【Question Title】: Not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken
【Posted】: 2022-07-25 00:13:27
【Question】:

I am new to Terraform and I am trying to deploy a Docker image from AWS ECR to ECS. However, I get the following error. Can someone help me fix this?

ResourceInitializationError: unable to pull secrets or registry auth:
execution resource retrieval failed: unable to retrieve ecr registry
auth: service call has been retried 1 time(s):
AccessDeniedException: User: arn:aws:sts::AccountID:assumed-role/ecsExecution-1/25d077c2af604f4e93feead72a141e3g is not authorized to perform: 
ecr:GetAuthorizationToken on resource: * 
because no identity-based policy allows the 
ecr:GetAuthorizationToken action 
status code: 400, request id: 1a1bee4c-5ab6-4b44-bbf8-5586edea6b3g

Here is my code:

resource "aws_ecs_cluster" "first-cluster" {
  name = "test-docker-deploy"
}

resource "aws_ecs_task_definition" "first-task" {
  family                = "first-task"
  container_definitions = <<TASK_DEFINITION
  [
    {
      "name": "first-task",
      "image": "899696473236.dkr.ecr.us-east-1.amazonaws.com/first-repo:nginx-demo",
      "cpu": 256,
      "memory": 512,
      "essential": true,
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80
        }
      ]
    }
  ]
  TASK_DEFINITION
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = "${aws_iam_role.Execution_Role.arn}"
}

resource "aws_iam_role" "Execution_Role" {
  name               = "ecsExecution-1"
  assume_role_policy = "${data.aws_iam_policy_document.role_policy.json}"
}

data "aws_iam_policy_document" "role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_ecs_service" "first-service" {
  name            = "docker-service"
  cluster         = "${aws_ecs_cluster.first-cluster.id}"
  task_definition = "${aws_ecs_task_definition.first-task.arn}"
  launch_type     = "FARGATE"
  desired_count   = 1

  network_configuration {
    subnets          = ["${aws_default_subnet.subnet-a.id}"]
    assign_public_ip = true
  }
}

resource "aws_default_vpc" "default" {
}

resource "aws_default_subnet" "subnet-a" {
  availability_zone = "us-east-1a"
}

    Tags: amazon-web-services terraform amazon-ecs terraform-provider-aws amazon-ecr


    【Solution 1】:

    Besides having the assume role policy (i.e. the permissions or trust policy), you also need to have an execution policy [1]. The former says that the ECS task can assume the role in the background; the latter says what the ECS task can do once it has assumed that role. So the permissions policy is correct, but you need the following code to make it work (i.e. ecs_task_policy):

    data "aws_iam_policy_document" "ecs_task_policy" {
      statement {
        sid = "EcsTaskPolicy"
    
        actions = [
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage"
        ]
    
        resources = [
          "*" # you could limit this to only the ECR repo you want
        ]
      }
      statement {
    
        actions = [
          "ecr:GetAuthorizationToken"
        ]
    
        resources = [
          "*"
        ]
      }
    
      statement {
    
        actions = [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ]
    
        resources = [
          "*"
        ]
      }
    
    }
    
    resource "aws_iam_role" "Execution_Role" {
      name               = "ecsExecution-1"
      assume_role_policy = data.aws_iam_policy_document.role_policy.json
    
      inline_policy {
        name   = "EcsTaskExecutionPolicy"
        policy = data.aws_iam_policy_document.ecs_task_policy.json
      }
    }
    
    data "aws_iam_policy_document" "role_policy" {
      statement {
        actions = ["sts:AssumeRole"]
    
        principals {
          type        = "Service"
          identifiers = ["ecs-tasks.amazonaws.com"]
        }
      }
    }
    

    Also note that, depending on what is inside the Docker image you use for the task, more AWS permissions may have to be added to the execution policy. The ECR repository access can be limited to the ARN of the ECR repository where the Docker image lives. In theory the logs permissions may not be needed at this point, but if you want to see whether there are any errors, you need to send the logs somewhere. If you need that, you also have to add the logConfiguration section to the task definition [2].


    [1] https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_execution_IAM_role.html

    [2] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html#create_awslogs_loggroups
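As an added example (not code from the question or the answer), the following Python check takes the JSON that a data.aws_iam_policy_document renders and reports two things: which of the ECR actions the execution role needs are not granted at all (the situation in the question), and which pull actions are granted on "*" even though they accept a repository ARN (the tightening the answer suggests). REPO_ARN, the account numbers and both sample policies are constructed for the example.

```python
import json
import re

# Hypothetical ARN of the repository that holds the task's image (constructed).
REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/first-repo"
# What the ECS agent needs via the execution role. GetAuthorizationToken only
# works with Resource "*"; the three pull actions accept a repository ARN.
REQUIRED = {"ecr:GetAuthorizationToken": "*", "ecr:BatchGetImage": REPO_ARN,
            "ecr:BatchCheckLayerAvailability": REPO_ARN, "ecr:GetDownloadUrlForLayer": REPO_ARN}

def _glob(patterns, value, fold_case):
    # IAM wildcards: "*" matches any run of characters, "?" a single one.
    for pattern in patterns if isinstance(patterns, list) else [patterns]:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, re.IGNORECASE if fold_case else 0):
            return True
    return False

def allows(policy, action, resource):
    """Identity-policy decision for one action on one resource: default deny, any matching Allow grants, an explicit Deny always wins."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are matched case-insensitively, ARNs case-sensitively.
        if (_glob(stmt.get("Action", []), action, True)
                and _glob(stmt.get("Resource", []), resource, False)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_pull_permissions(policy_json):
    """Required actions that the rendered policy JSON does not grant."""
    policy = json.loads(policy_json)
    return sorted(a for a, r in REQUIRED.items() if not allows(policy, a, r))

def overbroad_pull_actions(policy_json):
    """Pull actions that would also succeed against a repository in another account, i.e. granted wider than REPO_ARN."""
    policy = json.loads(policy_json)
    probe = "arn:aws:ecr:eu-west-1:000000000000:repository/unrelated"  # constructed
    return sorted(a for a, r in REQUIRED.items() if r != "*" and allows(policy, a, probe))

# Constructed inputs: the question's role carries no permissions policy at all;
# the answer's ecs_task_policy grants the pull actions on "*".
NO_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})
ANSWER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["ecr:GetAuthorizationToken"]}]})
```

Running `missing_pull_permissions(NO_POLICY)` lists all four actions, which is exactly what the AccessDeniedException above complains about; `overbroad_pull_actions(ANSWER_POLICY)` lists the three pull actions that could be pinned to the repository ARN.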

    【Discussion】:
