AWS Lambda from cross account ECR: Lambda 没有访问ECR镜像的权限
[英]AWS Lambda from cross account ECR : Lambda does not have permission to access the ECR image
问题描述
I'm trying to create a lambda function in account B from an ECR Image from another account A but i'm encountering a Lambda does not have permission to access the ECR image error.
我正在尝试从另一个帐户 A 的 ECR 图像在帐户 B 中创建一个 lambda function,但我遇到了Lambda 没有权限访问 ECR 图像错误。
I created the following ECR policy following this :我在此之后创建了以下 ECR 策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CrossAccountPermission",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::BBBBBBBBBBBB:root"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
},
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Condition": {
"StringLike": {
"aws:sourceArn:": "arn:aws:lambda:eu-west-1:BBBBBBBBBBBB:function:*"
}
}
}
]
}
I'm using aws sso assumed role to perform the lambda creation, i don't know if this has an impact.我正在使用 aws sso 承担的角色来执行 lambda 创建,我不知道这是否有影响。
Account B and A are not in the same AWS Organization unit.账户 B 和 A 不在同一个 AWS 组织单位中。
Things i tested:我测试的东西:
- If i remove the condition from the statement targeting the lambda service, the error goes away, but obviously it's not a permanent solution.如果我从针对 lambda 服务的语句中删除条件,错误就会消失,但显然这不是永久解决方案。
- Running an ECS Task using the same ECR image in account B works fine.在账户 B 中使用相同的 ECR 映像运行 ECS 任务工作正常。
- I tried following the SAM tutorial here and i encountered the same issue.我尝试按照此处的 SAM 教程进行操作,但遇到了同样的问题。
I'm running out of things to check and i would really like to avoid copying the ECR image in account B.我没有什么要检查的了,我真的很想避免复制账户 B 中的 ECR 图像。
Do you have any idea why the example policy doesn't seem to work?您知道为什么示例策略似乎不起作用吗?
How can i narrow the policy from everything coming from the lambda service?我如何缩小来自 lambda 服务的所有内容的政策? I was planning to use aws:PrincipalOrgPaths to allow multiple organization units but this doesn't seem to work with the lambda principal.我打算使用aws:PrincipalOrgPaths来允许多个组织单位,但这似乎不适用于 lambda 委托人。
4 个解决方案
解决方案1
1 2022-03-12 21:39:59
As I stated in my comment, it was a dumb typo, as is often the case with policies.正如我在评论中所说,这是一个愚蠢的错字,就像政策一样。
I used "aws:sourceArn:": instead of "aws:sourceArn": ...我使用了"aws:sourceArn:":而不是"aws:sourceArn": ...
解决方案2
0 2022-06-23 07:58:46
You can use aws:ResourceOrgID您可以使用aws:ResourceOrgID
This is new feature https://aws.amazon.com/jp/blogs/security/how-to-control-access-to-aws-resources-based-on-aws-account-ou-or-organization/这是新功能https://aws.amazon.com/jp/blogs/security/how-to-control-access-to-aws-resources-based-on-aws-account-ou-or-organization/
解决方案3
0 2022-07-14 22:11:16
I spent way too much time on this today so hopefully it helps someone else, but I finally was able to share images with entire org using the following repository policy...我今天在这上面花了太多时间,所以希望它可以帮助其他人,但我终于能够使用以下存储库策略与整个组织共享图像......
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CrossOrgPermission",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Condition": {
"StringLike": {
"aws:PrincipalOrgID": "x-xxxxxxxxx"
}
}
},
{
"Sid": "LambdaECRImageCrossOrgRetrievalPolicy",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Condition": {
"StringLike": {
"aws:ResourceOrgID": "x-xxxxxxxxx"
}
}
}
]
}
My CrossOrgPermission is a little more broad than what is here, but I believe it should still work as shown.我的 CrossOrgPermission 比这里的要广泛一些,但我相信它应该仍然可以如图所示工作。
解决方案4
0 2023-01-02 15:03:13
Contrary to what is suggested above, aws:ResourceOrgID will not do what is required in this case.与上面的建议相反, aws:ResourceOrgID在这种情况下不会执行所需的操作。 Even worse, it will open your ECR for access to any lambda in any account.更糟糕的是,它会打开你的 ECR 以访问任何帐户中的任何 lambda。
The AWS blog describes aws:ResourceOrgID as "AWS organization ID of the resource being accessed". AWS 博客将 aws:ResourceOrgID 描述为“正在访问的资源的 AWS 组织 ID”。 This condition is always true, because the resource being accessed - your ECR - belongs to your organization.此条件始终为真,因为正在访问的资源 - 您的 ECR - 属于您的组织。 It does not say anything about the lambda that accesses ECR.它没有说明访问 ECR 的 lambda。
Further, in my communication with AWS support they have confirmed that using aws:PrincipalOrgId does not work as well.此外,在我与 AWS 支持人员的沟通中,他们确认使用 aws:PrincipalOrgId 也不起作用。 Quoting their response:引用他们的回应:
When permissions are being granted to service principles like "lambda.amazonaws.com" they do not support PrincipleOrgPaths or PrincipalOrgId condition keys.
The only way to make it work is to use the aws:SourceARN condition key, explicitely mentioning each lambda, which is going to access your ECR.使其工作的唯一方法是使用 aws:SourceARN 条件键,明确提及每个 lambda,它将访问您的 ECR。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.