使用 ECS Fargate 和 Terraform 访问私有 docker 注册表
Access a private docker registry with ECS Fargate and Terraform
我需要我的 ECS 任务定义来包含我的私有 Docker 注册表的凭据,如果可能的话使用一个简单的令牌,或者 user:password.
下面是我的代码:
resource "aws_secretsmanager_secret" "docker_registry_secret" {
name_prefix = "/my_environment/registry/pwd"
}
resource "aws_secretsmanager_secret_version" "docker_registry_secret_version" {
secret_id = aws_secretsmanager_secret.docker_registry_secret.id
secret_string = xxxMYTOKENxxx
}
resource "aws_iam_role_policy" "password_policy_secretsmanager" {
name = "${var.task_name}-secretsmanager"
role = aws_iam_role.MY_ECS_ROLE.id
policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": [
"${aws_secretsmanager_secret.docker_registry_secret.arn}",
]
}
]
}
EOF
}
resource "aws_ecs_task_definition" "task_to_be_scheduled" {
.....
....
requires_compatibilities = ["FARGATE"]
network_mode = "awsvpc"
container_definitions = jsonencode([
{
"repositoryCredentials" : {
"credentialsParameter" : aws_secretsmanager_secret.docker_registry_secret.arn
},
....
....
])
}
但是,当我启动我的任务时,我的 ECS 上出现以下错误:无法从 asm
解组授权数据的秘密值
我很确定错误与秘密管理器有关,但不确定具体位置。知道我做错了什么吗?
我希望这个回答可以帮助到其他人。我犯了两个错误:
- 在我的任务定义中,我只设置了 execution_role_arn 字段。我忘了添加 task_role_arn.
# before
resource "aws_ecs_task_definition" "task_to_be_scheduled" {
execution_role_arn = aws_iam_role.ecs_role.arn
....
}
# after
resource "aws_ecs_task_definition" "task_to_be_scheduled" {
execution_role_arn = aws_iam_role.ecs_role.arn
task_role_arn = aws_iam_role.ecs_role.arn
....
}
- 我使用令牌作为凭证参数,而不是诸如 {"username" : "gitlab-ci-token", "password" : "your-password"}
# before
container_definitions = jsonencode([
{
"repositoryCredentials" : {
"credentialsParameter" : "any-token-as-string"
},
....
}]
# after
container_definitions = jsonencode([
{
"repositoryCredentials" : {
"credentialsParameter" : {"username" : "gitlab-ci-token", "password" : "your-password"}
},
....
}]
我需要我的 ECS 任务定义来包含我的私有 Docker 注册表的凭据,如果可能的话使用一个简单的令牌,或者 user:password.
下面是我的代码:
resource "aws_secretsmanager_secret" "docker_registry_secret" {
name_prefix = "/my_environment/registry/pwd"
}
resource "aws_secretsmanager_secret_version" "docker_registry_secret_version" {
secret_id = aws_secretsmanager_secret.docker_registry_secret.id
secret_string = xxxMYTOKENxxx
}
resource "aws_iam_role_policy" "password_policy_secretsmanager" {
name = "${var.task_name}-secretsmanager"
role = aws_iam_role.MY_ECS_ROLE.id
policy = <<-EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": [
"${aws_secretsmanager_secret.docker_registry_secret.arn}",
]
}
]
}
EOF
}
resource "aws_ecs_task_definition" "task_to_be_scheduled" {
.....
....
requires_compatibilities = ["FARGATE"]
network_mode = "awsvpc"
container_definitions = jsonencode([
{
"repositoryCredentials" : {
"credentialsParameter" : aws_secretsmanager_secret.docker_registry_secret.arn
},
....
....
])
}
但是,当我启动我的任务时,我的 ECS 上出现以下错误:无法从 asm
解组授权数据的秘密值我很确定错误与秘密管理器有关,但不确定具体位置。知道我做错了什么吗?
我希望这个回答可以帮助到其他人。我犯了两个错误:
- 在我的任务定义中,我只设置了 execution_role_arn 字段。我忘了添加 task_role_arn.
# before
resource "aws_ecs_task_definition" "task_to_be_scheduled" {
execution_role_arn = aws_iam_role.ecs_role.arn
....
}
# after
resource "aws_ecs_task_definition" "task_to_be_scheduled" {
execution_role_arn = aws_iam_role.ecs_role.arn
task_role_arn = aws_iam_role.ecs_role.arn
....
}
- 我使用令牌作为凭证参数,而不是诸如 {"username" : "gitlab-ci-token", "password" : "your-password"}
# before
container_definitions = jsonencode([
{
"repositoryCredentials" : {
"credentialsParameter" : "any-token-as-string"
},
....
}]
# after
container_definitions = jsonencode([
{
"repositoryCredentials" : {
"credentialsParameter" : {"username" : "gitlab-ci-token", "password" : "your-password"}
},
....
}]