
ECS unable to pull secrets or registry auth, related to the api.ecr endpoint, Resourceinitializationerror

I have tried here, here, here and almost every SO post about this error that Google turns up.

I have a private ECR image that I am trying to pull with an ECS service in a public subnet.

Error when trying to create the ECS service:

Resourceinitializationerror: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post "https://api.ecr.us-west-2.amazonaws.com/": dial tcp: lookup api.ecr.us-west-2.amazonaws.com: i/o timeout

Task definition:

{
    "family": "chat-app-frontend",
    "containerDefinitions": [
        {
            "name": "frontend",
            "image": "576765093341.dkr.ecr.us-west-2.amazonaws.com/frontend:latest",
            "cpu": 0,
            "portMappings": [
                {
                    "name": "frontend-80-tcp",
                    "containerPort": 80,
                    "hostPort": 80,
                    "protocol": "tcp",
                    "appProtocol": "http"
                }
            ],
            "essential": true,
            "environment": [],
            "mountPoints": [],
            "volumesFrom": [],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-create-group": "true",
                    "awslogs-group": "/ecs/chat-app-frontend",
                    "awslogs-region": "us-west-2",
                    "awslogs-stream-prefix": "ecs"
                }
            }
        }
    ],
    "taskRoleArn": "arn:aws:iam::576765093341:role/ecsTaskExecutionRole",
    "executionRoleArn": "arn:aws:iam::576765093341:role/ecsTaskExecutionRole",
    "networkMode": "awsvpc",
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "cpu": "1024",
    "memory": "3072",
    "runtimePlatform": {
        "cpuArchitecture": "X86_64",
        "operatingSystemFamily": "LINUX"
    },
    "tags": [
        {
            "key": "ecs:taskDefinition:createdFrom",
            "value": "ecs-console-v2"
        }
    ]
}

ECS task execution role.

ecs-extra-service-access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:CreateLogGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "ssm:GetParameters",
                "secretsmanager:GetSecretValue",
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:ListSecrets"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-west-2:576765093341:secret:prod/ecr-private-registry",
                "arn:aws:kms:us-west-2:576765093341:key/807cbd08-a0ce-4948-b681-a49c7553003a"
            ]
        }
    ]
}

VPC endpoints

These are all attached to the public subnets.

Endpoint policy for com.amazonaws.us-west-2.secretsmanager

{
    "Statement": [
        {
            "Sid": "AccessSpecificAccount",
            "Principal": {
                "AWS": "*"
            },
            "Action": "secretsmanager:*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Security group

Applied to the ECS tasks and to all endpoints.

Other configuration

  • Task definition: public IP assignment enabled
  • Subnets: auto-assign public IP enabled
  • VPC DNS resolution and DNS hostnames enabled
  • Repository created and Docker image pushed using the flag --endpoint-url https://api.ecr.us-west-2.amazonaws.com
  • Tried ECR private registry permissions, but they were "not allowed" with no specific reason given.

I also want to point out that no logs are generated at all, which makes me suspect that the whole taskExecutionRole (my extra permissions policy) is somehow not being applied.

I launched the task in the default VPC with zero configuration (default security group) and it succeeded. Something in my VPC configuration is wrong.

I want to add that I was able to create a custom VPC and get it working, but if I create the VPC with this module it always fails.

https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest
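The stoppedReason in the question carries the root-cause class in its last clause: "dial tcp: lookup api.ecr.us-west-2.amazonaws.com: i/o timeout" is the ECS agent's Go HTTP client failing DNS resolution, not a 403 from ECR and not a TCP connect timeout, so IAM changes will not move it. The following triage script is an added example, not code from the question or from AWS; the first sample message is the one quoted above, the other two are constructed, and the check lists are standard Fargate networking/IAM troubleshooting steps.

```python
"""Triage ECS Fargate ResourceInitializationError strings into a failure class
(dns / connectivity / iam) plus the checks to run next.
Added example, not from the original post. POST_ERROR is the message quoted in
the question; CONNECT_ERROR and DENIED_ERROR are constructed samples."""
import re
from dataclasses import dataclass

POST_ERROR = (
    'Resourceinitializationerror: unable to pull secrets or registry auth: '
    'execution resource retrieval failed: unable to retrieve ecr registry auth: '
    'service call has been retried 3 time(s): RequestError: send request failed '
    'caused by: Post "https://api.ecr.us-west-2.amazonaws.com/": '
    'dial tcp: lookup api.ecr.us-west-2.amazonaws.com: i/o timeout'
)
# Constructed: name resolved, but the TCP connect to the endpoint ENI timed out.
CONNECT_ERROR = (
    'ResourceInitializationError: unable to pull secrets or registry auth: '
    'execution resource retrieval failed: unable to retrieve ecr registry auth: '
    'service call has been retried 3 time(s): RequestError: send request failed '
    'caused by: Post "https://api.ecr.us-west-2.amazonaws.com/": '
    'dial tcp 10.0.1.45:443: i/o timeout'
)
# Constructed: network path fine, execution role lacks the permission.
DENIED_ERROR = (
    'ResourceInitializationError: unable to pull secrets or registry auth: '
    'execution resource retrieval failed: unable to retrieve secret from asm: '
    'service call has been retried 1 time(s): AccessDeniedException: '
    'User: arn:aws:sts::111122223333:assumed-role/ecsTaskExecutionRole/abc '
    'is not authorized to perform: secretsmanager:GetSecretValue'
)

# Go net error shapes. DNS failures contain "lookup <host>: ...", TCP connect
# failures contain "dial tcp <ip>:<port>: ...", IAM failures carry an API error.
_DNS_FAIL = re.compile(r"lookup (?P<host>[\w.-]+)(?: on [\d.:]+)?: (?:i/o timeout|no such host)")
_TCP_FAIL = re.compile(r"dial tcp (?P<addr>[\d.]+):(?P<port>\d+): (?:i/o timeout|connect: connection refused)")
_IAM_FAIL = re.compile(r"AccessDeniedException|status code: 403|not authorized to perform")

CHECKS = {
    "dns": (
        "VPC attributes enableDnsSupport and enableDnsHostnames are both true",
        "interface endpoint has private DNS enabled, or the subnet routes to a NAT/IGW for public resolution",
        "subnet NACL allows UDP/TCP 53 to the VPC resolver (VPC CIDR base + 2) and ephemeral return traffic",
        "DHCP options set uses AmazonProvidedDNS rather than a resolver the task cannot reach",
    ),
    "connectivity": (
        "endpoint ENI security group allows inbound TCP 443 from the task security group or subnet CIDR",
        "task security group allows outbound TCP 443",
        "subnet NACL allows TCP 443 out and ephemeral (1024-65535) in",
        "S3 gateway endpoint prefix list is in the subnet route table (image layers come from S3)",
    ),
    "iam": (
        "execution role (not the task role) allows ecr:GetAuthorizationToken, ecr:BatchGetImage, "
        "ecr:GetDownloadUrlForLayer and ecr:BatchCheckLayerAvailability",
        "execution role allows secretsmanager:GetSecretValue and kms:Decrypt on the exact ARNs "
        "(Secrets Manager ARNs end in a random suffix, so match secret:prod/name-* not secret:prod/name)",
        "VPC endpoint policy and the secret's resource policy both allow the execution role",
    ),
}


@dataclass(frozen=True)
class Triage:
    category: str   # "dns", "connectivity", "iam" or "unknown"
    target: str     # hostname or ip:port the agent failed to reach, "" if none
    checks: tuple   # ordered list of things to verify


def triage(message: str) -> Triage:
    """Classify one stoppedReason string. The DNS pattern is tested first
    because a DNS failure message also contains 'dial tcp'."""
    if m := _DNS_FAIL.search(message):
        return Triage("dns", m["host"], CHECKS["dns"])
    if m := _TCP_FAIL.search(message):
        return Triage("connectivity", f'{m["addr"]}:{m["port"]}', CHECKS["connectivity"])
    if _IAM_FAIL.search(message):
        return Triage("iam", "", CHECKS["iam"])
    return Triage("unknown", "", ())


if __name__ == "__main__":
    for msg in (POST_ERROR, CONNECT_ERROR, DENIED_ERROR):
        t = triage(msg)
        print(f"[{t.category}] target={t.target or '-'}")
        for c in t.checks:
            print("  -", c)
```

Run it against `aws ecs describe-tasks ... --query 'tasks[].stoppedReason'` output; for the message in the question it lands in the dns class, which is consistent with the task succeeding in the default VPC and failing only in the module-built one, since DNS reachability is a property of the VPC (attributes, DHCP options, NACLs), not of the role.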

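Separately from the DNS failure, the secretsmanager endpoint policy in the question allows `Principal: *`, `Action: secretsmanager:*`, `Resource: *` with no condition, which turns the endpoint into an open path for any account's principals (the call is still gated by IAM and the secret's resource policy, but the endpoint itself contributes no restriction). The script below is an added example, not the asker's or AWS's code: it lints that policy and emits the scoped-down form using the documented `aws:PrincipalAccount` condition. The account ID and secret ARN are the ones shown in the question; `secret_arn_prefix` is a parameter name chosen here.

```python
"""Lint a VPC endpoint policy for over-broad grants and produce a scoped-down
replacement. Added example, not from the original post. ENDPOINT_POLICY is the
secretsmanager endpoint policy quoted in the question."""
import json

ENDPOINT_POLICY = json.loads("""
{
    "Statement": [
        {
            "Sid": "AccessSpecificAccount",
            "Principal": { "AWS": "*" },
            "Action": "secretsmanager:*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
""")


def _as_list(v):
    """IAM lets Action/Resource/Principal.AWS be a string or a list."""
    return v if isinstance(v, list) else [v]


def _wildcard_principal(p) -> bool:
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))


def lint_endpoint_policy(policy: dict) -> list[str]:
    """One finding per over-broad element of each Allow statement."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if _wildcard_principal(st.get("Principal")) and "Condition" not in st:
            findings.append(f"{sid}: Principal '*' with no Condition lets any AWS account use this endpoint")
        if any(a.endswith(":*") for a in _as_list(st.get("Action", []))):
            findings.append(f"{sid}: Action '<service>:*' grants every API of the service through the endpoint")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"{sid}: Resource '*' covers every secret reachable via the endpoint")
    return findings


def harden_endpoint_policy(account_id: str, secret_arn_prefix: str) -> dict:
    """Scope the endpoint to the owning account, the single call the ECS agent
    needs for registry credentials, and the one secret. Secrets Manager ARNs
    end in a random suffix, so the resource carries a trailing wildcard."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOwnAccountReadRegistrySecret",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn_prefix + "-*",
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


if __name__ == "__main__":
    for f in lint_endpoint_policy(ENDPOINT_POLICY):
        print("FINDING:", f)
    hardened = harden_endpoint_policy(
        "576765093341",
        "arn:aws:secretsmanager:us-west-2:576765093341:secret:prod/ecr-private-registry",
    )
    print(json.dumps(hardened, indent=2))
```

The same suffix caveat applies to the execution-role policy in the question, whose `Resource` names `secret:prod/ecr-private-registry` without the `-XXXXXX` suffix Secrets Manager appends; an IAM `Resource` must match the full ARN, so either paste the complete ARN or use the `-*` form.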
