AWS CodeBuild 由于权限问题无法拉取镜像。

huangapple go评论68阅读模式
英文:

AWS CodeBuild Unable to pull image due to permission issue

问题

以下是翻译好的部分:

The message on AWS CodeBuild is:
AWS CodeBuild上的消息是:

Unable to pull customer's container image. CannotPullContainerError: Error response from daemon: pull access denied for .dkr.ecr.us-east-1.amazonaws.com/my-ecr, repository does not exist or may require 'docker login': denied: User: CodeBuild
无法拉取客户的容器镜像。CannotPullContainerError:来自守护程序的错误响应:无法拉取.dkr.ecr.us-east-1.amazonaws.com/my-ecr的访问权限被拒绝,存储库不存在或可能需要 'docker login':拒绝访问:用户:CodeBuild

I'm trying use a docker image to build and deploy some AWS lambdas. The code would work and has worked when IAM cooperates. I don't understand the message as I have no user "CodeBuild". I would have thought it would assume the service role I specified "arn:aws:iam:::role/service-role/codebuild-service-role".
我正在尝试使用Docker镜像构建和部署一些AWS Lambda函数。当IAM协作时,代码会工作,并且以前也有过。我不理解这条消息,因为我没有用户"CodeBuild"。我原以为它会采用我指定的服务角色"arn:aws:iam:::role/service-role/codebuild-service-role"。

My ECR is a private registry and I'm able to pull, build and deploy from it using the CLI under my users access key and after I do the docker login command given from AWS. The ECR registry .dkr.ecr.us-east-1.amazonaws.com/my-ecr does exist.
我的ECR是一个私有注册表,我可以使用CLI在我的用户访问密钥下从中拉取、构建和部署,并在执行AWS提供的docker login命令之后。ECR注册表.dkr.ecr.us-east-1.amazonaws.com/my-ecr确实存在。

When I gave everyone full access to my ECR using this policy:
当我使用以下策略为所有人提供对我的ECR的完全访问权限时:

{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowAllAccess",
"Effect": "Allow",
"Principal": "",
"Action": "
"
}
]
}
建筑工作得很完美。

However, when I try to restrict it as :
然而,当我尝试将其限制为:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCompleteReadAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:::role/service-role/codebuild-service-role"
},
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:BatchGetRepositoryScanningConfiguration",
"ecr:DescribeImageReplicationStatus",
"ecr:DescribeImageScanFindings",
"ecr:DescribeImages",
"ecr:DescribePullThroughCacheRules",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetRegistryPolicy",
"ecr:GetRegistryScanningConfiguration",
"ecr:GetRepositoryPolicy",
"ecr:ListImages"
]
}
]
}
不再起作用。

I'm still learning IAM. Grammatically, I thought the principal was the entity or thing being granted the access. However, it sometimes seems to refer to the thing that access will be granted. Think of this like nouns in a sentence. Bob gives Dave the ball. The principal could be Bob or it could be Dave. It's not clear which in these cases.
我仍在学习IAM。从语法上讲,我原以为主体是被授予权限的实体或事物。然而,有时它似乎指的是将被授予权限的事物。可以将其类比为句子中的名词。Bob将球给了Dave。主体可以是Bob,也可以是Dave。在这些情况下不太清楚。

I believe I can confidently say, both my ECR and my AWS CodeBuild project need permissions set. I cannot just give the CodeBuild project solely by changing the permission there. I need to also set it in the ECR.
我相信我可以自信地说,我的ECR和AWS CodeBuild项目都需要设置权限。我不能仅仅通过在那里更改权限来仅给予CodeBuild项目。我还需要在ECR中设置它。

What I do not know is how to refer to the CodeBuild project in the ECR policy statement, especially since it's using some undefined user CodeBuild that may or may not be assuming a role, but it doesn't say which one.
我不知道的是如何在ECR策略声明中引用CodeBuild项目,尤其是因为它正在使用一些未定义的用户CodeBuild,可能或可能没有承担角色,但没有说明是哪一个。

英文:

The message on AWS Code Build is:
Unable to pull customer's container image. CannotPullContainerError: Error response from daemon: pull access denied for <myacct>.dkr.ecr.us-east-1.amazonaws.com/my-ecr, repository does not exist or may require 'docker login': denied: User: CodeBuild

I'm trying use a docker image to build and deploy some AWS lambdas. The code would work and has worked when IAM cooperates. I don't understand the message as I have no user "CodeBuild". I would have thought it would assume the service role I specified "arn:aws:iam::<myacct>:role/service-role/codebuild-service-role".

