Cannot create a policy for AWS ECR

Posted on 2025-01-15 23:03:10, 1183 characters, 0 views, 0 comments


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:user/root"
            },
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": [
                "xxx.dkr.ecr.us-west-2.amazonaws.com/yyy"
            ]
        }
    ]
}

The command I am trying to use is:

aws ecr set-repository-policy --repository-name yyy --policy-text file://ecr-policy.json

If I run ls on my Linux machine I can see this ecr-policy.json in the same folder where I run this command.

I want to grant access to myself.

I always get this error:

An error occurred (InvalidParameterException) when calling the SetRepositoryPolicy operation: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided'

I checked my AWS ARN and it ends with root.


Comments (3)

月依秋水 2025-01-22 23:03:10


I want to grant access to myself.

You don't need a Resource section because this statement will be attached to a specific repository. Try adding the following statement at Console > ECR > Repositories > [select a repository in the Images table] > Permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account #>:user/<your IAM user name>",
                    "arn:aws:iam::<account #>:root"
                ]
            },
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ]
        }
    ]
}

NOTE: Replace <account #> with your AWS account ID.

但可醉心 2025-01-22 23:03:10


Remove Resource from the policy JSON file:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account_id>:root"
            },
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchDeleteImage",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:ListImages",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ]
        }
    ]
}

Or you can set it in the AWS Console:

  1. Go to Amazon ECR > Repositories
  2. Create a repository
  3. Click the repository you created
  4. Go to the Permissions tab
  5. Edit permissions -> paste in the JSON above

心碎无痕… 2025-01-22 23:03:10


Try a Resource in this format:

arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}

https://docs.aws.amazon.com/AmazonECR/latest/userguide/security_iam_service-with-iam.html
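The three answers point at the same two defects in the asker's document: a Resource that is a registry hostname instead of a repository ARN (or nothing at all, since the policy is attached to one repository), and a root principal spelled ":user/root" instead of ":root". The following offline pre-flight lint, added here as an example and not code from the thread or from AWS, checks a policy document for those mistakes before it is handed to `aws ecr set-repository-policy`, and also flags a wildcard principal, which would make the repository readable by any AWS account. The account id 123456789012 and the IAM user name "alice" in the sample documents are constructed placeholders.

```python
import json
import re

# AWS partition names that can appear in an ARN.
_PART = r"(aws|aws-cn|aws-us-gov)"
# Repository ARN shape from the ECR IAM docs linked in the last answer:
#   arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}
REPO_ARN_RE = re.compile(rf"^arn:{_PART}:ecr:[a-z0-9-]+:\d{{12}}:repository/[a-z0-9._/-]+$")
# The account root principal is written "...:root", never "...:user/root".
ACCOUNT_ROOT_RE = re.compile(rf"^arn:{_PART}:iam::\d{{12}}:root$")
IAM_ENTITY_RE = re.compile(rf"^arn:{_PART}:iam::\d{{12}}:(user|role)/[\w+=,.@/-]+$")
# A registry hostname is what `docker push` uses; it is not a valid Resource.
REGISTRY_HOST_RE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(/|$)")


def _as_list(value):
    """IAM accepts a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _lint_principal(principal, where, findings):
    if isinstance(principal, dict):
        arns = _as_list(principal.get("AWS", []))  # only AWS principals are checked here
    elif principal == "*":
        arns = ["*"]
    else:
        findings.append(f"{where}: Principal must be '*' or an object such as {{'AWS': [...]}}")
        return
    for arn in arns:
        if arn == "*":
            findings.append(f"{where}: Principal '*' makes the repository public; name specific ARNs")
        elif arn.endswith(":user/root"):
            findings.append(f"{where}: {arn}: the account root is written ':root', not ':user/root'")
        elif not (ACCOUNT_ROOT_RE.match(arn) or IAM_ENTITY_RE.match(arn)):
            findings.append(f"{where}: {arn}: not an account-root, IAM user or IAM role ARN")


def _lint_resource(resource, where, findings):
    for res in _as_list(resource):
        if REGISTRY_HOST_RE.match(res):
            findings.append(f"{where}: {res}: Resource is a registry hostname; "
                            "use the repository ARN form or omit Resource")
        elif res != "*" and not REPO_ARN_RE.match(res):
            findings.append(f"{where}: {res}: not an ECR repository ARN")


def lint_policy(doc):
    """Return human-readable findings for a parsed policy; an empty list means clean."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version must be '2012-10-17'")
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append("Statement must be a non-empty list")
        return findings
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            findings.append(f"statement[{i}]: must be an object")
            continue
        where = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        actions = _as_list(stmt.get("Action", []))
        if not actions:
            findings.append(f"{where}: Action is empty")
        for action in actions:
            if not action.startswith("ecr:"):
                findings.append(f"{where}: {action} is not an ecr: action")
        if "Principal" not in stmt:
            findings.append(f"{where}: a repository policy must name a Principal")
        else:
            _lint_principal(stmt["Principal"], where, findings)
        if "Resource" in stmt:
            _lint_resource(stmt["Resource"], where, findings)
    return findings


def lint_policy_text(text):
    """Mirror `--policy-text file://...`: parse the JSON first, then lint it."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["policy document must be a JSON object"]
    return lint_policy(doc)


PUSH_PULL = ["ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability", "ecr:CompleteLayerUpload",
             "ecr:GetDownloadUrlForLayer", "ecr:InitiateLayerUpload", "ecr:PutImage",
             "ecr:UploadLayerPart"]

# Constructed sample: the asker's document with a made-up account id 123456789012.
ASKER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPushPull", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/root"},
    "Action": PUSH_PULL,
    "Resource": ["123456789012.dkr.ecr.us-west-2.amazonaws.com/yyy"]}]})

# Constructed sample: the first answer's fix with a made-up IAM user "alice".
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPushPull", "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::123456789012:user/alice",
                          "arn:aws:iam::123456789012:root"]},
    "Action": PUSH_PULL}]})

if __name__ == "__main__":
    for name, text in (("asker", ASKER_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_policy_text(text) or "clean")
```

Run against the asker's document the lint reports exactly the two problems discussed above; against the first answer's document it reports nothing. The lint is deliberately stricter than the service in one respect: a wildcard principal is valid JSON and valid IAM, but on a registry it grants pull access to every AWS customer, so it is worth catching before the policy is applied.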
