我试图让帐户A中的CodeBuild将图像推送到帐户B的ECR,但我遇到了权限问题。
我在账户B中有以下政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ecr:*"
],
"Effect": "Allow",
"Resource": "*"
}]}
以及账户B中的角色ecrManager,附带此类策略,以及以下信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountA:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}]}
我在账户A中有CodeBuild使用的角色,并有以下策略:
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::accountB:role/ecrManager"
},
但是当我运行代码Build时,我在CloudTrail中得到以下错误:
"errorMessage": "User: arn:aws:sts::accountA:assumed-role/CodeBuild-CodeBuildServiceRole-1RHFVAD5WW6J4/AWSCodeBuild-b7487523-7e3a-4219-bee7-08e6e40a3f21 is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:ca-central-1:accountB:repository/demo because no resource-based policy allows the ecr:InitiateLayerUpload action"
我在这里做错了什么?
谢谢!
基于资源的策略需要更新
来自
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountA:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}]}
至
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::[accountAID]:role/CodeBuild-CodeBuildServiceRole"
}
}
这是一个关于如何创建跨帐户访问角色的博客https://dev.to/kasukur/how-to-delegate-access-across-aws-accounts-using-iam-roles-43ej
你能试试这个吗?如果不管用,请告诉我。
所以问题是我没有在代码构建脚本中扮演这个角色。这个AWS教程很好地解释了它应该如何完成:
https://aws.amazon.com/premiumsupport/knowledge-center/codebuild-temporary-credentials-docker/