[英]How to provision access to ECR for IAM user in ElasticBeanstalk Cloudformation template?
我有弹性豆茎模板如下。 我正在使用多容器 docker。 所以我单独将我的图像推送到 ECR。 在Dockerrun.json ,我像这样引用我的图像"image": "*****.dkr.ecr.ap-south-1.amazonaws.com/******:latest" 。 通过使用这个 CF 模板,我可以使用多容器创建 ELB。 但是在部署我的Dockerrun.json ,由于我的图像的权限被拒绝而失败。 所以我将Type: AWS::ECR::Repository到我的云形成中。我的 CF 中已经有MyInstanceProfile 。 这里我想给MyInstanceProfile添加 ECR 权限。 那么如何给 ElasticbeanStalk 云形成模板分配 ECR 权限呢?
Resources:
sampleApplication:
Type: AWS::ElasticBeanstalk::Application
Properties:
Description: AWS Elastic Beanstalk Sample Application
sampleApplicationVersion:
Type: AWS::ElasticBeanstalk::ApplicationVersion
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Application Version
SourceBundle:
S3Bucket: !Sub "elasticbeanstalk-ap-south-1-182107200133"
S3Key: TravelTouch/Dockerrun.aws.json
MyRepository:
Type: AWS::ECR::Repository
Properties:
RepositoryName: "test-repository"
RepositoryPolicyText:
Version: "2012-10-17"
Statement:
- Sid: AllowPushPull
Effect: Allow
Principal:
AWS:
/*
Here how to assign permission to MyInstanceProfile
*/
Action:
- "ecr:GetDownloadUrlForLayer"
- "ecr:BatchGetImage"
- "ecr:BatchCheckLayerAvailability"
- "ecr:PutImage"
- "ecr:InitiateLayerUpload"
- "ecr:UploadLayerPart"
- "ecr:CompleteLayerUpload"
sampleConfigurationTemplate:
Type: AWS::ElasticBeanstalk::ConfigurationTemplate
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Configuration Template
OptionSettings:
- Namespace: aws:autoscaling:asg
OptionName: MinSize
Value: '2'
- Namespace: aws:autoscaling:asg
OptionName: MaxSize
Value: '6'
- Namespace: aws:elasticbeanstalk:environment
OptionName: EnvironmentType
Value: LoadBalanced
- Namespace: aws:autoscaling:launchconfiguration
OptionName: IamInstanceProfile
Value: !Ref MyInstanceProfile
SolutionStackName: 64bit Amazon Linux 2018.03 v2.26.0 running Multi-container Docker 19.03.13-ce (Generic)
sampleEnvironment:
Type: AWS::ElasticBeanstalk::Environment
Properties:
ApplicationName:
Ref: sampleApplication
Description: AWS ElasticBeanstalk Sample Environment
TemplateName:
Ref: sampleConfigurationTemplate
VersionLabel:
Ref: sampleApplicationVersion
MyInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Description: Beanstalk EC2 role
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
- arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
MyInstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Roles:
- !Ref MyInstanceRole```
通常,您会指定角色的 ARN :
Principal:
AWS: !GetAtt MyInstanceRole.Arn
更新:
MyInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Description: Beanstalk EC2 role
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
- arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
- arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
Policies:
- PolicyName: AllowGetAuthorizationToken
PolicyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECSAccess",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
],
"Resource": "*"
}
]
}
如何识别定义了 IAM 角色的 CloudFormation 模板?
[英]How to identify CloudFormation template that defined IAM role?
如何使用单个cloudformation模板创建多个Elasticbeanstalk环境
[英]How to create multiple Elasticbeanstalk environments using a single cloudformation template
如何在Cloudformation模板中指定Lambda函数和IAM角色名称
[英]How to specify lambda function and IAM role name in cloudformation template
如何在Cloudformation模板参数中创建IAM角色下拉列表
[英]How can I create IAM Role Dropdown in Cloudformation Template Parameters
AWS::ElasticBeanstalk::ConfigurationTemplate 的 AWS CloudFormation 模板失败
[英]AWS CloudFormation template for AWS::ElasticBeanstalk::ConfigurationTemplate is failing
如何在 aws cloudformation 模板中限制特定于 SQS 的 IAM 角色
[英]How to restrict IAM Role specific to SQS in aws cloudformation template
AWS Cloudformation:是否可以在Cloudformation模板中访问用户ID?
[英]AWS Cloudformation: Is it possible to access user id inside a Cloudformation template?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.