How do I get a Docker Swarm manager to pull images from AWS ECR using IAM Role permissions?


Question

I'm having trouble pulling images from AWS ECR, running Docker Swarm. It's been working ok for years, but my swarm manager nodes were changed to new EC2 instances. Now my services fail to deploy:

~ $ docker stack deploy -c dkr_compose_geo_site:3.2.0 --with-registry-auth geo_stack

The manager node log shows "no basic auth credentials":

May 19 21:21:12 ip-172-31-3-108 root: time="2020-05-19T21:21:12.857007050Z" level=error msg="pulling image failed" error="Get https://445523.dkr.ecr.us-west-2.amazonaws.com/v2/geo_site/manifests/sha256:da5820742cd0ecd52e3a2c61179a039ce80996564604b70465e3966087380a09: no basic auth credentials" module=node/agent/taskmanager node.id=eix8c6orbunemismg03ib1rih service.id=smilb788pets7y5rgbu3aze9l task.id=zd3ozdpr9exphwlz318pa9lpe 
May 19 21:21:12 ip-172-31-3-108 root: time="2020-05-19T21:21:12.857701347Z" level=error msg="fatal task error" error="No such image: 445523.dkr.ecr.us-west-2.amazonaws.com/geo_site@sha256:da5820742cd0ecd52e3a2c61179a039ce80996564604b70465e3966087380a09" module=node/agent/taskmanager node.id=eix8c6orbunemismg03ib1rih service.id=smilb788pets7y5rgbu3aze9l task.id=zd3ozdpr9exphwlz318pa9lpe 

This manager node is running on an EC2 Instance with an IAM Role; the IAM Role has an ECR policy that appears to grant permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

From reading the AWS/Docker docs, I thought docker commands run on a manager node should adopt the Instance IAM Role and access the ECR repo using the associated policy permissions. It's always seemed to work that way, but now it's looking like there might have been some config file hidden on the old manager node; I'm on a new instance and it doesn't work. I don't run an AWS-CLI on these manager nodes, so there's no aws ecr get-login to login manually. How do I get this new manager node to authenticate with ECR?

Thanks!

Accepted answer

My solution, based on a comment by Luigi Lopez and the amazon-ecr-credential-helper:

The AWS IAM Role allows authentication, but the docker cli must still present credentials to the ECR, as Luigi pointed out in his comment.

This is a Docker Swarm implementation, with nodes running the Alpine OS. There is an aws-cli package available for Alpine, but the installation took a lot of fussing around and in the end the binary crashed anyway.

The Amazon ECR Credential Helper is a better long-term solution in any case because you don't need to get new tokens every 12 hours or set up a proxy server, etc. It uses the recommended IAM Role authentication, with no credentials stored on the machine or leaking into log files.

So under Alpine I followed the instructions in the link above to build from sources. I installed go, git, and make, and then built the credential-helper as described. I set up the PATH as described, created a config file, and then my deployment worked. There's no docker login required.
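The steps the answer lists, written out as an added example for an Alpine manager node (this is not code from the original answer or from the amazon-ecr-credential-helper project). It installs the helper, writes a Docker client config that routes only the one ECR registry through `docker-credential-ecr-login`, and checks that the helper can mint a credential through the instance IAM role. Assumed rather than taken from the page: the `go install` module path for the helper, the placeholder account id and region, and that Docker reads `$HOME/.docker/config.json` for the user that runs `docker stack deploy`.

```shell
#!/bin/sh
# Added example: set up amazon-ecr-credential-helper on an Alpine swarm manager
# so `docker stack deploy --with-registry-auth` can pull from ECR using the
# EC2 instance role, with no `docker login` and no stored secrets.
# Assumption (not from the page): the helper is fetched with `go install`.
HELPER_MODULE="github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@latest"

# Build the registry hostname that Docker uses as the credHelpers key.
ecr_registry_host() {
    # $1 = AWS account id, $2 = region
    printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Write a minimal config.json that routes ONLY the given ECR registry through
# docker-credential-ecr-login. credHelpers keyed by host is preferred over a
# global "credsStore" so pulls from Docker Hub or other registries are untouched.
# Note: this overwrites an existing config.json at that path.
write_docker_creds_config() {
    # $1 = path to config.json, $2 = registry host
    mkdir -p "$(dirname "$1")"
    # The file may later hold other registry auths; keep it owner-readable only.
    (umask 077; printf '{\n  "credHelpers": {\n    "%s": "ecr-login"\n  }\n}\n' "$2" > "$1")
}

# Exit 0 if the config routes the registry through ecr-login, 1 otherwise.
config_routes_registry() {
    # $1 = path to config.json, $2 = registry host
    grep -q "\"$2\": \"ecr-login\"" "$1"
}

# Install the helper on Alpine: toolchain first, then the Go binary.
# Needs root (or doas/sudo) for apk; run once per manager node.
install_ecr_helper() {
    apk add --no-cache go git make
    go install "$HELPER_MODULE"
    # go install drops the binary in $(go env GOPATH)/bin; Docker finds it via PATH.
    export PATH="$PATH:$(go env GOPATH)/bin"
    command -v docker-credential-ecr-login >/dev/null
}

# Exercise the IAM role path: the credential-helper protocol reads the server
# URL on stdin and prints a JSON credential if ecr:GetAuthorizationToken is
# allowed for the instance role. A failure here points at the role or the
# instance metadata service, not at Docker.
verify_helper() {
    # $1 = registry host
    printf '%s\n' "$1" | docker-credential-ecr-login get >/dev/null
}

# Usage: sh ecr-helper-setup.sh <account-id> <region> [install]
# Placeholder values for a real node: sh ecr-helper-setup.sh 123456789012 us-west-2 install
if [ $# -ge 2 ]; then
    REGISTRY="$(ecr_registry_host "$1" "$2")"
    [ "${3:-}" = "install" ] && install_ecr_helper
    write_docker_creds_config "$HOME/.docker/config.json" "$REGISTRY"
    verify_helper "$REGISTRY" && echo "ECR auth OK for $REGISTRY"
fi
```

Keying `credHelpers` to the registry host keeps the helper out of the path for every other registry, which is the least-privilege shape of the config; a bare `"credsStore": "ecr-login"` would send all registry lookups through it. With `--with-registry-auth` the manager forwards the credential it resolves at deploy time to the workers, so the IAM role only has to be present on the manager that runs the deploy.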
