如何在 ECS(容器存储)上验证 AWS EBS(Beanstalk)? AccessDeniedException
Posted
技术标签:
【中文标题】如何在 ECS(容器存储)上验证 AWS EBS(Beanstalk)? AccessDeniedException【英文标题】:How to authenticate AWS EBS (Beanstalk) on ECS (Container Storage)? AccessDeniedException 【发布时间】:2021-02-15 20:15:52 【问题描述】:我是使用 AWS EBS 和 ECS 的新手,所以如果我提出一个对其他人来说可能很明显的问题,请原谅我。问题:
我在同一个 AWS 云区域中配置了 EBS 和 ECS。我已经推送了我的容器,并且可以在 ECS 中看到图像。 EBS 环境已使用指向 ECS 的Dockerrun.aws.json 构建。在构建 EBS 期间,我收到以下错误:
2020/11/02 20:50:25.858567 [INFO] authenticate with ECR if the image is in an ECR repo
2020/11/02 20:50:25.858582 [INFO] Running command /bin/sh -c aws ecr get-login --no-include-email --registry-ids 731178912345 --region eu-west-1
2020/11/02 20:50:28.355911 [ERROR] An error occurred during execution of command [app-deploy] - [Docker Specific Build Application]. Stop running the command. Error: failed to authenticate with ECR for registry 731178912XXX in eu-west-1: Command /bin/sh -c aws ecr get-login --no-include-email --registry-ids 731178912XXX --region eu-west-1 failed with error exit status 255. Stderr:
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:sts::731178912XXX:assumed-role/aws-elasticbeanstalk-ec2-role/i-0bff9b5324348ea71 is not authorized to perform: ecr:GetAuthorizationToken on resource: *
我在某处读到该身份会自动传入以处理身份验证。我找不到任何有关如何解决该问题的指示。也许有人可以帮助我?
添加所讨论的权限后,我得到了这些:
2020/11/03 09:17:46.490399 [INFO] pull docker image if update is not false in Dockerrun.aws.json
2020/11/03 09:17:46.490431 [INFO] Running command /bin/sh -c docker pull 731178912XXX.dkr.ecr.eu-west-1.amazonaws.com/user/project:latest
2020/11/03 09:17:46.576648 [WARN] failed to execute command: docker pull 731178912XXX.dkr.ecr.eu-west-1.amazonaws.com/user/project:latest, retrying...
2020/11/03 09:17:46.576673 [INFO] Running command /bin/sh -c docker pull 731178912XXX.dkr.ecr.eu-west-1.amazonaws.com/user/project:latest
2020/11/03 09:17:46.659379 [ERROR] An error occurred during execution of command [app-deploy] - [Docker Specific Build Application]. Stop running the command. Error: failed to pull docker image: Command /bin/sh -c docker pull 731178912XXX.dkr.ecr.eu-west-1.amazonaws.com/user/project:latest failed with error exit status 1. Stderr:Error response from daemon: pull access denied for 731178912XXX.dkr.ecr.eu-west-1.amazonaws.com/user/project, repository does not exist or may require 'docker login': denied: User: arn:aws:sts::731178912XXX:assumed-role/aws-elasticbeanstalk-ec2-role/i-0aa453e0d44cdfa90 is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:eu-west-1:731178912XXX:repository/user/project
【问题讨论】:
【参考方案1】:您的aws-elasticbeanstalk-ec2-role 实例角色无权执行ecr:GetAuthorizationToken。
您可以通过将inline policy 添加到aws-elasticbeanstalk-ec2-role 角色来解决此问题:
"Version": "2012-10-17",
"Statement": [
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
]
请注意,在此之后可能需要更多权限。你可以用同样的方法添加它们。
【讨论】:
感谢您的回复。我究竟会在哪里添加这个?在Dockerrun.aws.json 或其他地方?
@spekulatius 转到 IAM 控制台 -> 角色并搜索 aws-elasticbeanstalk-ec2-role。在那里你可以选择Add inline policy。
这使它向前移动了一点:我添加了权限并重建了环境。它仍然无法提取容器映像 - 这次出现不同的错误消息。关于@Marcin可能是什么原因的任何想法?
@spekulatius 正如我在答案中所写,您可能需要添加更多权限。这次:ecr:BatchGetImage。不知道需要多少。只需随时添加即可。
谢谢你,Marcin,查看日志,我发现又缺少一个权限。添加后它也起作用了!感谢您的帮助!以上是关于如何在 ECS(容器存储)上验证 AWS EBS(Beanstalk)? AccessDeniedException的主要内容,如果未能解决你的问题,请参考以下文章