Unable to Create Policy for AWS ECR
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_id>:user/root"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": [
        "xxx.dkr.ecr.us-west-2.amazonaws.com/yyy"
      ]
    }
  ]
}
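The command I am trying to use is:
aws ecr set-repository-policy --repository-name yyy --policy-text file://ecr-policy.json
If I run ls on my Linux machine, I can see this ecr-policy.json in the same folder where I run this command.
I want to grant access to myself.
I always get the error:
An error occurred (InvalidParameterException) when calling the SetRepositoryPolicy operation: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'
I checked my AWS ARN, and it ends with root.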
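You don't need the Resource section, because this statement will be attached to a specific repository. Try adding the following statement in Console > ECR > Repositories > [Select a repo on the Images table] > Permissions: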
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account #>:user/<your IAM user name>",
          "arn:aws:iam::<account #>:root"
        ]
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
Note: Replace <account #> with your AWS account ID.
Remove Resource from the policy JSON file:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_id>:user/root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchDeleteImage",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
Or you can set it in the AWS console: Amazon ECR > Repositories > permissions tab.
Try the resource in the following format:
arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}
https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html
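A pre-flight check for the two points raised in the answers above, as an added example that is not part of the original posts: it flags a Resource element in a repository policy and a principal written as user/root instead of the account root ARN. The function names, the sample account ID and the wording of the findings are assumptions made for this illustration.

```python
import json
import re

# ARN shape quoted in the last answer:
# arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}
ECR_REPO_ARN = re.compile(r"^arn:[\w-]+:ecr:[a-z0-9-]+:\d{12}:repository/.+$")
# "*", a bare 12-digit account ID, or a complete IAM root/user/role ARN.
IAM_PRINCIPAL = re.compile(
    r"^(\*|\d{12}|arn:[\w-]+:iam::\d{12}:(root|user/.+|role/.+))$")


def as_list(value):
    """IAM policy elements may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_repository_policy(policy_text):
    """Return a list of findings for an ECR repository policy document."""
    findings = []
    policy = json.loads(policy_text)
    for stmt in as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        for res in as_list(stmt.get("Resource")):
            kind = "ARN" if ECR_REPO_ARN.match(res) else "non-ARN value"
            findings.append(f"{sid}: Resource present ({kind}): {res}; "
                            "the policy is already attached to one repository")
        principal = stmt.get("Principal")
        arns = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for arn in arns:
            if not IAM_PRINCIPAL.match(arn):
                findings.append(f"{sid}: Principal is not a complete IAM ARN: {arn}")
            elif arn.endswith(":user/root"):
                findings.append(f"{sid}: Principal names an IAM user called 'root'; "
                                f"the account principal is {arn.rsplit(':', 1)[0]}:root")
    return findings


# Constructed sample: the question's policy with a made-up account ID filled in.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPushPull", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/root"},
    "Action": ["ecr:BatchGetImage", "ecr:PutImage"],
    "Resource": ["xxx.dkr.ecr.us-west-2.amazonaws.com/yyy"]}]})

if __name__ == "__main__":
    print("\n".join(lint_repository_policy(SAMPLE)))
```

An empty result means neither of the two problems was found; it does not guarantee that ECR will accept the policy.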