AWS IoT Greengrass ECR Docker deployment: GET_ECR_CREDENTIAL_ERROR

0

Hey there, I tried to deploy a simple Docker image that I previously uploaded to a private repository on ECR on my Raspberry Pi. I uploaded the image using a different user than the one I have saved through access keys on the RPI. However, both users have full access to all ECR services. Now the following error occurred as I tried to deploy the Docker image:

GET_ECR_CREDENTIAL_ERROR: FAILED_NO_STATE_CHANGE: Failed to download artifact name: 'docker:242944196659.dkr.ecr.eu-central-1.amazonaws.com/test_repo:latest' for component com.example.MyPrivateDockerComponent-1.0.0, reason: Failed to get auth token for docker login. Failed to get credentials for ECR registry - 242944196659. User: arn:aws:sts::242944196659:assumed-role/GreengrassV2TokenExchangeRole/82ddfef99dfb0585b238481427e354b015fa33c72fd5cf52a6b5595df294438a is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action (Service: Ecr, Status Code: 400, Request ID: 60278c5f-3049-4b01-b9b8-ac4b54e6cb0c)

It seems to me that somehow my RPI is not authorized to download the private Docker image. Any suggestions how I could solve this issue?

Thanks a lot in advance!

5 Answers
0
AWS
Expert
Greg_B
answered a year ago
0

In the IAM console, find the role GreengrassV2TokenExchangeRole and then add an inline policy with the required permissions.

AWS
Expert
answered a year ago
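
One way to build the inline policy for that role, as an added example (not code from the thread or from AWS): it reads the role name and image URI out of the error message in the question and limits the two image-pull actions to that one repository instead of "*", which goes beyond what the thread itself posts. The function names are hypothetical.

```python
import json
import re

# Excerpt of the error from the question (middle of the message trimmed at "...").
ERROR = (
    "Failed to download artifact name: "
    "'docker:242944196659.dkr.ecr.eu-central-1.amazonaws.com/test_repo:latest' "
    "... User: arn:aws:sts::242944196659:assumed-role/GreengrassV2TokenExchangeRole/"
    "82ddfef99dfb0585b238481427e354b015fa33c72fd5cf52a6b5595df294438a "
    "is not authorized to perform: ecr:GetAuthorizationToken on resource: *"
)

def parse_error(msg):
    """Return (role_name, denied_action, account, region, repository)."""
    role = re.search(r":assumed-role/([^/\s]+)/", msg)
    action = re.search(r"not authorized to perform: (\S+)", msg)
    image = re.search(
        r"docker:(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com/([^:@'\s]+)", msg
    )
    if not (role and action and image):
        raise ValueError("not a Greengrass ECR authorization error")
    return (role.group(1), action.group(1), *image.groups())

def pull_policy(account, region, repository):
    """Pull-only policy for a single ECR repository."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # GetAuthorizationToken cannot be scoped to a repository; it needs "*".
                "Effect": "Allow",
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*",
            },
            {   # The pull actions are restricted to the repository named in the error.
                "Effect": "Allow",
                "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"],
                "Resource": f"arn:aws:ecr:{region}:{account}:repository/{repository}",
            },
        ],
    }

if __name__ == "__main__":
    role, action, account, region, repository = parse_error(ERROR)
    print(f"Inline policy for role {role} (denied action: {action}):")
    print(json.dumps(pull_policy(account, region, repository), indent=2))
```

The printed JSON can be pasted as the inline policy for the role in the IAM console.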
0

Just to clarify: I know that I need to add the following permissions to the user on my RPI, but I already granted it ecr:* so all of these should be included.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
answered a year ago
0

Okay, so apparently I need to add these permissions to the thing group that the IoT Greengrass Core device belongs to. Is that correct? And how do I do this?

answered a year ago
0

There are two things that need to be done:

  1. Add permissions to the role for ECR
  2. Also set the permissions at the ECR repository level

Check and post here again if there is still an issue.

answered a year ago
