Problems with cross account ECR permission

1

When trying to interact with an ECR registry, we are running into permission problems. We've been beating our heads on this for some time, and have tried making the permissions as liberal as possible to troubleshoot what the problem is, but to no avail. We believe we're missing something very simple, but do not know what it is. Any suggestions would be appreciated. Below is the policy for our private registry in the web console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Organization-IA-Developers",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::08xxxxxxxxxx:assumed-role/AWSReservedSSO_AWSAdministratorAccess_30xxxxxxxxxxxxxx/user@company.com"
      },
      "Action": "ecr:*",
      "Resource": "arn:aws:ecr:us-east-1:68xxxxxxxxxx:repository/*"
    }
  ]
}

Here is the error message we receive:

Error reading manifest latest in
│ 68xxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/web: denied: User: arn:aws:sts::08xxxxxxxxxx:assumed-role/AWSReservedSSO_AWSAdministratorAccess_30xxxxxxxxxxxxxx/user@company.com is not authorized to
│ perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-east-1:68xxxxxxxxxx:repository/inspire-web because no resource-based policy allows the ecr:BatchGetImage action"
posted 2 years ago, 5090 views
1 Answer
0

Here is how we have set up our ECR permissions in our source account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPullTest",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRoleName"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

Keep in mind that you also need to give your ECS Task Execution Role permissions in your destination account to do a BatchGetImage against this registry like so:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
answered 2 years ago
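The answer above relies on two policies agreeing: a repository policy in the account that owns the registry, and an identity policy on the pulling role in the other account. The following is an added example, not code from the thread or from AWS, that models those two checks offline so the pair can be reviewed before deploying them. It assumes constructed account ids 111111111111 (registry owner) and 222222222222 (task account), a constructed session name, and the role name ecsTaskExecutionRoleName from the answer; the function names (check_cross_account_pull, missing_pull_actions, principal_matches) are this example's own. Two details differ from the answer on purpose: the identity policy scopes the three pull actions to the repository ARN and keeps "*" only for ecr:GetAuthorizationToken, which supports no resource-level restriction; and the principal is the IAM role ARN rather than an STS assumed-role session ARN like the one in the question, because a session ARN as principal matches only that exact session name. The model handles Allow statements only; Deny, Condition, SCPs and permission boundaries are out of scope.

```python
"""Offline model of the two policies a cross-account ECR pull depends on.

Added example, not from the re:Post thread. All account ids, ARNs and
policies are constructed sample data (assumption); nothing calls AWS.
"""
import fnmatch
import json

PULL_ACTIONS = (
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
)


def as_list(value):
    """IAM accepts a single string or a list in Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def principal_matches(principal_arn, caller_arn):
    """Match one AWS principal entry against the calling identity.

    Simplified rule (assumption): an IAM role principal arn:aws:iam::A:role/<path>/R
    matches any session assumed from it, arn:aws:sts::A:assumed-role/R/<session>.
    A principal written as a session ARN matches only that exact session.
    """
    if principal_arn in ("*", caller_arn):
        return True
    p, c = principal_arn.split(":"), caller_arn.split(":")
    if len(p) != 6 or len(c) != 6 or p[4] != c[4]:
        return False  # malformed ARN or a different account
    if p[5].startswith("role/") and c[5].startswith("assumed-role/"):
        return p[5].split("/")[-1] == c[5].split("/")[1]
    return False


def statement_allows(stmt, action, caller_arn=None, resource_arn=None):
    """True if an Allow statement covers the action, principal and resource."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(action_matches(a, action) for a in as_list(stmt.get("Action"))):
        return False
    if caller_arn is not None:  # resource-based policy: a principal must match
        principal = stmt.get("Principal", {})
        entries = ["*"] if principal == "*" else as_list(principal.get("AWS"))
        if not any(principal_matches(e, caller_arn) for e in entries):
            return False
    if resource_arn is not None and "Resource" in stmt:
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in as_list(stmt["Resource"])):
            return False
    return True


def missing_pull_actions(policy, caller_arn=None, resource_arn=None):
    """Pull actions that no Allow statement in `policy` grants."""
    stmts = as_list(policy.get("Statement"))
    return [a for a in PULL_ACTIONS
            if not any(statement_allows(s, a, caller_arn, resource_arn) for s in stmts)]


def check_cross_account_pull(repository_policy, identity_policy, caller_arn, repository_arn):
    """Report what each side still lacks; two empty lists mean the pull is allowed."""
    return {
        "repository_policy": missing_pull_actions(repository_policy, caller_arn, repository_arn),
        "identity_policy": missing_pull_actions(identity_policy, None, repository_arn),
    }


# Constructed sample data: 111111111111 owns the registry, 222222222222 runs the task.
REPOSITORY_ARN = "arn:aws:ecr:us-east-1:111111111111:repository/web"
CALLER_ARN = "arn:aws:sts::222222222222:assumed-role/ecsTaskExecutionRoleName/ecs-task-session"

# Repository policy in the source account, naming the destination role (not a session).
SOURCE_REPOSITORY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCrossAccountPull",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::222222222222:role/ecsTaskExecutionRoleName"]},
        "Action": list(PULL_ACTIONS),
    }],
}

# Identity policy on the destination role, scoped to the one repository.
# ecr:GetAuthorizationToken supports no resource-level restriction, so it keeps "*".
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow", "Action": list(PULL_ACTIONS), "Resource": REPOSITORY_ARN},
    ],
}

# A role that can log in to the registry but was never granted the pull actions.
TASK_ROLE_POLICY_NO_PULL = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"}],
}

if __name__ == "__main__":
    for identity in (TASK_ROLE_POLICY, TASK_ROLE_POLICY_NO_PULL):
        print(json.dumps(check_cross_account_pull(
            SOURCE_REPOSITORY_POLICY, identity, CALLER_ARN, REPOSITORY_ARN), indent=2))
```

Running the script prints an empty report for the scoped role policy and lists all three pull actions under "identity_policy" for the role that only holds ecr:GetAuthorizationToken, which is the shape of the "is not authorized to perform: ecr:BatchGetImage" failure in the question, only raised on the other side. Because the model ignores Deny and Condition, an empty report is a necessary, not a sufficient, condition; the authoritative check remains the AWS API itself.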
