如何在 ElasticBeanstalk Cloudformation 模板中为 IAM 用户提供对 ECR 的访问权限？答案

【问题标题】：How to provision access to ECR for IAM user in ElasticBeanstalk Cloudformation template?如何在 ElasticBeanstalk Cloudformation 模板中为 IAM 用户提供对 ECR 的访问权限？
【发布时间】：2021-09-12 05:26:00
【问题描述】：

我有如下弹性豆茎模板。我正在使用多容器泊坞窗。所以我将我的图像单独推送到 ECR。在Dockerrun.json 中，我将我的图像称为"image": "*****.dkr.ecr.ap-south-1.amazonaws.com/******:latest"。通过使用这个 CF 模板，我可以使用多容器创建 ELB。但是在部署我的Dockerrun.json 时，由于我的图像被拒绝许可而失败。所以我将Type: AWS::ECR::Repository 添加到我的云层中。我的CF 中已经有MyInstanceProfile。这里我想给MyInstanceProfile添加ECR权限。那么如何将 ECR 权限分配给 ElasticbeanStalk 云形成模板呢？

Resources:
  sampleApplication:
    Type: AWS::ElasticBeanstalk::Application
    Properties:
      Description: AWS Elastic Beanstalk Sample Application
  sampleApplicationVersion:
    Type: AWS::ElasticBeanstalk::ApplicationVersion
    Properties:
      ApplicationName:
        Ref: sampleApplication
      Description: AWS ElasticBeanstalk Sample Application Version
      SourceBundle:
        S3Bucket: !Sub "elasticbeanstalk-ap-south-1-182107200133"
        S3Key: TravelTouch/Dockerrun.aws.json
  MyRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowPushPull
            Effect: Allow
            Principal:
              AWS:
               /*
                Here how to assign permission to MyInstanceProfile
               */
            Action:
              - "ecr:GetDownloadUrlForLayer"
              - "ecr:BatchGetImage"
              - "ecr:BatchCheckLayerAvailability"
              - "ecr:PutImage"
              - "ecr:InitiateLayerUpload"
              - "ecr:UploadLayerPart"
              - "ecr:CompleteLayerUpload"
  sampleConfigurationTemplate:
    Type: AWS::ElasticBeanstalk::ConfigurationTemplate
    Properties:
      ApplicationName:
        Ref: sampleApplication
      Description: AWS ElasticBeanstalk Sample Configuration Template
      OptionSettings:
        - Namespace: aws:autoscaling:asg
          OptionName: MinSize
          Value: '2'
        - Namespace: aws:autoscaling:asg
          OptionName: MaxSize
          Value: '6'
        - Namespace: aws:elasticbeanstalk:environment
          OptionName: EnvironmentType
          Value: LoadBalanced
        - Namespace: aws:autoscaling:launchconfiguration
          OptionName: IamInstanceProfile
          Value: !Ref MyInstanceProfile
      SolutionStackName: 64bit Amazon Linux 2018.03 v2.26.0 running Multi-container Docker 19.03.13-ce (Generic)
  sampleEnvironment:
    Type: AWS::ElasticBeanstalk::Environment
    Properties:
      ApplicationName:
        Ref: sampleApplication
      Description: AWS ElasticBeanstalk Sample Environment
      TemplateName:
        Ref: sampleConfigurationTemplate
      VersionLabel:
        Ref: sampleApplicationVersion
  MyInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: Beanstalk EC2 role
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
        - arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
        - arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
  MyInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref MyInstanceRole```

【问题讨论】：

标签： amazon-web-services amazon-elastic-beanstalk amazon-cloudformation amazon-iam amazon-ecr

【解决方案1】：

通常您会指定角色的ARN：

            Principal:
              AWS: !GetAtt MyInstanceRole.Arn

更新：

  MyInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: Beanstalk EC2 role
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier
        - arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker
        - arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier
      Policies:
        - PolicyName: AllowGetAuthorizationToken
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Sid": "ECSAccess",
                      "Effect": "Allow",
                      "Action": [
                          "ecr:GetAuthorizationToken",
                      ],
                      "Resource": "*"
                  }
              ]
          }

【讨论】：

嗨@Marcin，我在创建堆栈时收到Resource handler returned message: "Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid repository policy provided' (Service: Ecr, Status Code: 400, Request ID: 62b7161d-a133-4791-9cb3-0392431e0eb1, Extended Request ID: null)" (RequestToken: 155b2c33-f126-f4a2-4a87-e1ae90668862, HandlerErrorCode: GeneralServiceException)这个错误
是否需要在 MyInstanceRole Principal: Service: 部分添加有关 ECR 的内容？
@NatheeshkumarRangasamy 你根本不需要RepositoryPolicyText，因为你已经在 ecr 政策中扮演了重要角色
ok @Marcin，现在在运行 Dockerrun.json 时，我收到 ECS task stopped due to: Task failed to start. (web: CannotPullECRContainerError: AccessDeniedException: User: arn:aws:sts::182107200133:assumed-role/SIVVVAMMM-MyInstanceRole-TRQKYWE4PVO6/i-00343ad943a37d429 is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400, request id db: ) 错误。那么我们如何提供对我的图像的读取权限呢？
@NatheeshkumarRangasamy 你可以添加它，就像在更新的答案中一样。