AWS ECS Fargate pull image from a cross-account ECR repo
I have 2 AWS accounts:
- account A that has an ECR repo.
- account B that has an ECS cluster running Fargate.
I have created a "cross-account" role in account A with a trust relationship to account B, and I have also attached the "AmazonEC2ContainerRegistryPowerUser" policy to this role.
I gave access to the ECR repository in account A by adding account B's id and the "cross-account" role to the repository policy.
I attached a policy to the Fargate "TaskExecutionRole" allowing Fargate to assume the "cross-account" role.
When trying to deploy a Fargate task in account B with a reference to an image in account A I'm getting a 500 error.
Fargate will not automatically assume a cross-account role. Fortunately, you do not need to assume a role in another account in order to pull images from that account's ECR repository.
To enable cross-account access to an image in ECR, add access for account B in account A's repository (by setting the repository policy), and then specify a TaskExecutionRole in account B that has permissions to pull from ECR ("ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability").
For example, set a repository policy on the repository in account A like the following:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_B_ID:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage"
      ]
    }
  ]
}
Then, set your TaskExecutionRole in account B to have a policy like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
Alternately, you can use the managed policy AmazonECSTaskExecutionRolePolicy for your TaskExecutionRole instead of defining your own.
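As an added check that is not part of the answer above, the following Python script lints the two policies the answer describes before they are applied: it confirms that account A's repository policy grants the puller account exactly the three pull actions (flagging a '*' principal or extra grants such as push rights), and that account B's task execution role also has ecr:GetAuthorizationToken. The account id 111122223333 and the sample policy are constructed placeholders.

```python
# Pull actions account B's ECS agent needs on the repository in account A
REQUIRED_REPO_ACTIONS = {
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
}
# The task execution role also needs a registry auth token, issued in its own account
REQUIRED_ROLE_ACTIONS = REQUIRED_REPO_ACTIONS | {"ecr:GetAuthorizationToken"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_repository_policy(policy, puller_account_id):
    """Findings for account A's repository policy; empty list means the puller
    account gets exactly the three pull actions and no statement allows '*'."""
    findings, granted = [], set()
    puller_root = f"arn:aws:iam::{puller_account_id}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        actions = set(_as_list(stmt.get("Action", [])))
        if "*" in aws:
            findings.append(f"{sid}: Principal '*' makes the repository readable by anyone")
        if puller_root in aws:
            granted |= actions
            if actions - REQUIRED_REPO_ACTIONS:
                findings.append(f"{sid}: grants more than pull: {sorted(actions - REQUIRED_REPO_ACTIONS)}")
    if REQUIRED_REPO_ACTIONS - granted:
        findings.append(f"account {puller_account_id} lacks {sorted(REQUIRED_REPO_ACTIONS - granted)}")
    return findings


def check_execution_role_policy(policy):
    """ECR actions the task execution role in account B still lacks (empty set = OK)."""
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            allowed |= set(_as_list(stmt.get("Action", [])))
    return set() if allowed & {"*", "ecr:*"} else REQUIRED_ROLE_ACTIONS - allowed


# Constructed sample: the answer's repository policy with a placeholder account id
SAMPLE_REPO_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Sid": "AllowCrossAccountPull", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage"]}]}
```

Running both checks against a real policy pair is a cheap way to tell a genuine permissions gap from the unneeded AssumeRole setup the question describes.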