How to push to an account in AWS ECR using assume_role

Posted 2025-01-19 02:48:56 · 1784 characters · 0 views · 0 comments


What am I missing? Regardless of what syntax I try, pushing to AWS ECR always lands in the main / management AWS account. In the AWS console I can switch into that account with the appropriate role. Using Terraform I can set the assume_role.role_arn property to create resources in the correct account. However, no config or syntax for Docker and the AWS CLI seems to work. I'm clearly missing a step, property, or global option.

If I go the Terraform route, I can do anything I need. So, I know it should work ...

provider "aws" {
  region = "us-gov-west-1"
  shared_credentials_file = "~/.aws/credentials"
  profile = "govcloud"

  assume_role {
    role_arn = "arn:aws-us-gov:iam::123456789012:role/Build_Administrator"
  }
}

However, I would rather NOT use Terraform for such a simple task as pushing to ECR.

I've tried using the role_arn property in the ~/.aws/config and that doesn't work...

[govcloud]
region = us-gov-west-1
output = json

[govcloud-assume]
region = us-gov-west-1
output = json
role_arn=arn:aws-us-gov:iam::123456789012:role/Build_Administrator

In any other scenario, calling get-login-password / create-repository will leverage the current configured keys and will manipulate the configured account...

aws ecr get-login-password | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-gov-west-1.amazonaws.com
aws ecr create-repository --repository-name "complexapi" --image-tag-mutability MUTABLE 

It feels as if there should be some type of global option to set the target account or role_arn, however no combination works...

aws ecr get-login-password --profile govcloud-assume --region us-gov-west-1 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-gov-west-1.amazonaws.com
aws ecr create-repository --profile govcloud-assume --region us-gov-west-1 --repository-name "complexapi" --image-tag-mutability MUTABLE 

Update 1:
Feels like I'm getting closer. After setting the access key I can successfully call aws sts assume-role and return a Credentials object. Just don't know what to do with it yet.

Update 2:
STS was a waste of time and sent me down the wrong path. Don't go there. It's not needed and will pollute your local auth environment for the AWS CLI.


Answer by 蛮可爱, 2025-01-26 02:48:56


To assume a role using the AWS CLI with ECR, you must use the --profile property within your scripts and structure the ~/.aws/config with two properties together: role_arn and source_profile.

The ~/.aws/config requires both the main account and the sub-account you wish to work with. This sub-account contains the role you wish to assume, whose ARN is maintained in its role_arn property. The profile of the sub-account is what you will reference in your scripts; however, the config must also point back to the source_profile, which will maintain the actual credentials:

[default]
region = us-gov-west-1
output = json

[profile gov-mgmt]
region = us-west-1
output = json

[profile gov-staging]
role_arn = arn:aws-us-gov:iam::123456789123:role/BuildBoxRole
source_profile = gov-mgmt
region = us-gov-west-1

Your ~/.aws/credentials file then contains the keys for the main account:

[gov-mgmt]
aws_access_key_id = ABCDEFGHIJKLMNOPQRST
aws_secret_access_key = abcdefghijklmnopqrstuvwxyz1234567890ab12

Once in place, your commands will reference the profile containing the role you wish to assume (the target account) and, where needed, you use that account ID. In the example of the get-login-password command, the AWS CLI is passed the --profile property using the name of the sub-account. Docker will receive the resulting password from the AWS CLI and directly reference the sub-account by number.

For example, here are the commands to create the AWS ECR repository in the sub-account (note that both the sub-account ID and the name of that account's profile are used):

aws ecr get-login-password --profile gov-staging | docker login \
  --username AWS \
  --password-stdin 123456789123.dkr.ecr.us-gov-west-1.amazonaws.com

aws ecr create-repository \
  --profile gov-staging \
  --repository-name "complexapi" \
  --image-tag-mutability MUTABLE 

... and the commands needed to push an image into the sub-account's registry with both the latest tag and a proper version number:

docker tag fredlackey/complexapi:0.0.0 \
  123456789123.dkr.ecr.us-gov-west-1.amazonaws.com/complexapi:0.0.0

docker tag fredlackey/complexapi:0.0.0 \
  123456789123.dkr.ecr.us-gov-west-1.amazonaws.com/complexapi:latest

aws ecr get-login-password \
  --profile gov-staging | docker login \
  --username AWS \
  --password-stdin 123456789123.dkr.ecr.us-gov-west-1.amazonaws.com

docker push 123456789123.dkr.ecr.us-gov-west-1.amazonaws.com/complexapi:0.0.0

docker push 123456789123.dkr.ecr.us-gov-west-1.amazonaws.com/complexapi:latest
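The failure the question describes (images quietly landing in the management account) is easy to catch before any push: resolve the profile with `aws sts get-caller-identity` and compare its Account with the account ID embedded in the registry hostname. The following POSIX sh script is an added example and is not part of the answer above; it assumes the profile name `gov-staging` and the registry hostnames from the answer, and the `SAMPLE_IDENTITY` JSON is a constructed stand-in for the CLI's real output so the check can be exercised offline. Only `ecr_push` calls `aws` and `docker`.

```shell
#!/bin/sh
# Added example: refuse to log in to or push to an ECR registry unless the
# chosen --profile actually resolves to the registry's account.
# Assumed names: profile "gov-staging", registries as in the answer above.

# Extract the 12-digit account ID from an ECR registry hostname;
# prints nothing for hostnames that are not ECR registries.
registry_account() {
  printf '%s\n' "$1" |
    sed -n 's/^\([0-9]\{12\}\)\.dkr\.ecr\.[a-z0-9-]*\.amazonaws\.com$/\1/p'
}

# Extract the "Account" field from `aws sts get-caller-identity` JSON output.
identity_account() {
  printf '%s\n' "$1" |
    sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p'
}

# Succeed only when the caller identity's account equals the registry's account.
check_target() {
  want=$(registry_account "$1")
  have=$(identity_account "$2")
  [ -n "$want" ] && [ -n "$have" ] && [ "$want" = "$have" ]
}

# Log in and push: aborts before touching the registry if the profile lands
# in a different account than the one named in the registry hostname.
# Usage: ecr_push gov-staging 123456789123.dkr.ecr.us-gov-west-1.amazonaws.com complexapi:0.0.0
ecr_push() {
  profile="$1" registry="$2" image="$3"
  identity=$(aws sts get-caller-identity --profile "$profile" --output json) || return 1
  if ! check_target "$registry" "$identity"; then
    echo "refusing to push: profile '$profile' resolves to account $(identity_account "$identity"), registry belongs to $(registry_account "$registry")" >&2
    return 1
  fi
  aws ecr get-login-password --profile "$profile" |
    docker login --username AWS --password-stdin "$registry" || return 1
  docker push "$registry/$image"
}

# Constructed sample, shaped like real `aws sts get-caller-identity` output
# for the assumed role in the sub-account (not captured from a live session).
SAMPLE_IDENTITY='{
    "UserId": "AROAEXAMPLEID:cli-session",
    "Account": "123456789123",
    "Arn": "arn:aws-us-gov:sts::123456789123:assumed-role/BuildBoxRole/cli-session"
}'

# Offline demonstration of the check: `sh script.sh --demo`
if [ "${1:-}" = "--demo" ]; then
  check_target 123456789123.dkr.ecr.us-gov-west-1.amazonaws.com "$SAMPLE_IDENTITY" &&
    echo "identity matches registry account: safe to push"
  check_target 123456789012.dkr.ecr.us-gov-west-1.amazonaws.com "$SAMPLE_IDENTITY" ||
    echo "mismatch detected: would refuse to push"
fi
```

Running the check first also gives a direct answer to "which account am I in?" when a profile chain is misconfigured: if `identity_account` returns the management account's ID while the registry hostname names the sub-account, the `role_arn`/`source_profile` pairing is not taking effect and no login should be attempted.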