小贝子编程

AWS Beanstalk GHCR



我有一个Docker镜像托管在GitHub容器存储库(GHCR),我正试图将其部署到AWS Beanstalk。我已经看了他们的几个指南和文档,但是我的部署似乎仍然不起作用。

我使用docker登录创建了一个.dockercfg文件,如GitHub文档和AWS文档中所述。这给了我如下所示的.dockercfg

{
"auths": {
"ghcr.io": {
"auth": "..."
}
}
}

然后我将这个.dockercfg文件上传到AWS S3桶中,并创建了一个访问角色,允许读取该文件。

(我已将我的beanstalk环境的服务角色设置为这个新创建的S3访问角色)

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::xxxx/.dockercfg"
}
]
}

这样做之后,我创建了一个Dockerrun.aws.json文件来从GHCR获取Docker映像并在Beanstalk上运行。

{
"AWSEBDockerrunVersion": "1",
"Image": {
"Name": "ghcr.io/xxxx/xxxx:latest",
"Update": "true"
},
"Authentication": {
"Bucket": "xxxxx",
"Key": ".dockercfg"
},
"Ports": [
{
"ContainerPort": "8000"
}
]
}

但是,在部署应用程序时,AWS表示验证失败,无法下载映像。我在eb-engine.log文件

中得到以下日志
2022/12/07 21:53:55.683691 [INFO] start build docker app
2022/12/07 21:53:55.683730 [INFO] generate dockerfile with the image and ports from Dockerrun.aws.json
2022/12/07 21:53:55.683735 [INFO] fetching image and ports
2022/12/07 21:53:55.685173 [INFO] fetching image names from Dockerfile /var/app/staging/Dockerfile
2022/12/07 21:53:55.685259 [INFO] found images [ghcr.io/xxxx/xxx:latest] in Dockerfile /var/app/staging/Dockerfile
2022/12/07 21:53:55.685274 [INFO] download auth credentials for private repo
2022/12/07 21:53:55.685301 [INFO] Downloading: bucket: xxxx, object: /.dockercfg
2022/12/07 21:53:55.714223 [INFO] Download successful0bytes downloaded
2022/12/07 21:53:55.714248 [ERROR] An error occurred during execution of command [app-deploy] - [Docker Specific Build Application]. Stop running the command. Error: AccessDenied: Access Denied
status code: 403, request id: xxxx, host id: xxxx
2022/12/07 21:53:55.714253 [INFO] Executing cleanup logic
2022/12/07 21:53:55.714350 [INFO] CommandService Response: {"status":"FAILURE","api_version":"1.0","results":[{"status":"FAILURE","msg":"Engine execution has encountered an error.","returncode":1,"events":[{"msg":"Instance deployment failed. For details, see 'eb-engine.log'.","timestamp":1670450035714,"severity":"ERROR"}]}]}

我认为这意味着Beanstalk在从S3获取文件时遇到了麻烦,但我似乎无法确定是哪个部分出错了。

尽管没有帮助的"下载成功";消息,这里的错误实际上是一个IAM权限错误。

我给s3桶策略添加了以下权限:

{
"Sid": "...",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxx:role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::xxxx",
]
},

这里也有类似的问题和解决方案。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium