How do I let an environment under Elastic Beanstalk talk to S3 so that it can fetch the authentication information and then pull my Docker image from a private repository in a multi-container environment?

I found the name of the IAM role in my environment's instance configuration ("aws-elasticbeanstalk-ec2-role"), went to IAM and opened the "AWSElasticBeanstalkWebTier" policy in order to extend it with S3 access to my bucket's ARN, but those policies are "AWS managed" and read-only. I tried just attaching an existing S3 policy (e.g. the AWS-defined AmazonS3ReadOnlyAccess) to my instance profile role, but the deployment fails and the log still complains that it cannot access the private repository:

```
2018-01-10T02:56:10Z + local 'CONTAINER_STOPPED_REASONS=nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access'
2018-01-10T02:56:10Z + '[' -n 'Essential container in task exited' ']'
2018-01-10T02:56:10Z + error 'ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)'
2018-01-10T02:56:10Z + echo 'ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)'
2018-01-10T02:56:10Z ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)
2018-01-10T02:56:10Z + eventHelper.py --msg 'ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)' --severity ERROR
2018-01-10T02:56:10Z + set -e
```

There is no mention of an attempt to access the authentication file, but I don't know whether to expect it to log that.

Does the configuration look right?
```json
{
  "AWSEBDockerrunVersion": 2,
  "volumes": [
  ],
  "containerDefinitions": [
    {
      "name": "nomad-service-identity",
      "image": "dsoprea/nomad:identity-1",
      "essential": true,
      "memory": 128,
      "portMappings": [
        {
          "hostPort": 80,
          "containerPort": 80
        }
      ],
      "entryPoint": ["/nomad/nomad_identity_service"],
      "links": [
      ],
      "mountPoints": [
      ],
      "authentication": {
        "bucket": "nomad-docker",
        "key": "dockerconfig.json"
      }
    }
  ]
}
```
Answer 1

You need to attach the correct permissions for reading the registry to that EB role. If the repository is ECR, the permission to add would be:

```
arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
```
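As an added check covering both the question's Dockerrun.aws.json and the answer's point about role permissions (example code written for this page; it is not from the original post, the answer, or Elastic Beanstalk itself): in the version-2 Dockerrun format the `authentication` object is a top-level key, sitting next to `AWSEBDockerrunVersion` and `containerDefinitions`. A copy nested inside a container definition, as in the question, is not where Elastic Beanstalk reads it from, so the pull runs unauthenticated and fails with "no pull access" regardless of what the instance profile can read. The linter below flags that layout, hoists the block to the top level, and emits the least-privilege S3 policy the instance profile role needs to fetch the auth file, which is narrower than attaching AmazonS3ReadOnlyAccess. The sample document is constructed to match the question; the function names are this example's own.

```python
import copy
import json

# Constructed sample in the shape of the question's Dockerrun.aws.json (v2),
# with the "authentication" block nested inside a container definition.
# In the v2 format that key belongs at the top level of the document,
# next to "AWSEBDockerrunVersion" and "containerDefinitions".
SAMPLE_DOCKERRUN = json.loads("""
{
  "AWSEBDockerrunVersion": 2,
  "volumes": [],
  "containerDefinitions": [
    {
      "name": "nomad-service-identity",
      "image": "dsoprea/nomad:identity-1",
      "essential": true,
      "memory": 128,
      "portMappings": [{"hostPort": 80, "containerPort": 80}],
      "entryPoint": ["/nomad/nomad_identity_service"],
      "links": [],
      "mountPoints": [],
      "authentication": {"bucket": "nomad-docker", "key": "dockerconfig.json"}
    }
  ]
}
""")


def lint_dockerrun(doc):
    """Return a list of findings; an empty list means the auth layout looks right."""
    findings = []
    if doc.get("AWSEBDockerrunVersion") != 2:
        findings.append("AWSEBDockerrunVersion must be 2 for the multi-container format")
    top = doc.get("authentication")
    nested = [c.get("name", "?") for c in doc.get("containerDefinitions", [])
              if "authentication" in c]
    for name in nested:
        findings.append(f"container {name!r} carries an 'authentication' block; "
                        "Elastic Beanstalk looks for it at the top level of the document")
    if top is None and not nested:
        findings.append("no 'authentication' block: private images will fail with "
                        "'no pull access' even if the instance profile can read S3")
    if top is not None:
        for field in ("bucket", "key"):
            if not top.get(field):
                findings.append(f"top-level 'authentication' is missing '{field}'")
    return findings


def hoist_authentication(doc):
    """Return a copy with any container-level 'authentication' moved to the top level."""
    fixed = copy.deepcopy(doc)
    for container in fixed.get("containerDefinitions", []):
        auth = container.pop("authentication", None)
        if auth is not None and "authentication" not in fixed:
            fixed["authentication"] = auth
    return fixed


def s3_auth_read_policy(bucket, key):
    """Least-privilege inline policy for the instance profile role: read only the
    auth object, instead of a broad managed policy such as AmazonS3ReadOnlyAccess."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadDockerAuthFile",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/{key}"],
        }],
    }


if __name__ == "__main__":
    print("findings:", lint_dockerrun(SAMPLE_DOCKERRUN))
    fixed = hoist_authentication(SAMPLE_DOCKERRUN)
    print("after hoisting:", lint_dockerrun(fixed))
    auth = fixed["authentication"]
    print(json.dumps(s3_auth_read_policy(auth["bucket"], auth["key"]), indent=2))
```

Run it against the file before deploying: a non-empty findings list on the original layout and an empty one after `hoist_authentication` is the signal that the `authentication` placement, not the role, was the problem. The emitted policy grants `s3:GetObject` on the single auth object only; attach it inline to the instance profile role rather than widening the AWS managed policies, which cannot be edited anyway. The bucket holding the auth file must be in the same region as the environment.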