Amazon web services: restricting users to push/pull specific Docker images in an AWS ECS repo
Is there a way to allow users to push/pull only the specific Docker images they own in an AWS ECS repo?

You can configure which IAM users in your account are allowed to push and pull images:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::aws_account_id:user/push-pull-user-1",
          "arn:aws:iam::aws_account_id:user/push-pull-user-2"
        ]
      },
      "Action": [
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload"
      ]
    }
  ]
}
References:

By now you may already have a solution, but sharing some information here:
Consider 2 users with the following permissions:
ecr-user, with policy ARN arn:aws:iam::aws:policy/AdministratorAccess, who has administrative permission on all resources in AWS:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
vault-user, with policy ARN arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy, a user with limited permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
You can get this from IAM -> Users, then click on the name of the policy attached to the user.
Consider the following two repositories associated with the users ecr-user and vault-user. The repo ecr-permissions, linked to ecr-user, has the following permissions:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "denyAdmin",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::****:user/ecr-user"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:PutLifecyclePolicy",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
So, with the above policy, you can restrict even an admin user (ecr-user) from pushing to that repo:
$ docker push ****.dkr.ecr.us-east-1.amazonaws.com/ecr-permissions:1.0
The push refers to repository [****.dkr.ecr.us-east-1.amazonaws.com/ecr-permissions]
fe6a7a3b3f27: Layer already exists
d0673244f7d4: Layer already exists
d8a33133e477: Layer already exists
denied: User: arn:aws:iam::****:user/ecr-user is not authorized to perform: ecr:UploadLayerPart on resource: arn:aws:ecr:us-east-1:****:repository/ecr-permissions with an explicit deny
Similarly, by adjusting the ECR repo policy as shown below, you can allow a non-admin user who has only read-only permission on the ECR repo [vault-user in this case] to push docker images.
Before adding the above policy:

After adding the policy:
These policies are defined per repo in ECR: ECR -> Repositories -> Permissions
Add a condition to this policy to further restrict users to pushing/pulling specific images.

@Asdfg and Ashan, thanks a lot for your replies. I'm not sure where and how to set the condition that restricts/allows users to push/pull specific images. I'd appreciate it if you could give me an example.
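As an added worked example (not code from either answer or from AWS), the toy evaluator below applies the IAM decision rule behind the denied `docker push` in the second answer to that answer's own policies: an explicit Deny in the repository policy overrides ecr-user's AdministratorAccess, while vault-user's read-only policy leaves push actions implicitly denied until an Allow is added in either the identity or the repository policy. The placeholder account id, the bare-ARN `Principal` form, and `scoped_push_policy` (which shows the supported way to narrow an identity policy to one repository ARN rather than to individual images) are assumptions of the example; Conditions, permissions boundaries, SCPs and cross-account evaluation are not modelled.

```python
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed placeholder; the answer masks its account id as ****
REPO = f"arn:aws:ecr:us-east-1:{ACCOUNT}:repository/ecr-permissions"
ECR_USER = f"arn:aws:iam::{ACCOUNT}:user/ecr-user"
VAULT_USER = f"arn:aws:iam::{ACCOUNT}:user/vault-user"

# Identity-based policies from the answer: AdministratorAccess for ecr-user and
# the ECR read-only part of AmazonECSTaskExecutionRolePolicy for vault-user.
IDENTITY = {
    ECR_USER: [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    VAULT_USER: [{"Effect": "Allow", "Resource": "*", "Action": [
        "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]}],
}
# Repository (resource) policy from the answer, keyed by the repository it is attached to.
# Principal is simplified to a bare ARN instead of {"AWS": "..."}.
REPO_POLICIES = {REPO: [{"Sid": "denyAdmin", "Effect": "Deny", "Principal": ECR_USER,
                         "Action": ["ecr:BatchGetImage", "ecr:DescribeImages", "ecr:ListImages",
                                    "ecr:PutImage", "ecr:PutLifecyclePolicy", "ecr:UploadLayerPart"]}]}

def _listed(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)

def _matches(stmt, action, resource, principal=None):
    """True if the statement applies to this request; '*' wildcards behave as in IAM."""
    if principal is not None and principal not in _listed(stmt.get("Principal", [])):
        return False
    if not any(fnmatchcase(action, pat) for pat in _listed(stmt["Action"])):
        return False
    return any(fnmatchcase(resource, pat) for pat in _listed(stmt.get("Resource", "*")))

def evaluate(principal, action, resource, identity=IDENTITY, repo_policies=REPO_POLICIES):
    """Same-account IAM decision: explicit Deny > Allow (from either policy) > implicit deny."""
    matched = [s for s in identity.get(principal, []) if _matches(s, action, resource)]
    matched += [s for s in repo_policies.get(resource, []) if _matches(s, action, resource, principal)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "explicit deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "allow"
    return "implicit deny"

def scoped_push_policy(repo_arn):
    """Identity policy granting push/pull on ONE repository ARN instead of Resource '*'.
    ecr:GetAuthorizationToken is deliberately left out: it needs a separate statement on '*'."""
    return [{"Effect": "Allow", "Resource": repo_arn, "Action": [
        "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
        "ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"]}]
```

Running `evaluate(ECR_USER, "ecr:UploadLayerPart", REPO)` reproduces the "explicit deny" that the push output above reports, even though the same user's layer-availability checks still succeed.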