
Use docker image from private external registry in AWS ECS

I am trying to run an image in AWS ECS hosted in my company's private registry. According to AWS, this is entirely possible as long as I use the guide from https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html and follow the section Enabling private registry authentication. I have created a secret in AWS Secrets Manager called testSecret in plaintext format with the json structure provided in the link above, like:

{
  "username": "myuser",
  "password": "mypass"
}

I reference it in my ECS job definition in the Secrets section with the name myRegistryCreds and then enter the ARN value of the secret above in the Value From section.

Whenever I try to run the job though, I get the error below:

CannotPullContainerError: Error response from daemon: Head "https://myprivateregistry.com/myrepo/helloworld/manifests/latest": no basic auth credentials

The policy attached to my execution role mimics what is in the AWS guide as well:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:<awsRegion>:<myAWSaccount>:secret:testSecret-CtEe8E",
                "arn:aws:kms:*:<myAWSaccount>:key/*"
            ]
        }
    ]
}

My task definition:

{
    "taskDefinition": {
        "taskDefinitionArn": "arn:aws:ecs:aws-region:awsAccount:task-definition/my-task-definition:7",
        "containerDefinitions": [
            {
                "name": "default",
                "image": "myprivateregistry.com/myrepo/helloworld/manifests/latest",
                "cpu": 0,
                "memory": 1,
                "portMappings": [],
                "essential": true,
                "environment": [],
                "mountPoints": [],
                "volumesFrom": [],
                "linuxParameters": {
                    "tmpfs": []
                },
                "secrets": [
                    {
                        "name": "testSecret",
                        "valueFrom": "arn:aws:secretsmanager:aws-region:awsAccount:secret:testSecret-CtEe8E"
                    }
                ],
                "logConfiguration": {
                    "logDriver": "awslogs",
                    "options": {
                        "awslogs-group": "/aws/batch/job",
                        "awslogs-region": "aws-region",
                        "awslogs-stream-prefix": "my-task-definition"
                    }
                }
            }
        ],
        "family": "my-task-definition",
        "executionRoleArn": "arn:aws:iam::awsAccount:role/ecsTaskExecutionRole",
        "networkMode": "host",
        "revision": 7,
        "volumes": [],
        "status": "ACTIVE",
        "requiresAttributes": [
            {
                "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
            },
            {
                "name": "ecs.capability.execution-role-awslogs"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
            },
            {
                "name": "ecs.capability.secrets.asm.environment-variables"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.22"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
            }
        ],
        "placementConstraints": [],
        "compatibilities": [
            "EXTERNAL",
            "EC2"
        ],
        "registeredAt": 1643130577.733,
        "registeredBy": "arn:aws:sts::awsAccount:assumed-role/AWSServiceRoleForBatch/aws-batch"
    }
}

Does anyone know what I am missing / how to use an image from an external, private registry in AWS ECS?

Secrets Manager encrypts secrets by default - there is no option to store "plain text". Check if the task execution role has the kms:Decrypt action allowed.

Based on the added task definition, you are missing the repositoryCredentials section in the containerDefinitions array.

Should be:

{
    "taskDefinition": {
        "taskDefinitionArn": "arn:aws:ecs:aws-region:awsAccount:task-definition/my-task-definition:7",
        "containerDefinitions": [
            {
                "name": "default",
                "image": "myprivateregistry.com/myrepo/helloworld/manifests/latest",
                "repositoryCredentials": {
                    "credentialsParameter": "arn:aws:secretsmanager:aws-region:awsAccount:secret:testSecret-CtEe8E"
                },
                "cpu": 0,
                "memory": 1,
                "portMappings": [],
                "essential": true,
                "environment": [],
                "mountPoints": [],
                "volumesFrom": [],
                "linuxParameters": {
                    "tmpfs": []
                },
                "secrets": null,
                "logConfiguration": {
                    "logDriver": "awslogs",
                    "options": {
                        "awslogs-group": "/aws/batch/job",
                        "awslogs-region": "aws-region",
                        "awslogs-stream-prefix": "my-task-definition"
                    }
                }
            }
        ],
        "family": "my-task-definition",
        "executionRoleArn": "arn:aws:iam::awsAccount:role/ecsTaskExecutionRole",
        "networkMode": "host",
        "revision": 7,
        "volumes": [],
        "status": "ACTIVE",
        "requiresAttributes": [
            {
                "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
            },
            {
                "name": "ecs.capability.execution-role-awslogs"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
            },
            {
                "name": "ecs.capability.secrets.asm.environment-variables"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.22"
            },
            {
                "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
            }
        ],
        "placementConstraints": [],
        "compatibilities": [
            "EXTERNAL",
            "EC2"
        ],
        "registeredAt": 1643130577.733,
        "registeredBy": "arn:aws:sts::awsAccount:assumed-role/AWSServiceRoleForBatch/aws-batch"
    }
}
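The answer above turns on a distinction that is easy to miss: the `secrets` array only injects environment variables into the running container, while `repositoryCredentials.credentialsParameter` is what the ECS agent uses to authenticate the image pull itself, and the execution role must be able to read that secret (plus decrypt it with KMS where a customer-managed key is involved). The following script, an added example that is not part of the original post nor of any AWS tooling, lints a task definition and execution-role policy for exactly those conditions. The task definitions, policy and ARNs are constructed sample inputs modelled on the question (account id and secret suffix are placeholders), the "external private registry" test is a simple hostname heuristic, and the KMS check uses a placeholder key ARN in the secret's region and account because the real key id is not known from the task definition.

```python
"""Lint an ECS task definition for private-registry pull authentication.

Added example; inputs are constructed and ARNs are placeholders.
"""
import json
import re
from fnmatch import fnmatchcase

SECRET_ARN_RE = re.compile(r"^arn:aws:secretsmanager:([^:]+):(\d{12}):secret:.+$")
# ECR images are pulled with the execution role; no repositoryCredentials needed.
ECR_HOST_RE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")


def is_external_private_image(image: str) -> bool:
    """Heuristic: first path component is a registry host and it is not ECR.
    Bare names ('nginx:latest') and 'user/repo' references resolve to Docker Hub."""
    if "/" not in image:
        return False
    first = image.split("/", 1)[0]
    has_host = "." in first or ":" in first or first == "localhost"
    return has_host and not ECR_HOST_RE.match(image)


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """True if an Allow statement grants `action` on `resource`.
    Wildcards in Action/Resource are honoured; Deny statements are not evaluated."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(fnmatchcase(action, a) for a in actions) and any(
            fnmatchcase(resource, r) for r in resources
        ):
            return True
    return False


def check_secret_value(raw: str) -> list:
    """The registry secret must be a JSON object with 'username' and 'password'."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc}"]
    if not isinstance(data, dict):
        return ["secret JSON is not an object"]
    return [f"secret is missing key '{k}'" for k in ("username", "password") if k not in data]


def check_task_definition(task_def: dict, exec_policy: dict) -> list:
    """Return findings for every container pulled from an external private registry."""
    findings = []
    td = task_def.get("taskDefinition", task_def)  # accept describe-task-definition output or the bare document
    for c in td.get("containerDefinitions", []):
        name, image = c.get("name", "?"), c.get("image", "")
        if not is_external_private_image(image):
            continue
        param = (c.get("repositoryCredentials") or {}).get("credentialsParameter")
        if not param:
            names = [s.get("name") for s in (c.get("secrets") or [])]
            hint = (f"; 'secrets' {names} only become env vars and do not authenticate the pull"
                    if names else "")
            findings.append(f"{name}: no repositoryCredentials for private image {image}{hint}")
            continue
        m = SECRET_ARN_RE.match(param)
        if not m:
            findings.append(f"{name}: credentialsParameter is not a Secrets Manager ARN: {param}")
            continue
        if not policy_allows(exec_policy, "secretsmanager:GetSecretValue", param):
            findings.append(f"{name}: execution role lacks secretsmanager:GetSecretValue on {param}")
        region, account = m.groups()
        # Placeholder key ARN (constructed): the secret's KMS key lives in its own region/account.
        key_arn = f"arn:aws:kms:{region}:{account}:key/PLACEHOLDER-KEY-ID"
        if not policy_allows(exec_policy, "kms:Decrypt", key_arn):
            findings.append(f"{name}: warn: no kms:Decrypt on keys in {region}/{account}; "
                            "required if the secret uses a customer-managed KMS key")
    return findings


# Constructed sample inputs modelled on the question (placeholder account and suffix).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:testSecret-PLACEHOLDER"
EXEC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "secretsmanager:GetSecretValue"],
        "Resource": [SECRET_ARN, "arn:aws:kms:*:123456789012:key/*"],
    }],
}
IMAGE = "myprivateregistry.com/myrepo/helloworld:latest"
BROKEN_TASK_DEF = {"taskDefinition": {"containerDefinitions": [
    {"name": "default", "image": IMAGE, "secrets": [{"name": "testSecret", "valueFrom": SECRET_ARN}]}]}}
FIXED_TASK_DEF = {"taskDefinition": {"containerDefinitions": [
    {"name": "default", "image": IMAGE, "secrets": None,
     "repositoryCredentials": {"credentialsParameter": SECRET_ARN}}]}}

if __name__ == "__main__":
    for label, td in (("broken", BROKEN_TASK_DEF), ("fixed", FIXED_TASK_DEF)):
        print(label, check_task_definition(td, EXEC_POLICY) or ["ok"])
    print("secret", check_secret_value('{"username": "myuser", "password": "mypass"}') or ["ok"])
```

Run it against the output of `aws ecs describe-task-definition` and the execution role's policy document; the `warn` finding is advisory because the AWS-managed `aws/secretsmanager` key does not need an explicit kms:Decrypt grant, whereas a customer-managed key does.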
