AWS ECS Fargate pull image from a cross account ECR repo
Question
I have 2 AWS accounts:
- account A that has an ECR repo.
- account B that has an ECS cluster running Fargate.
I have created a "cross-account" role in account A with trust relations to account B, also I have attached the "AmazonEC2ContainerRegistryPowerUser" policy to this role.
I gave access to the ECR repository in account A by adding account B's id and the "cross-account" role to the repository policy.
I attached a policy to the Fargate "TaskExecutionRole" allowing Fargate to assume the "cross-account" role.
When trying to deploy a Fargate task in account B with a reference to an image in account A I'm getting a 500 error.
Answer
Fargate will not automatically assume a cross-account role. Fortunately, you do not need to assume a role in another account in order to pull images from that account's ECR repository.
To enable cross-account access to an image in ECR, add access for account B in account A's repository (by setting the repository policy), and then specify a TaskExecutionRole in account B that has permissions to pull from ECR ("ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability").
For example, set a repository policy on the repository in account A like the following:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_B_ID:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage"
      ]
    }
  ]
}
Then, set your TaskExecutionRole in account B to have a policy like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
Alternately, you can use the managed policy AmazonECSTaskExecutionRolePolicy for your TaskExecutionRole instead of defining your own.
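As an added example (not part of the question or the answer), a small Python checker for the two policies the answer lays out: it reports which of the pull actions the repository policy in account A fails to grant to the account B principal, and which actions the execution role policy in account B still lacks. The account ID and both embedded policies are constructed placeholders mirroring the JSON above.

```python
import json
from fnmatch import fnmatch
# Actions the answer names for pulling an image; GetAuthorizationToken is needed
# only on the execution role in account B (it is not scoped to a repository).
PULL_ACTIONS = {"ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"}
EXEC_ROLE_ACTIONS = PULL_ACTIONS | {"ecr:GetAuthorizationToken"}

# Constructed samples mirroring the two policies above; the account ID is a placeholder.
ACCOUNT_B_ROOT = "arn:aws:iam::222222222222:root"
REPO_POLICY = json.loads('{"Version": "2008-10-17", "Statement": [{"Sid": "AllowCrossAccountPull",'
    ' "Effect": "Allow", "Principal": {"AWS": "' + ACCOUNT_B_ROOT + '"}, "Action":'
    ' ["ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage"]}]}')
EXEC_ROLE_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
    ' "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",'
    ' "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"], "Resource": "*"}]}')

def _as_list(value):
    """IAM accepts a string or a list for Principal.AWS and Action; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _grants_principal(statement, principal_arn):
    """True if Principal is "*", {"AWS": "*"}, or lists principal_arn explicitly."""
    principal = statement.get("Principal", {})
    aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return "*" in aws or principal_arn in aws

def allowed_actions(policy, principal_arn=None):
    """Union of Action values in Allow statements; with principal_arn, only statements granting it."""
    actions = set()
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if principal_arn is not None and not _grants_principal(statement, principal_arn):
            continue
        actions.update(_as_list(statement.get("Action", [])))
    return actions

def _uncovered(required, granted):
    """Required actions not matched by any granted action (wildcards such as ecr:* count)."""
    return {a for a in required if not any(fnmatch(a, g) for g in granted)}

def missing_repo_permissions(repo_policy, principal_arn):
    """Pull actions the account A repository policy fails to grant to principal_arn."""
    return _uncovered(PULL_ACTIONS, allowed_actions(repo_policy, principal_arn))

def missing_exec_role_permissions(role_policy):
    """Actions the account B task execution role policy still lacks."""
    return _uncovered(EXEC_ROLE_ACTIONS, allowed_actions(role_policy))
```

Passing the execution role's ARN instead of the account root as principal_arn lets you verify a repository policy that is scoped more tightly than the answer's example.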