My ECR is a private registry and I'm able to pull, build and deploy from it using the CLI under my users access key and after I do the docker login command given from AWS. The ECR registry <myacct>.dkr.ecr.us-east-1.amazonaws.com/my-ecr does exist.

When I gave everyone full access to my ECR using this policy:

{
  &quot;Version&quot;: &quot;2008-10-17&quot;,
  &quot;Statement&quot;: [
    {
      &quot;Sid&quot;: &quot;AllowAllAccess&quot;,
      &quot;Effect&quot;: &quot;Allow&quot;,
      &quot;Principal&quot;: &quot;*&quot;,
      &quot;Action&quot;: &quot;*&quot;
    }
  ]
}

the build worked perfectly.

However, when I try to restrict it as :

{
  &quot;Version&quot;: &quot;2012-10-17&quot;,
  &quot;Statement&quot;: [
    {
      &quot;Sid&quot;: &quot;AllowCompleteReadAccess&quot;,
      &quot;Effect&quot;: &quot;Allow&quot;,
      &quot;Principal&quot;: {
        &quot;AWS&quot;: &quot;arn:aws:iam::&lt;myacct&gt;:role/service-role/codebuild-service-role&quot;
      },
      &quot;Action&quot;: [
        &quot;ecr:BatchCheckLayerAvailability&quot;,
        &quot;ecr:BatchGetImage&quot;,
        &quot;ecr:BatchGetRepositoryScanningConfiguration&quot;,
        &quot;ecr:DescribeImageReplicationStatus&quot;,
        &quot;ecr:DescribeImageScanFindings&quot;,
        &quot;ecr:DescribeImages&quot;,
        &quot;ecr:DescribePullThroughCacheRules&quot;,
        &quot;ecr:DescribeRepositories&quot;,
        &quot;ecr:GetAuthorizationToken&quot;,
        &quot;ecr:GetDownloadUrlForLayer&quot;,
        &quot;ecr:GetLifecyclePolicy&quot;,
        &quot;ecr:GetLifecyclePolicyPreview&quot;,
        &quot;ecr:GetRegistryPolicy&quot;,
        &quot;ecr:GetRegistryScanningConfiguration&quot;,
        &quot;ecr:GetRepositoryPolicy&quot;,
        &quot;ecr:ListImages&quot;
      ]
    }
  ]
}

it no longer works.

I'm still learning IAM. Grammatically, I thought the principal was the entity or thing being granted the access. However, it sometimes seems to refer to the thing that access will be granted. Think of this like nouns in a sentence. Bob gives Dave the ball. The principal could be Bob or it could be Dave. It's not clear which in these cases.

I believe I can confidently say, both my ECR and my AWS CodeBuild project need permissions set. I cannot just give the CodeBuild project solely by changing the permission there. I need to also set it in the ECR.

What I do not know is how to refer to the CodeBuild project in the ECR policy statement, especially since it's using some undefined user CodeBuild that may or may not be assuming a role, but it doesn't say which one.

答案1

得分: 2

尝试将此设置为您的主体:

 "主体":{
   "服务":"codebuild.amazonaws.com"
 },

来源

英文:

Try setting this as your principal:

 &quot;Principal&quot;:{
   &quot;Service&quot;:&quot;codebuild.amazonaws.com&quot;
 },

Source

huangapple
  • 本文由 发表于 2023年7月10日 12:57:52
  • 转载请务必保留本文链接:https://go.coder-hub.com/76650760.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定