[英]Question about configuring policy for uploading docker image to ECR in Jenkins
我创建了一个新角色,用于使用 Jenkins 将 docker 图像上传到 ECR,我附上了我在这里找到的这个政策
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"ListImagesInRepository",
"Effect":"Allow",
"Action":[
"ecr:ListImages"
],
"Resource":"arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
},
{
"Sid":"GetAuthorizationToken",
"Effect":"Allow",
"Action":[
"ecr:GetAuthorizationToken"
],
"Resource":"*"
},
{
"Sid":"ManageRepositoryContents",
"Effect":"Allow",
"Action":[
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource":"arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
}
]
}
我在 Policy Simulator 中测试,它给了我拒绝:
我怀疑 ARN 有问题,我只找到了一个 URL 用于 ECR 回购,但我根据示例更改了格式,有人可以帮助我吗? 现在已经为它苦苦挣扎了很长时间。
问题出在Simulation Resource
上。 您正在测试*
,但您的政策明智地不允许全部。 您应该针对您需要访问的资源的实际 ARN 对其进行测试。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.