无法验证 EC2 实例上的 AWS ECR 存储库

问题描述 投票:0回答:1

我已经为 EC2 实例创建了一个 IAM 角色,该角色拥有验证和拉取 AWS ECR 映像所需的所有权限,但每次我尝试进行身份验证时,都会显示以下错误:

调用 GetAuthorizationToken 操作时发生错误 (AccessDeniedException):用户:arn:aws:sts::1224**:assumed-role/deshtestrole11/i-0462b0f*4 无权执行:资源上的 ecr:GetAuthorizationToken:* 因为没有基于身份的策略允许 ecr:GetAuthorizationToken 操作"

这是我的 IAM 政策:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:CompleteLayerUpload",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:ecr:us-east-1:12243*****:repository/d***testecr"
        }
    ]
}

由于我允许“ecr:GetAuthorizationToken”操作,可能会出现什么问题。

amazon-web-services amazon-ec2 amazon-iam amazon-ecr aws-iam-policy
1个回答
0
投票

ecr:GetAuthorizationToken
是一项全局操作,需要访问所有 ECR 资源(而不是特定存储库)

{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:BatchGetImage",
                    "ecr:CompleteLayerUpload",
                    "ecr:InitiateLayerUpload",
                    "ecr:PutImage",
                    "ecr:UploadLayerPart",
                    "iam:PassRole"
                ],
                "Resource": "arn:aws:ecr:us-east-1:12243*****:repository/d***testecr"
            },
            {
                "Effect": "Allow",
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*"
            }
        ]
    }

此更改将能够验证 

AWS ECR
实例上的 
EC2
存储库

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.