
Not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows ecr:GetAuthorizationToken

Stack Overflow user
Asked on 2022-07-23 14:13:13
Answers: 1 | Views: 1.4K | Followers: 0 | Score: 2

I'm new to Terraform and I'm trying to deploy a Docker image from AWS ECR to ECS. However, I get the following error. Can anyone help with this?

```text
ResourceInitializationError: unable to pull secrets or registry auth:
execution resource retrieval failed: unable to retrieve ecr registry
auth: service call has been retried 1 time(s):
AccessDeniedException: User: arn:aws:sts::AccountID:assumed-role/ecsExecution-1/25d077c2af604f4e93feead72a141e3g is not authorized to perform: 
ecr:GetAuthorizationToken on resource: * 
because no identity-based policy allows the 
ecr:GetAuthorizationToken action 
status code: 400, request id: 1a1bee4c-5ab6-4b44-bbf8-5586edea6b3g*
```

Here is my code:

```terraform
resource "aws_ecs_cluster" "first-cluster" {
  name = "test-docker-deploy"
}

resource "aws_ecs_task_definition" "first-task" {
  family                = "first-task"
  container_definitions = <<-TASK_DEFINITION
  [
    {
      "name": "first-task",
      "image": "899696473236.dkr.ecr.us-east-1.amazonaws.com/first-repo:nginx-demo",
      "cpu": 256,
      "memory": 512,
      "essential": true,
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80
        }
      ]
    }
  ]
  TASK_DEFINITION
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = aws_iam_role.Execution_Role.arn
}

# Execution role: only a trust policy is attached here, no permissions policy
resource "aws_iam_role" "Execution_Role" {
  name               = "ecsExecution-1"
  assume_role_policy = data.aws_iam_policy_document.role_policy.json
}

# Trust policy: lets the ECS tasks service assume the role
data "aws_iam_policy_document" "role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_ecs_service" "first-service" {
  name            = "docker-service"
  cluster         = aws_ecs_cluster.first-cluster.id
  task_definition = aws_ecs_task_definition.first-task.arn
  launch_type     = "FARGATE"
  desired_count   = 1

  network_configuration {
    subnets          = [aws_default_subnet.subnet-a.id]
    assign_public_ip = true
  }
}

resource "aws_default_vpc" "default" {
}

resource "aws_default_subnet" "subnet-a" {
  availability_zone = "us-east-1a"
}
```

1 answer

Stack Overflow user

Posted on 2022-07-23 16:53:28

In addition to the assume-role policy (i.e. the permissions or trust policy), you also need an execution policy. The former says that ECS tasks are allowed to assume the role behind the scenes; the latter says what the ECS task is allowed to do once it has assumed the role. So your permissions policy is correct, but you need the following for it to work (i.e. ecs_task_policy):

```terraform
data "aws_iam_policy_document" "ecs_task_policy" {
  statement {
    sid = "EcsTaskPolicy"

    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage"
    ]

    resources = [
      "*" # you could limit this to only the ECR repo you want
    ]
  }

  statement {
    actions = [
      "ecr:GetAuthorizationToken"
    ]

    resources = [
      "*"
    ]
  }

  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]

    resources = [
      "*"
    ]
  }
}

resource "aws_iam_role" "Execution_Role" {
  name               = "ecsExecution-1"
  assume_role_policy = data.aws_iam_policy_document.role_policy.json

  # Permissions policy: what the task may do once it has assumed the role
  inline_policy {
    name   = "EcsTaskExecutionPolicy"
    policy = data.aws_iam_policy_document.ecs_task_policy.json
  }
}

data "aws_iam_policy_document" "role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}
```

Also note that, depending on what is in the Docker image used for the task, you may need to add more AWS permissions to the execution policy. The ECR repo access can be restricted to the ARN of the ECR repo the Docker image lives in. In theory the log permissions may not be needed at this point, but if you want to see whether there are any errors, you will need to send the logs somewhere. If so, you also have to add a logConfiguration section to the task definition.

Score: 2
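The answer's last paragraph suggests tightening the wildcard resources and wiring up logging. The following is an added example (not from the original post or the answerer) that scopes the pull and log permissions to one repository and one log group; it assumes an existing ECR repository named `first-repo`, the `Execution_Role` and `role_policy` from the question, AWS provider v4 or later (log group ARN without a trailing `:*`), and a placeholder log group name.

```terraform
# Added example: least-privilege execution policy for the task in the question.
# Assumes the ECR repository "first-repo" already exists in the account.
data "aws_ecr_repository" "app" {
  name = "first-repo"
}

# Placeholder log group; name it to match the task's logConfiguration below.
resource "aws_cloudwatch_log_group" "first_task" {
  name              = "/ecs/first-task"
  retention_in_days = 14
}

data "aws_iam_policy_document" "ecs_task_policy_scoped" {
  # GetAuthorizationToken does not support resource-level permissions,
  # so "*" is the only valid resource for this action.
  statement {
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # Image pulls limited to the single repository the task definition references.
  statement {
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]
    resources = [data.aws_ecr_repository.app.arn]
  }

  # Log writes limited to the task's own log group and its streams; the group is
  # created by Terraform above, so logs:CreateLogGroup is not needed at runtime.
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.first_task.arn}:*"]
  }
}

# Attached as a standalone role policy (works on provider versions where
# inline_policy is deprecated); references the question's Execution_Role.
resource "aws_iam_role_policy" "execution" {
  name   = "EcsTaskExecutionPolicy"
  role   = aws_iam_role.Execution_Role.id
  policy = data.aws_iam_policy_document.ecs_task_policy_scoped.json
}

# The matching logConfiguration to add inside the container definition JSON:
#   "logConfiguration": {
#     "logDriver": "awslogs",
#     "options": { "awslogs-group": "/ecs/first-task",
#                  "awslogs-region": "us-east-1", "awslogs-stream-prefix": "ecs" } }
```

After `terraform apply`, a pull from any other repository in the account is denied with the same AccessDeniedException as in the question, which is the intended effect of the scoped resource.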
Page content provided by Stack Overflow. Translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/73091453