AWS ECR tag-based access control

    $ docker pull {ACCOUNT-ID}.dkr.ecr.{region}.amazonaws.com/{repository-name}:ecr
    Error response from daemon: pull access denied for {ACCOUNT-ID}.dkr.ecr.ap-south-1.amazonaws.com/{repository-name}, repository does not exist or may require 'docker login': denied: User: arn:aws:iam::{ACCOUNT-ID}:user/pull-user is not authorized to perform: ecr:BatchGetImage on resource: arn:aws:ecr:{region}:{ACCOUNT-ID}:repository/{repository-name} because no identity-based policy allows the ecr:BatchGetImage action

When I remove the tag, it pulls whatever tag I want to pull. I am building a tag-based access control that is only for pulling.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:DescribeRepositories",
                    "ecr:DescribeImages",
                    "ecr:ListImages",
                    "ecr:GetRepositoryPolicy",
                    "ecr:GetAuthorizationToken"
                ],
                "Resource": [
                    "arn:aws:ecr:{region}:{ACCOUNT-ID}:repository/legacy:ecr"
                ]
            }
        ]
    }
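The behaviour described in the question (denied with the `:ecr` suffix, every tag pullable without it) follows from the shape of ECR resource ARNs: the IAM resource type for ECR is the repository, `arn:aws:ecr:{region}:{account}:repository/{name}`, and repository names cannot contain a colon, so `repository/legacy:ecr` names a repository that does not exist rather than a tag of `legacy`. A second problem in the posted policy is that `ecr:GetAuthorizationToken` is not a repository-scoped action and has to be allowed on `Resource: "*"`. The script below is an added example, not code from the question or from AWS: it lints a policy document offline for both mistakes and emits a corrected version. The policy literal is copied from the question; the `ECR_REPO_ARN` pattern and `WILDCARD_ONLY_ACTIONS` set are my own assumptions encoded for the check.

```python
"""Offline lint for an ECR pull policy (added example, not from the question)."""
from __future__ import annotations

import json
import re
from copy import deepcopy

# Assumption encoded here: ECR IAM resource ARNs are repository-level only,
# arn:aws:ecr:<region>:<account>:repository/<name>, and <name> may contain
# lowercase letters, digits, '-', '_', '.', '/', but never ':'. Anything after
# the longest valid name is captured as "suffix" (e.g. the ":ecr" tag).
ECR_REPO_ARN = re.compile(
    r"^arn:aws:ecr:(?P<region>[^:]*):(?P<account>[^:]*):repository/"
    r"(?P<repo>[a-z0-9._/-]+)(?P<suffix>.*)$"
)

# Actions that are not bound to a repository and must be allowed on "*".
WILDCARD_ONLY_ACTIONS = {"ecr:GetAuthorizationToken"}

# Policy as posted in the question (placeholders kept as written).
POSTED_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:DescribeRepositories",
                "ecr:DescribeImages",
                "ecr:ListImages",
                "ecr:GetRepositoryPolicy",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": [
                "arn:aws:ecr:{region}:{ACCOUNT-ID}:repository/legacy:ecr"
            ]
        }
    ]
}
""")


def _as_list(value) -> list:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def strip_tag(arn: str) -> str:
    """Drop a ':tag' (or any other) suffix that cannot be part of an ECR repository ARN."""
    m = ECR_REPO_ARN.match(arn)
    if m and m.group("suffix"):
        return arn[: -len(m.group("suffix"))]
    return arn


def lint_policy(policy: dict) -> list[str]:
    """Return one finding per problem; an empty list means the policy passes."""
    findings: list[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = set(_as_list(stmt.get("Action", [])))
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            m = ECR_REPO_ARN.match(res)
            if m and m.group("suffix"):
                findings.append(
                    f"statement {i}: resource {res!r} carries suffix {m.group('suffix')!r}; "
                    "ECR ARNs have no image-tag component, so no repository matches"
                )
        if "*" not in resources:
            for action in sorted(actions & WILDCARD_ONLY_ACTIONS):
                findings.append(
                    f"statement {i}: {action} must be allowed on Resource \"*\", not a repository ARN"
                )
    return findings


def fix_policy(policy: dict) -> dict:
    """Strip bogus tag suffixes and move wildcard-only actions into their own statement."""
    fixed = deepcopy(policy)
    moved: set[str] = set()
    for stmt in fixed["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if "*" not in resources:
            moved.update(a for a in actions if a in WILDCARD_ONLY_ACTIONS)
            actions = [a for a in actions if a not in WILDCARD_ONLY_ACTIONS]
        stmt["Action"] = actions
        stmt["Resource"] = [strip_tag(r) for r in resources]
    if moved:
        fixed["Statement"].append({"Effect": "Allow", "Action": sorted(moved), "Resource": "*"})
    return fixed


if __name__ == "__main__":
    for line in lint_policy(POSTED_POLICY):
        print("FINDING:", line)
    print(json.dumps(fix_policy(POSTED_POLICY), indent=4))
```

The corrected output grants `pull-user` read access to every tag in `legacy`, which is exactly what the question reports after removing `:ecr`; since the Resource ARN grammar has no tag component, a per-tag pull restriction cannot be expressed in the `Resource` field of this policy at all, and the linter flags any attempt to do so.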
