Elastic Beanstalk: IAM policy for deploying a multi-container Docker environment from a private repository

How do I enable an environment under Elastic Beanstalk to talk to S3 so that it can fetch the authentication information and then pull my Docker image from a private repository in a multi-container environment?

I found the name of the IAM role in my environment's instance configuration ("aws-elasticbeanstalk-ec2-role"), went to IAM and opened the "AWSElasticBeanstalkWebTier" policy in order to extend it with S3 access to my bucket's ARN, but these policies are "AWS managed" and read-only. I tried just attaching an existing S3 policy (e.g. the AWS-defined AmazonS3ReadOnlyAccess) to my instance-profile role, but the deployment fails and the logs still complain about not being able to access the private repository:

2018-01-10T02:56:10Z + local 'CONTAINER_STOPPED_REASONS=nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access'
2018-01-10T02:56:10Z + '[' -n 'Essential container in task exited' ']'
2018-01-10T02:56:10Z + error 'ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)'
2018-01-10T02:56:10Z + echo 'ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)'
2018-01-10T02:56:10Z ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)
2018-01-10T02:56:10Z + eventHelper.py --msg 'ECS task stopped due to: Essential container in task exited. (nomad-service-identity: CannotPullContainerError: API error (404): repository dsoprea/nomad not found: does not exist or no pull access)' --severity ERROR
2018-01-10T02:56:10Z + set -e

There is no mention of an attempt to access the authentication file, but I don't know whether to expect it to log that.

Does the configuration look correct?

{
  "AWSEBDockerrunVersion": 2,
  "volumes": [
  ],
  "containerDefinitions": [
    {
      "name": "nomad-service-identity",
      "image": "dsoprea/nomad:identity-1",
      "essential": true,
      "memory": 128,
      "portMappings": [
        {
          "hostPort": 80,
          "containerPort": 80
        }
      ],
      "entryPoint": ["/nomad/nomad_identity_service"],
      "links": [
      ],
      "mountPoints": [
      ],

      "authentication": {
        "bucket": "nomad-docker",
        "key": "dockerconfig.json"
      }

    }
  ]
}

Answer 1

You need to attach the correct permissions for reading the registry to that EB role. If the repository is ECR, the permission to add would be:

arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
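The question asks whether the Dockerrun.aws.json is right and the answer covers the registry-side permission; the script below is an added example (not code from the question or the answer) that checks both sides of that setup in one pass. It assumes the bucket (nomad-docker) and key (dockerconfig.json) from the question, uses a constructed Dockerrun.aws.json with the same shape as the one posted, and relies on the version 2 Dockerrun format placing the authentication block at the top level, as a sibling of containerDefinitions, rather than inside a container definition (nested there it is not read as the credential location, so no credential file is ever fetched from S3, whatever policy the instance profile carries). Instead of a bucket-wide or account-wide read-only grant it derives a least-privilege inline policy scoped to the single S3 object, and it recommends the ECR read-only managed policy from the answer only when an image actually lives in ECR.

```python
"""Validate a Dockerrun.aws.json (v2) for private-registry pulls and derive the
IAM permissions the Elastic Beanstalk instance profile needs.

Added example, not code from the question or the answer. The bucket and key
names come from the question; the sample file below is constructed.
"""
import json
import re

# Constructed sample: same shape as the question's file, with the
# "authentication" block nested inside a container definition.
SAMPLE_DOCKERRUN = json.dumps({
    "AWSEBDockerrunVersion": 2,
    "volumes": [],
    "containerDefinitions": [{
        "name": "nomad-service-identity",
        "image": "dsoprea/nomad:identity-1",
        "essential": True,
        "memory": 128,
        "portMappings": [{"hostPort": 80, "containerPort": 80}],
        "entryPoint": ["/nomad/nomad_identity_service"],
        "links": [],
        "mountPoints": [],
        "authentication": {"bucket": "nomad-docker", "key": "dockerconfig.json"},
    }],
})

# Managed policy named in the answer; needed only when images come from ECR.
ECR_READONLY_POLICY = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
# ECR registry hostnames look like <account-id>.dkr.ecr.<region>.amazonaws.com
ECR_HOST = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")


def locate_authentication(dockerrun: dict):
    """Return ("top-level", auth) when the block is where the v2 format expects it,
    ("container:<name>", auth) when it was nested inside a container definition
    (not read as the credential location there), or (None, None) when absent."""
    if "authentication" in dockerrun:
        return "top-level", dockerrun["authentication"]
    for cdef in dockerrun.get("containerDefinitions", []):
        if "authentication" in cdef:
            return "container:%s" % cdef.get("name", "?"), cdef["authentication"]
    return None, None


def s3_policy_for(auth: dict) -> dict:
    """Least-privilege policy: s3:GetObject on the one object holding the registry
    credentials, instead of a bucket-wide or account-wide read-only grant."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadDockerRegistryCredentials",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::%s/%s" % (auth["bucket"], auth["key"]),
        }],
    }


def check_dockerrun(text: str) -> dict:
    """Parse the file and report where the auth block sits, the inline S3 policy
    to attach to the instance profile, and whether ECR read access is also needed."""
    dockerrun = json.loads(text)
    findings = []
    location, auth = locate_authentication(dockerrun)
    if location is None:
        findings.append("no authentication block: private images cannot be pulled")
    elif location != "top-level":
        findings.append("authentication block is nested in %s; move it to the "
                        "top level next to containerDefinitions" % location)
    images = [c.get("image", "") for c in dockerrun.get("containerDefinitions", [])]
    ecr_images = [i for i in images if ECR_HOST.match(i)]
    return {
        "auth_location": location,
        "s3_policy": s3_policy_for(auth) if auth else None,
        "extra_managed_policies": [ECR_READONLY_POLICY] if ecr_images else [],
        "findings": findings,
    }


def fix_authentication(dockerrun: dict) -> dict:
    """Return a copy with a nested authentication block hoisted to the top level."""
    fixed = json.loads(json.dumps(dockerrun))
    location, auth = locate_authentication(fixed)
    if location and location != "top-level":
        for cdef in fixed["containerDefinitions"]:
            cdef.pop("authentication", None)
        fixed["authentication"] = auth
    return fixed


if __name__ == "__main__":
    print(json.dumps(check_dockerrun(SAMPLE_DOCKERRUN), indent=2))
    print(json.dumps(fix_authentication(json.loads(SAMPLE_DOCKERRUN)), indent=2))
```

Run it against the real Dockerrun.aws.json before deploying: the findings list tells you whether the authentication block is where Beanstalk will look for it, and the generated statement is the inline policy to attach to the instance-profile role (aws-elasticbeanstalk-ec2-role in the question) instead of the broad AmazonS3ReadOnlyAccess. The ECR managed policy is only suggested when a container image is hosted in ECR; Docker Hub pulls need only the S3 object read plus the credential file itself.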
