I am trying to build a docker image from a Pipeline account and push it to the ECR of another account (Dev).
While I am able to build from code and push the docker image to an ECR repo within the same account (Pipeline), I am having a hard time doing this for an external AWS account's ECR.
Policy attached to the ECR repo on the Dev account:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPush",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<pipelineAccountID>:role/service-role/<codebuildRole>"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
On my Pipeline account, the service role that runs the build project matches the ARN in the policy above, and my buildspec contains the following snippet for pushing the image:
- $(aws ecr get-login --no-include-email --region us-east-1 --registry-ids <DevAccount>)
- docker tag <imageName>:latest $ECR_REPO_DEV:latest
- docker push $ECR_REPO_DEV:latest
CodeBuild is able to log in to ECR successfully, but when it tries to actually push the image I get:
*denied: User: arn:aws:sts::<pipelineAccountID>:assumed-role/<codebuildRole>/AWSCodeBuild-413cfca0-133a-4f37-b505-a94668201e26 is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-1:<DevAccount>:repository/<repo>*
Additionally, I have made sure that the IAM policy of the role (which resides on the CodePipeline account) has permissions on this repo:
{
  "Sid": "CrossAccountRepo",
  "Effect": "Allow",
  "Action": "ecr:*",
  "Resource": "arn:aws:ecr:us-east-1:<DevAccount>:repository/sg-api"
}
I have no idea what I could be missing now. The only thing that comes to mind is having a cross-account role at build time, but I am not even sure whether that is possible. My goal is to separate the build pipeline from the dev account, since I have heard that this is best practice.
Any suggestions?
Thanks in advance.
From my understanding of this and the error message above, the most common cause is that the ECR repository does not have a policy that allows the CodeBuild IAM role to access it.
Please set this policy on the ECR repo:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountPush",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<dev account>:root"
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ]
    }
  ]
}
- Reference: https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html#IAM_allow_other_accounts
Please add this policy to the CodeBuild service role:
{
  "Sid": "CrossAccountRepo",
  "Effect": "Allow",
  "Action": "ecr:*",
  "Resource": "*"
}
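The point both the question and the answer turn on is that a cross-account ECR push is authorised only when two policies agree: the repository policy in the Dev account must name the calling principal, and the identity policy on the CodeBuild role in the pipeline account must allow the same action on the same repository ARN. The following is an added example, not code from the question or the answer: it builds a least-privilege pair of policies (repo policy trusting one role rather than a whole account, role policy scoped to one repository) and a simplified evaluator that reports which side denies. Account IDs, the role name and the repo name are constructed placeholders; the evaluator handles Allow statements only (no Deny or Condition), so it is a teaching model, not the real IAM engine.

```python
import fnmatch

# Constructed sample values; real account IDs, role and repo names are placeholders.
PIPELINE_ACCOUNT, DEV_ACCOUNT, REGION = "111111111111", "222222222222", "us-east-1"
ROLE_NAME, REPO = "codebuild-role", "sg-api"
PUSH_ACTIONS = ["ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload",
                "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart"]

def repository_policy(pipeline_account, role_name):
    """Resource policy on the Dev-account repo: trusts one role, not a whole account."""
    return {"Version": "2008-10-17", "Statement": [{
        "Sid": "AllowCrossAccountPush", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{pipeline_account}:role/service-role/{role_name}"},
        "Action": PUSH_ACTIONS}]}

def role_policy(dev_account, region, repo):
    """Identity policy on the CodeBuild role, scoped to one repo ARN. The login call
    (ecr:GetAuthorizationToken) has no resource-level scope, so it needs Resource "*"."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": PUSH_ACTIONS,
         "Resource": f"arn:aws:ecr:{region}:{dev_account}:repository/{repo}"},
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"}]}

def _identity(arn):
    """Map an IAM role ARN (any path), STS assumed-role ARN or account root to (account, name)."""
    account, parts = arn.split(":")[4], arn.split(":", 5)[5].split("/")
    return account, (parts[1] if parts[0] == "assumed-role" else parts[-1])

def _as_list(value):
    return [value] if isinstance(value, str) else value

def _grants(statement, action, resource):
    """Does one Allow statement match action and resource (IAM-style wildcards)?"""
    resources = _as_list(statement.get("Resource", "*"))  # repo policies imply the repo
    return (statement["Effect"] == "Allow"
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def cross_account_allowed(repo_policy, identity_policy, caller_arn, action, resource):
    """Simplified cross-account evaluation (Allow statements only, no Deny or conditions):
    the Dev repo policy must allow this caller AND the caller's own policy must allow it."""
    caller = _identity(caller_arn)
    resource_ok = any(_identity(p) in (caller, (caller[0], "root")) and _grants(st, action, resource)
                      for st in repo_policy["Statement"]
                      for p in _as_list(st["Principal"]["AWS"]))
    identity_ok = any(_grants(st, action, resource) for st in identity_policy["Statement"])
    return {"resource_policy": resource_ok, "identity_policy": identity_ok,
            "allowed": resource_ok and identity_ok}
```

Run the evaluator with the STS assumed-role ARN from the denied message as the caller; a verdict with one side false tells you which account's policy to look at first.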