AWS ECS Fargate pull image from a cross account ECR repo


Question

I have 2 AWS accounts:
- account A that has an ECR repo.
- account B that has an ECS cluster running Fargate.

I have created a "cross-account" role in account A with a trust relationship to account B, and I have also attached the "AmazonEC2ContainerRegistryPowerUser" policy to this role.

I gave access to the ECR repository in account A by adding account B's ID and the "cross-account" role to the repository policy.

I attached a policy to the Fargate "TaskExecutionRole" allowing Fargate to assume the "cross-account" role.

When trying to deploy a Fargate task in account B with a reference to an image in account A, I'm getting a 500 error.

Answer

Fargate will not automatically assume a cross-account role. Fortunately, you do not need to assume a role in another account in order to pull images from that account's ECR repository.

To enable cross-account access to an image in ECR, add access for account B in account A's repository (by setting the repository policy), and then specify a TaskExecutionRole in account B that has permissions to pull from ECR ("ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability").

For example, set a repository policy on the repository in account A like the following:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_B_ID:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage"
      ]
    }
  ]
}

Then, set your TaskExecutionRole in account B to have a policy like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}

Alternatively, you can use the managed policy AmazonECSTaskExecutionRolePolicy for your TaskExecutionRole instead of defining your own.
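The answer above splits the permissions across two documents: the resource policy on the repository in account A (which must name account B as a principal) and the identity policy on the task execution role in account B (which is the only place "ecr:GetAuthorizationToken" can be granted, since it is not repository-scoped). The following is an added example, not code from the answer or from AWS: a small offline checker that takes both policy documents and reports which required pull actions are missing from which side. The account IDs and the `check_cross_account_pull` helper are constructed for the example; the checker intentionally ignores Deny statements, Conditions and NotAction.

```python
# Added example: offline consistency check of the two policies the answer describes.
REQUIRED_PULL_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                         "ecr:BatchCheckLayerAvailability"}
AUTH_ACTION = "ecr:GetAuthorizationToken"  # account-level; only the role policy can grant it


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _allowed_actions(policy, principal_ok):
    """Actions from Allow statements whose Principal passes principal_ok.
    Deliberately simple: no Deny/Condition/NotAction; wildcards only for '*' and 'ecr:*'."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_ok(stmt):
            continue
        for action in _as_list(stmt.get("Action", [])):
            actions |= (REQUIRED_PULL_ACTIONS | {AUTH_ACTION}) if action in ("*", "ecr:*") else {action}
    return actions


def check_cross_account_pull(repo_policy, exec_role_policy, account_b_id):
    """Return a list of problems; an empty list means account B's task execution role
    and account A's repository policy together allow the image pull."""
    def repo_principal_ok(stmt):
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        return any(p == "*" or f":{account_b_id}:" in p for p in aws)  # matches arn:aws:iam::<id>:root

    problems = []
    missing_repo = REQUIRED_PULL_ACTIONS - _allowed_actions(repo_policy, repo_principal_ok)
    if missing_repo:
        problems.append(f"repository policy does not grant account {account_b_id}: {sorted(missing_repo)}")
    # An identity policy on the role has no Principal element, so every statement applies.
    missing_role = (REQUIRED_PULL_ACTIONS | {AUTH_ACTION}) - _allowed_actions(exec_role_policy, lambda _: True)
    if missing_role:
        problems.append(f"task execution role is missing: {sorted(missing_role)}")
    return problems


# Constructed sample policies mirroring the answer (placeholder account id 222222222222).
REPO_POLICY = {"Version": "2008-10-17", "Statement": [{"Sid": "AllowCrossAccountPull", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": sorted(REQUIRED_PULL_ACTIONS)}]}
EXEC_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": [AUTH_ACTION] + sorted(REQUIRED_PULL_ACTIONS), "Resource": "*"}]}
# Same role policy without GetAuthorizationToken: the registry login step would fail.
BROKEN_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": sorted(REQUIRED_PULL_ACTIONS), "Resource": "*"}]}
```

Run `check_cross_account_pull(REPO_POLICY, BROKEN_ROLE_POLICY, "222222222222")` to see the missing-action report; the complete pair returns an empty list.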
