Can you share a screenshot or information on how the Route 53 hosted zone and record are currently configured for PrivateLink's domain setup? Additionally, I would like to check the security group rules attached to the PrivateLink endpoint.
Hi, thanks for helping. Yes, I have everything set up in CFN, so...

This is one of the private hosted zones (the dkr one, created in the SHARED resources account, where of course the ECR repos live):
```yaml
# Private hosted zone that resolves the dkr endpoint name inside the VPC
# (the endpoint itself has PrivateDnsEnabled: false, so this zone supplies the records).
PrivateHostedZoneEcrDkr:
  Type: "AWS::Route53::HostedZone"
  Properties:
    HostedZoneConfig:
      Comment: "Private hosted zone for ecr dkr vpc endpoint"
    Name: "dkr.ecr.eu-west-1.amazonaws.com"
    VPCs:
      - VPCId: !FindInMap [Environments, !Ref Environment, VPC]
        VPCRegion: !Sub ${AWS::Region}
    HostedZoneTags:
      - Key: ApplicationName
        Value: !Ref ApplicationName
      - Key: Availability
        Value: !Ref Availability
      - Key: ContactPerson
        Value: !Ref ContactPerson
      - Key: Environment
        Value: !Ref Environment
      - Key: Monitor
        Value: !Ref Monitor
      - Key: ProjectName
        Value: !Ref ProjectName
```
The security group rules for the PrivateLink (dkr) endpoint and the PrivateLink setup:
```yaml
# Interface endpoint for the ECR Docker registry (com.amazonaws.<region>.ecr.dkr),
# shared cross-account through the endpoint policy below.
EcrDkrEndpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            AWS:
              - "arn:aws:iam::5*********0:root" # NonPrd
              - "arn:aws:iam::1*********3:root" # Prd
              - !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
            - ecr:BatchGetImage
            - ecr:GetAuthorizationToken
            - ecr:GetDownloadUrlForLayer
            - ecr:BatchCheckLayerAvailability
            - ecr:PutImage
            - ecr:InitiateLayerUpload
            - ecr:UploadLayerPart
            - ecr:CompleteLayerUpload
          Resource:
            - !Sub "arn:aws:ecr:${AWS::Region}:289334807197:repository/*"
    VpcId: !FindInMap [Environments, !Ref Environment, VPC]
    VpcEndpointType: Interface
    # DNS for the endpoint is provided by the private hosted zone above, not by AWS.
    PrivateDnsEnabled: false
    SecurityGroupIds:
      - !GetAtt VPCESecurityGroup.GroupId
    SubnetIds:
      - !Select [0, !FindInMap [Environments, !Ref Environment, PrivateSubnets]]
      - !Select [1, !FindInMap [Environments, !Ref Environment, PrivateSubnets]]
      - !Select [2, !FindInMap [Environments, !Ref Environment, PrivateSubnets]]
    ServiceName:
      Fn::Join:
        - ""
        - - "com.amazonaws."
          - !Ref "AWS::Region"
          - ".ecr.dkr"

# Security group attached to the endpoint ENIs (referenced in SecurityGroupIds above).
# Allows HTTPS in from the VPC CIDR of each environment.
VPCESecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: !Sub "vpc-endpoint-sg-${Environment}"
    GroupDescription: "VPCE endpoint security group"
    VpcId: !FindInMap [Environments, !Ref Environment, VPC]
    SecurityGroupIngress:
      - CidrIp: !FindInMap [Environments, !Ref Environment, CIDR]
        FromPort: 443
        IpProtocol: tcp
        ToPort: 443
      - CidrIp: !FindInMap [Environments, "prd", CIDR]
        FromPort: 443
        IpProtocol: tcp
        ToPort: 443
      - CidrIp: !FindInMap [Environments, "staging", CIDR]
        FromPort: 443
        IpProtocol: tcp
        ToPort: 443
      - CidrIp: !FindInMap [Environments, "qa", CIDR]
        FromPort: 443
        IpProtocol: tcp
        ToPort: 443
```
One more important thing, probably. If I try to do a get-login on an EC2 instance I get this:

```
is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no VPC endpoint policy allows the ecr:GetAuthorizationToken action
```

However, ecr:GetAuthorizationToken is in the policy of the endpoints:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ],
      "Resource": [
        "arn:aws:ecr:eu-west-1:289334807197:repository/*"
      ],
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::5***************0:root",
          "arn:aws:iam::1***************3:root",
          "arn:aws:iam::2***************7:root"
        ]
      }
    }
  ]
}
```
I've tried to add the SG for the Fargate cluster to the VPC endpoints... Still no luck... I'm out of ideas for the moment... So... Anyone?
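The error quoted above names the resource as `*`. That is the key detail: `ecr:GetAuthorizationToken` has no resource-level permissions, so IAM evaluates it against `*`, and an endpoint-policy statement whose `Resource` is only `arn:aws:ecr:...:repository/*` never matches it, no matter that the action is listed. (`get-login` / `get-login-password` also talk to the ECR API, which is served by the `ecr.api` interface endpoint rather than `ecr.dkr`, so it is the policy on that endpoint that gets evaluated for this call.) The following is an added example, not code from the post or from AWS: a small evaluator for the Allow/Principal/Action/Resource logic that the posted policy uses, run against that policy and against a version in which `ecr:GetAuthorizationToken` is moved into its own statement with `Resource: "*"`. The account IDs are constructed placeholders standing in for the masked ones in the post; `allowed` and `split_out_get_authorization_token` are names chosen here.

```python
"""Minimal IAM-style evaluator for the posted VPC endpoint policy (added example).

Models only what the post's policy uses: Allow effect, AWS account/ARN
principals and wildcard Action/Resource.  Deny, Condition, NotAction,
NotResource and service principals are deliberately not handled.
"""
import copy
import re
from typing import Any, Dict, List, Union

JSON = Dict[str, Any]

# Constructed placeholder account IDs standing in for the masked IDs in the post.
NONPRD_ACCOUNT = "111111111111"
PRD_ACCOUNT = "222222222222"
SHARED_ACCOUNT = "333333333333"  # account that owns the ECR repositories
REGION = "eu-west-1"

# The endpoint policy as quoted in the question, with the placeholder IDs.
POSTED_POLICY: JSON = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            f"arn:aws:iam::{NONPRD_ACCOUNT}:root",
            f"arn:aws:iam::{PRD_ACCOUNT}:root",
            f"arn:aws:iam::{SHARED_ACCOUNT}:root",
        ]},
        "Action": [
            "ecr:BatchGetImage", "ecr:GetAuthorizationToken",
            "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability",
            "ecr:PutImage", "ecr:InitiateLayerUpload",
            "ecr:UploadLayerPart", "ecr:CompleteLayerUpload",
        ],
        "Resource": [f"arn:aws:ecr:{REGION}:{SHARED_ACCOUNT}:repository/*"],
    }],
}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_match(patterns: Any, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, flags):
            return True
    return False


def _account_of(arn: str) -> str:
    return arn.split(":")[4]


def _principal_allowed(principal: Any, caller_arn: str) -> bool:
    """A '<account>:root' ARN in a resource policy covers every principal of that account."""
    if principal == "*":
        return True
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    for entry in entries:
        if entry == "*" or entry == caller_arn:
            return True
        if entry.endswith(":root") and _account_of(entry) == _account_of(caller_arn):
            return True
    return False


def allowed(policy: JSON, caller_arn: str, action: str, resource: str) -> bool:
    """True if at least one Allow statement matches principal, action and resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_allowed(stmt.get("Principal"), caller_arn):
            continue
        if not _glob_match(stmt.get("Action"), action, ignore_case=True):
            continue
        if not _glob_match(stmt.get("Resource"), resource):
            continue
        return True
    return False


def split_out_get_authorization_token(policy: JSON) -> JSON:
    """Return a copy where ecr:GetAuthorizationToken gets its own statement with Resource "*".

    IAM evaluates that action against "*" (it has no resource-level permissions), so a
    repository-scoped statement can never match it.  The repository-scoped statement is
    kept unchanged for the pull/push actions, which do support repository ARNs.
    """
    fixed = copy.deepcopy(policy)
    statements: List[JSON] = []
    for stmt in fixed["Statement"]:
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Allow" and "ecr:GetAuthorizationToken" in actions:
            stmt["Action"] = [a for a in actions if a != "ecr:GetAuthorizationToken"]
            statements.append({
                "Effect": "Allow",
                "Principal": copy.deepcopy(stmt["Principal"]),
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*",
            })
        statements.append(stmt)
    fixed["Statement"] = statements
    return fixed
```

Running `allowed(POSTED_POLICY, caller, "ecr:GetAuthorizationToken", "*")` for a role in one of the listed accounts returns `False`, reproducing the error in the post, while the same call against `split_out_get_authorization_token(POSTED_POLICY)` returns `True`; the pull and push actions stay scoped to the repository ARNs in both versions. The same split applies to the `PolicyDocument` in the CloudFormation endpoint resource, and it is the `ecr.api` endpoint's policy that the token call is checked against.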