My job's task definition:
{
    "containerDefinitions": [
        {
            "name": "default",
            "image": "myprivatregistry.com/repo/helloworld:latest",
            "repositoryCredentials": {
                "credentialsParameter": "arn:aws:secretsmanager:us-east-1:AWSACCOUNT:role:secret:REGISTRYKEY"
            },
            "cpu": 2,
            "memory": 1000,
            "portMappings": [],
            "essential": true,
            "environment": [],
            "mountPoints": [],
            "volumesFrom": [],
            "linuxParameters": {
                "tmpfs": []
            },
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "/aws/batch/job",
                    "awslogs-region": "us-east-1",
                    "awslogs-stream-prefix": "hello-world"
                }
            }
        }
    ],
    "family": "hello-world",
    "executionRoleArn": "arn:aws:iam::AWSACCOUNT:role/ecsTaskExecutionRole"
}
Does anyone know what I am missing / how to use an image from an external private registry in AWS ECS?

Secrets Manager encrypts secrets by default - there is no option to store them as "plaintext".
Check whether the task execution role allows the kms:Decrypt action.
Based on the task definition you added, you are missing the repositoryCredentials section in the containerDefinitions array.
It should be:
{
    "taskDefinition": {
        "taskDefinitionArn": "arn:aws:ecs:aws-region:awsAccount:task-definition/my-task-definition:7",
        "containerDefinitions": [
            {
                "name": "default",
                "image": "myprivateregistry.com/myrepo/helloworld/manifests/latest",
                "repositoryCredentials": {
                    "credentialsParameter": "arn:aws:secretsmanager:aws-region:awsAccount:secret:testSecret-CtEe8E"
                },
                "cpu": 0,
                "memory": 1,
                "portMappings": [],
                "essential": true,
                "environment": [],
                "mountPoints": [],
                "volumesFrom": [],
                "linuxParameters": {
                    "tmpfs": []
                },
                "secrets": null,
                "logConfiguration": {
                    "logDriver": "awslogs",
                    "options": {
                        "awslogs-group": "/aws/batch/job",
                        "awslogs-region": "aws-region",
                        "awslogs-stream-prefix": "my-task-definition"
                    }
                }
            }
        ],
        "family": "my-task-definition",
        "executionRoleArn": "arn:aws:iam::awsAccount:role/ecsTaskExecutionRole",
        "networkMode": "host",
        "revision": 7,
        "volumes": [],
        "status": "ACTIVE",
        "requiresAttributes": [
            {
                "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
            },
            {
                "name": "ecs.capability.execution-role-awslogs"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
            },
            {
                "name": "ecs.capability.secrets.asm.environment-variables"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.22"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
            }
        ],
        "placementConstraints": [],
        "compatibilities": [
            "EXTERNAL",
            "EC2"
        ],
        "registeredAt": 1643130577.733,
        "registeredBy": "arn:aws:sts::awsAccount:assumed-role/AWSServiceRoleForBatch/aws-batch"
    }
}
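The answer above boils down to two wiring checks: the container must carry a repositoryCredentials.credentialsParameter that is a well-formed Secrets Manager ARN, and the execution role must be allowed secretsmanager:GetSecretValue on that exact ARN plus kms:Decrypt for the key that protects it. The script below, an added example that is not code from the question, the answer or the AWS documentation, makes those checks mechanical against a task definition and an execution-role policy held offline. The account id, region, ARNs and image names are constructed placeholders, and policy_allows is a deliberately small model of IAM evaluation (Allow/Deny with wildcards only, no Conditions); run it on the real JSON from `aws ecs describe-task-definition` and `aws iam get-role-policy` to see why a pull is anonymous before it fails with "no basic auth credentials".

```python
"""Offline sanity checks for ECS private-registry authentication (added example;
not code from the question, the answer or the AWS docs). Every ARN, account id
and image name below is a constructed placeholder."""
import fnmatch
import json
import re

ACCOUNT = "123456789012"  # constructed 12-digit account id
REGION = "us-east-1"
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:testSecret-CtEe8E"

# Execution-role policy shaped like the one in the question.
EXEC_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "secretsmanager:GetSecretValue"],
        "Resource": [SECRET_ARN, f"arn:aws:kms:*:{ACCOUNT}:key/*"],
    }],
}


def _task_def(image, creds_arn=None):
    """Build a minimal RegisterTaskDefinition input (constructed sample)."""
    container = {"name": "default", "image": image, "essential": True}
    if creds_arn is not None:
        container["repositoryCredentials"] = {"credentialsParameter": creds_arn}
    return {"family": "hello-world",
            "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole",
            "containerDefinitions": [container]}


# The ARN in the question carries a stray ":role" segment, so it is not a secret ARN.
TASK_DEF_FROM_QUESTION = _task_def(
    "myprivateregistry.com/myrepo/helloworld:latest",
    f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:role:secret:REGISTRYKEY")
# Same task definition pointing at the secret the policy actually grants.
TASK_DEF_FIXED = _task_def("myprivateregistry.com/myrepo/helloworld:latest", SECRET_ARN)


def parse_secret_arn(arn):
    """Split arn:<partition>:secretsmanager:<region>:<account>:secret:<name>;
    return its parts, or None when the ARN does not have that shape."""
    parts = arn.split(":")
    if len(parts) != 7 or parts[0] != "arn" or parts[2] != "secretsmanager" or parts[5] != "secret":
        return None
    region, account, name = parts[3], parts[4], parts[6]
    if not region or not name or not re.fullmatch(r"\d{12}", account):
        return None
    return {"region": region, "account": account, "name": name}


def policy_allows(policy, action, resource):
    """Minimal IAM evaluation: an explicit Deny wins, otherwise any matching Allow.
    Conditions, NotAction and NotResource are not modelled (assumption: plain policies)."""
    def matches(patterns, value):
        patterns = patterns if isinstance(patterns, list) else [patterns]
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)
    allowed = False
    for st in policy["Statement"]:
        if matches(st.get("Action", []), action) and matches(st.get("Resource", []), resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check_task_definition(task_def, policy):
    """Return findings that explain a 'no basic auth credentials' pull failure."""
    body = task_def.get("taskDefinition", task_def)  # accept describe-task-definition output too
    findings = []
    for c in body["containerDefinitions"]:
        name = c.get("name", "<unnamed>")
        arn = (c.get("repositoryCredentials") or {}).get("credentialsParameter")
        if not arn:
            findings.append(f"{name}: no repositoryCredentials, the pull is anonymous")
            continue
        parsed = parse_secret_arn(arn)
        if parsed is None:
            findings.append(f"{name}: credentialsParameter {arn!r} is not a Secrets Manager ARN")
            continue
        if not policy_allows(policy, "secretsmanager:GetSecretValue", arn):
            findings.append(f"{name}: execution role cannot GetSecretValue on {arn}")
        # The KMS key id is unknown offline, so probe with a placeholder id in the secret's region.
        kms = f"arn:aws:kms:{parsed['region']}:{parsed['account']}:key/placeholder-key-id"
        if not policy_allows(policy, "kms:Decrypt", kms):
            findings.append(f"{name}: execution role cannot kms:Decrypt in {parsed['region']}")
    if not body.get("executionRoleArn"):
        findings.append("no executionRoleArn: the agent has no role with which to read the secret")
    return findings


def check_secret_payload(secret_string):
    """The secret must be a JSON object carrying the username/password keys ECS reads."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError:
        return ["secret is not JSON"]
    return [f"secret is missing key {k!r}" for k in ("username", "password") if k not in data]


if __name__ == "__main__":
    for label, td in (("question", TASK_DEF_FROM_QUESTION), ("fixed", TASK_DEF_FIXED)):
        print(label, check_task_definition(td, EXEC_ROLE_POLICY) or ["ok"])
    print(check_secret_payload('{"username": "myuser", "password": "mypass"}') or ["secret ok"])
```

Two design points: the secret ARN in the policy must match the full name including the random suffix Secrets Manager appends (testSecret-CtEe8E in the question), so a policy written for a different region or a renamed secret produces a GetSecretValue finding rather than a silent anonymous pull; and the check for kms:Decrypt is only meaningful once the secret itself is well-formed, which is why the malformed ARN short-circuits the loop.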