[英]What permissions do I add in AWS to enable ecr:getAuthorizationToken?
I'm trying to follow the steps to use amazon elastic container registry (ECR) but I'm stuck at the first step, which is obtaining an auth token.我正在尝试按照使用亚马逊弹性容器注册表(ECR)的步骤,但我被困在第一步,即获取身份验证令牌。
Command:命令:
aws ecr get-login
Or...或者...
aws ecr get-login --region=us-west-2
Error:错误:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::9#####4:user/### is not authorized to perform: ecr:GetAuthorizationToken on resource: *
AWS Permissions on user for region us-west-2:区域 us-west-2 的用户 AWS 权限:
AmazonEC2FullAccess
AmazonEC2ContainerRegistryFullAccess
Billing
AdministratorAccess
AmazonECS_FullAccess
AWS CLI version: AWS CLI 版本:
aws help --version
aws-cli/1.14.40 Python/3.6.4 Darwin/18.2.0 botocore/1.8.44
Please note that you're not allowing your user any access to ECR in a sense. 请注意,您在某种意义上不允许用户访问ECR。 Try adding the following policy to the user:
尝试向用户添加以下策略:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage"
],
"Resource": "*"
}]
}
https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryReadOnly https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html#AmazonEC2ContainerRegistryReadOnly
As general advice, ecr:GetAuthorizationToken
must apparently be applied to all resources *
but all other ECR permissions can be scoped.作为一般建议,
ecr:GetAuthorizationToken
显然必须应用于所有资源*
但所有其他 ECR 权限都可以限定范围。 When setting up ECR permissions as below, that user/role can login into Docker via CLI and still only access those images that user/role is supposed to.如下设置 ECR 权限时,该用户/角色可以通过 CLI 登录到 Docker 并且仍然只能访问该用户/角色应该访问的那些图像。
Example with scoped permissions:具有范围权限的示例:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": "arn:aws:ecr:${region}:${account}:repository/${repo-name}"
},
{
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
}
]
}
From my observations, scoping ecr:GetAuthorizationToken
to any ECR repositories will result in AccessDeniedException
.根据我的观察,将
ecr:GetAuthorizationToken
范围限定到任何 ECR 存储库都会导致AccessDeniedException
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.