我已经为 EC2 实例创建了一个 IAM 角色,该角色拥有验证和拉取 AWS ECR 映像所需的所有权限,但每次我尝试进行身份验证时,都会显示以下错误:
“调用 GetAuthorizationToken 操作时发生错误 (AccessDeniedException):用户:arn:aws:sts::1224**:assumed-role/deshtestrole11/i-0462b0f*4 无权执行:资源上的 ecr:GetAuthorizationToken:* 因为没有基于身份的策略允许 ecr:GetAuthorizationToken 操作"
这是我的 IAM 政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"ecr:CompleteLayerUpload",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
"iam:PassRole"
],
"Resource": "arn:aws:ecr:us-east-1:12243*****:repository/d***testecr"
}
]
}
由于我允许“ecr:GetAuthorizationToken”操作,可能会出现什么问题。
ecr:GetAuthorizationToken
是一项全局操作,需要访问所有 ECR 资源(而不是特定存储库)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
"iam:PassRole"
],
"Resource": "arn:aws:ecr:us-east-1:12243*****:repository/d***testecr"
},
{
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
}
]
}
此更改将能够验证
AWS ECR
实例上的 EC2
存储库