[英]AWS Lambda from cross account ECR : Lambda does not have permission to access the ECR image
I'm trying to create a lambda function in account B from an ECR Image from another account A but i'm encountering a Lambda does not have permission to access the ECR image error.我正在尝试从另一个帐户 A 的 ECR 图像在帐户 B 中创建一个 lambda function,但我遇到了Lambda 没有权限访问 ECR 图像错误。
I created the following ECR policy following this :我在此之后创建了以下 ECR 策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CrossAccountPermission",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::BBBBBBBBBBBB:root"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
]
},
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Condition": {
"StringLike": {
"aws:sourceArn:": "arn:aws:lambda:eu-west-1:BBBBBBBBBBBB:function:*"
}
}
}
]
}
I'm using aws sso assumed role to perform the lambda creation, i don't know if this has an impact.我正在使用 aws sso 承担的角色来执行 lambda 创建,我不知道这是否有影响。
Account B and A are not in the same AWS Organization unit.账户 B 和 A 不在同一个 AWS 组织单位中。
Things i tested:我测试的东西:
I'm running out of things to check and i would really like to avoid copying the ECR image in account B.我没有什么要检查的了,我真的很想避免复制账户 B 中的 ECR 图像。
Do you have any idea why the example policy doesn't seem to work?您知道为什么示例策略似乎不起作用吗?
How can i narrow the policy from everything coming from the lambda service?我如何缩小来自 lambda 服务的所有内容的政策? I was planning to use aws:PrincipalOrgPaths
to allow multiple organization units but this doesn't seem to work with the lambda principal.我打算使用aws:PrincipalOrgPaths
来允许多个组织单位,但这似乎不适用于 lambda 委托人。
As I stated in my comment, it was a dumb typo, as is often the case with policies.正如我在评论中所说,这是一个愚蠢的错字,就像政策一样。
I used "aws:sourceArn:":
instead of "aws:sourceArn":
...我使用了"aws:sourceArn:":
而不是"aws:sourceArn":
...
You can use aws:ResourceOrgID
您可以使用aws:ResourceOrgID
This is new feature https://aws.amazon.com/jp/blogs/security/how-to-control-access-to-aws-resources-based-on-aws-account-ou-or-organization/这是新功能https://aws.amazon.com/jp/blogs/security/how-to-control-access-to-aws-resources-based-on-aws-account-ou-or-organization/
I spent way too much time on this today so hopefully it helps someone else, but I finally was able to share images with entire org using the following repository policy...我今天在这上面花了太多时间,所以希望它可以帮助其他人,但我终于能够使用以下存储库策略与整个组织共享图像......
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CrossOrgPermission",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Condition": {
"StringLike": {
"aws:PrincipalOrgID": "x-xxxxxxxxx"
}
}
},
{
"Sid": "LambdaECRImageCrossOrgRetrievalPolicy",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Condition": {
"StringLike": {
"aws:ResourceOrgID": "x-xxxxxxxxx"
}
}
}
]
}
My CrossOrgPermission is a little more broad than what is here, but I believe it should still work as shown.我的 CrossOrgPermission 比这里的要广泛一些,但我相信它应该仍然可以如图所示工作。
Contrary to what is suggested above, aws:ResourceOrgID will not do what is required in this case.与上面的建议相反, aws:ResourceOrgID在这种情况下不会执行所需的操作。 Even worse, it will open your ECR for access to any lambda in any account.更糟糕的是,它会打开你的 ECR 以访问任何帐户中的任何 lambda。
The AWS blog describes aws:ResourceOrgID as "AWS organization ID of the resource being accessed". AWS 博客将 aws:ResourceOrgID 描述为“正在访问的资源的 AWS 组织 ID”。 This condition is always true, because the resource being accessed - your ECR - belongs to your organization.此条件始终为真,因为正在访问的资源 - 您的 ECR - 属于您的组织。 It does not say anything about the lambda that accesses ECR.它没有说明访问 ECR 的 lambda。
Further, in my communication with AWS support they have confirmed that using aws:PrincipalOrgId does not work as well.此外,在我与 AWS 支持人员的沟通中,他们确认使用 aws:PrincipalOrgId 也不起作用。 Quoting their response:引用他们的回应:
When permissions are being granted to service principles like "lambda.amazonaws.com" they do not support PrincipleOrgPaths or PrincipalOrgId condition keys.当向“lambda.amazonaws.com”等服务原则授予权限时,它们不支持 PrincipleOrgPaths 或 PrincipalOrgId 条件键。 This is because the Lambda service principal does not exist within an organization, while an identity like a user/role does.这是因为 Lambda 服务主体在组织中不存在,而像用户/角色这样的身份却存在。
The only way to make it work is to use the aws:SourceARN condition key, explicitely mentioning each lambda, which is going to access your ECR.使其工作的唯一方法是使用 aws:SourceARN 条件键,明确提及每个 lambda,它将访问您的 ECR。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.