Use docker image from private external registry in AWS ECS
I am trying to run an image in AWS ECS hosted in my company's private registry. According to AWS, this is entirely possible as long as I use the guide from https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html and follow the section "Enabling private registry authentication".
I have created a secret in AWS Secrets Manager called testSecret in plaintext format with the json structure provided in the link above, like:
{
"username": "myuser",
"password": "mypass"
}
I reference it in my ECS job definition in the Secrets section with the name myRegistryCreds and then enter the ARN value of the secret above in the Value From section.
Whenever I try to run the job though, I get the error below:
CannotPullContainerError: Error response from daemon: Head "https://myprivateregistry.com/myrepo/helloworld/manifests/latest": no basic auth credentials
The policy attached to my execution role mimics what is in the AWS guide as well:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:<awsRegion>:<myAWSaccount>:secret:testSecret-CtEe8E",
"arn:aws:kms:*:<myAWSaccount>:key/*"
]
}
]
}
My task definition:
{
"taskDefinition": {
"taskDefinitionArn": "arn:aws:ecs:aws-region:awsAccount:task-definition/my-task-definition:7",
"containerDefinitions": [
{
"name": "default",
"image": "myprivateregistry.com/myrepo/helloworld/manifests/latest",
"cpu": 0,
"memory": 1,
"portMappings": [],
"essential": true,
"environment": [],
"mountPoints": [],
"volumesFrom": [],
"linuxParameters": {
"tmpfs": []
},
"secrets": [
{
"name": "testSecret",
"valueFrom": "arn:aws:secretsmanager:aws-region:awsAccount:secret:testSecret-CtEe8E"
}
],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/aws/batch/job",
"awslogs-region": "aws-region",
"awslogs-stream-prefix": "my-task-definition"
}
}
}
],
"family": "my-task-definition",
"executionRoleArn": "arn:aws:iam::awsAccount:role/ecsTaskExecutionRole",
"networkMode": "host",
"revision": 7,
"volumes": [],
"status": "ACTIVE",
"requiresAttributes": [
{
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
{
"name": "ecs.capability.execution-role-awslogs"
},
{
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
},
{
"name": "ecs.capability.secrets.asm.environment-variables"
},
{
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.22"
},
{
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
}
],
"placementConstraints": [],
"compatibilities": [
"EXTERNAL",
"EC2"
],
"registeredAt": 1643130577.733,
"registeredBy": "arn:aws:sts::awsAccount:assumed-role/AWSServiceRoleForBatch/aws-batch"
}
}
Does anyone know what I am missing / how to use an image from an external, private registry in AWS ECS?
Secrets Manager encrypts secrets by default - no option to store "plain text". Check if task execution role has kms:Decrypt action allowed.
Based on added task definition, you are missing the repositoryCredentials section in containerDefinitions array.
Should be:
{
"taskDefinition": {
"taskDefinitionArn": "arn:aws:ecs:aws-region:awsAccount:task-definition/my-task-definition:7",
"containerDefinitions": [
{
"name": "default",
"image": "myprivateregistry.com/myrepo/helloworld/manifests/latest",
"repositoryCredentials": {
"credentialsParameter": "arn:aws:secretsmanager:aws-region:awsAccount:secret:testSecret-CtEe8E"
},
"cpu": 0,
"memory": 1,
"portMappings": [],
"essential": true,
"environment": [],
"mountPoints": [],
"volumesFrom": [],
"linuxParameters": {
"tmpfs": []
},
"secrets": null,
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/aws/batch/job",
"awslogs-region": "aws-region",
"awslogs-stream-prefix": "my-task-definition"
}
}
}
],
"family": "my-task-definition",
"executionRoleArn": "arn:aws:iam::awsAccount:role/ecsTaskExecutionRole",
"networkMode": "host",
"revision": 7,
"volumes": [],
"status": "ACTIVE",
"requiresAttributes": [
{
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
{
"name": "ecs.capability.execution-role-awslogs"
},
{
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
},
{
"name": "ecs.capability.secrets.asm.environment-variables"
},
{
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.22"
},
{
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
}
],
"placementConstraints": [],
"compatibilities": [
"EXTERNAL",
"EC2"
],
"registeredAt": 1643130577.733,
"registeredBy": "arn:aws:sts::awsAccount:assumed-role/AWSServiceRoleForBatch/aws-batch"
}
}
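As an added check, not code from the question or the answers: a small Python script that inspects an ECS task definition together with its execution-role policy and reports the two things this thread turned on, a Secrets Manager secret placed under "secrets" (which only injects it as an environment variable) instead of under repositoryCredentials, and an execution role that is not allowed to read the credentials secret. The task definitions, policy, ARNs and image name are constructed placeholders modelled on the ones posted above.

```python
import re
# Constructed inputs modelled on the question's task definition and execution-role
# policy; the ARNs and image name are placeholders, not the poster's real resources.
SECRET_ARN = "arn:aws:secretsmanager:aws-region:awsAccount:secret:testSecret-CtEe8E"
IMAGE = "myprivateregistry.com/myrepo/helloworld:latest"

# Shape from the question: the secret is only injected as an environment variable.
TASK_DEF_BEFORE = {"containerDefinitions": [
    {"name": "default", "image": IMAGE,
     "secrets": [{"name": "testSecret", "valueFrom": SECRET_ARN}]}]}

# Shape from the answer: the secret is wired to the image pull via repositoryCredentials.
TASK_DEF_AFTER = {"containerDefinitions": [
    {"name": "default", "image": IMAGE,
     "repositoryCredentials": {"credentialsParameter": SECRET_ARN}}]}

EXEC_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "secretsmanager:GetSecretValue"],
     "Resource": [SECRET_ARN, "arn:aws:kms:*:awsAccount:key/*"]}]}


def _matches(pattern: str, value: str) -> bool:
    """IAM-style match: '*' in a policy Action/Resource entry is a wildcard."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def _allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement grants `action` on `resource` (Deny not modelled)."""
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if (st.get("Effect") == "Allow" and any(_matches(a, action) for a in acts)
                and any(_matches(r, resource) for r in res)):
            return True
    return False


def check_private_registry_auth(task_def: dict, policy: dict) -> list:
    """Explain why a pull from a private registry would fail with 'no basic auth credentials'."""
    findings = []
    for c in task_def["containerDefinitions"]:
        arn = c.get("repositoryCredentials", {}).get("credentialsParameter")
        if not arn:
            findings.append(f"{c['name']}: no repositoryCredentials, so the image pull is anonymous")
            for s in c.get("secrets") or []:  # a secret here is an env var, not pull credentials
                if ":secretsmanager:" in s.get("valueFrom", ""):
                    findings.append(f"{c['name']}: secret {s['name']} is injected as an env var only")
            continue
        if not _allowed(policy, "secretsmanager:GetSecretValue", arn):
            findings.append(f"{c['name']}: execution role cannot read {arn}")
    return findings
```

Run it against the "before" and "after" task definitions to see the first report both problems and the second report nothing; the kms:Decrypt requirement from the first answer is not checked here because the secret's KMS key ARN is not derivable from the task definition.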