Problems with cross account ECR permission

1

When trying to interact with an ECR registry, we are running into permission problems. We've been beating our heads on this for some time, and have tried making the permissions as liberal as possible to troubleshoot what the problem is, but to no avail. We believe we're missing something very simple, but do not know what it is. Any suggestions would be appreciated. Below is the policy for our private registry in the web console.

{
  "Sid": "Organization-IA-Developers",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:sts::08xxxxxxxxxx:assumed-role/AWSReservedSSO_AWSAdministratorAccess_30xxxxxxxxxxxxxx/user@company.com"
  },
  "Action": "ecr:*",
  "Resource": "arn:aws:ecr:us-east-1:68xxxxxxxxxx:repository/*"
}

Here is the error message we receive:

Error reading manifest latest in
68xxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/web: denied: User: arn:aws:sts::08xxxxxxxxxx:assumed-role/AWSReservedSSO_AWSAdministratorAccess_30xxxxxxxxxxxxxx/user@company.com is not authorized to
perform: ecr:BatchGetImage on resource: arn:aws:ecr:us-east-1:68xxxxxxxxxx:repository/inspire-web because no resource-based policy allows the ecr:BatchGetImage action"
Asked 2 years ago, 5092 views
1 answer
0

Here is how we have set up our ECR permissions in our source account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPullTest",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRoleName"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}

Keep in mind that you also need to give your ECS Task Execution Role permissions in your destination account to do a BatchGetImage against this registry like so:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
Answered 2 years ago
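A toy policy evaluator, added here as an illustration and not part of the question or answer: it models the two-sided check the answer describes (an identity policy on the task execution role in the pulling account plus a repository policy in the registry's account) using wildcard matching only, and does not model Deny statements or Condition blocks. The account ids, repository name and role names are constructed placeholders.

```python
import fnmatch

# Constructed placeholder values, not real accounts or roles.
SOURCE_ACCOUNT = "111111111111"        # owns the ECR repository
DEST_ACCOUNT = "222222222222"          # runs the ECS task
REPO_ARN = f"arn:aws:ecr:us-east-1:{SOURCE_ACCOUNT}:repository/web"
TASK_ROLE = f"arn:aws:iam::{DEST_ACCOUNT}:role/ecsTaskExecutionRoleName"

# The answer's repository policy (source account), placeholder filled in.
REPO_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCrossAccountPullTest", "Effect": "Allow",
    "Principal": {"AWS": [TASK_ROLE]},
    "Action": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
               "ecr:GetDownloadUrlForLayer"]}]}

# The answer's identity policy for the task execution role (destination account).
TASK_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
               "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
               "logs:CreateLogStream", "logs:PutLogEvents"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource, principal=None):
    """Simplified Allow-statement match with wildcard Action, Resource and,
    for resource-based policies, Principal.  A repository policy statement
    without a Resource element applies to the repository it is attached to."""
    if stmt.get("Effect") != "Allow":
        return False
    if principal is not None:
        who = stmt.get("Principal", {})
        allowed = ["*"] if who == "*" else _as_list(who.get("AWS", []))
        if not any(fnmatch.fnmatchcase(principal, p) for p in allowed):
            return False
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", resource))
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def cross_account_pull_allowed(repo_policy, role_policy, principal, action, resource):
    """Both halves must allow the call: the caller's identity policy and the
    resource-based policy on the repository in the other account."""
    identity_ok = any(_matches(s, action, resource) for s in role_policy["Statement"])
    resource_ok = any(_matches(s, action, resource, principal) for s in repo_policy["Statement"])
    return identity_ok and resource_ok
```

A principal that the repository policy does not name (such as an SSO session that is not listed) fails the resource half, which is the situation the "no resource-based policy allows" error in the question describes.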
