31

我正在试用 AWS ECR 并将新标签推送到我们的私有存储库。

它是这样的:

export DOCKER_REGISTRY=0123123123123.dkr.ecr.us-east-1.amazonaws.com
export TAG=0.1
docker build -t vendor/app-name .
`aws ecr get-login --region us-east-1`" # generates docker login
docker tag vendor/app-name $DOCKER_REGISTRY/vendor/app-name:$TAG
docker push $DOCKER_REGISTRY/vendor/app-name:$TAG

登录有效,标签被创建,我看到它docker images,但推送神秘地失败。

The push refers to a repository [0123123123123.dkr.ecr.us-east-1.amazonaws.com/vendor/app-name] (len: 2)
b1a1d76b9e52: Pushing [==================================================>]     32 B/32 B
Error parsing HTTP response: unexpected end of JSON input: ""

这很可能是配置错误,但我不知道如何从中获得更多输出。该命令没有调试级别选项,没有其他日志,而且我无法拦截网络流量,因为它似乎已加密。

4

3 回答 3

61

遇到同样的问题。对我来说,确保我正在推动的 IAM 用户获得了ecr:BatchCheckLayerAvailability许可。

我原本打算制定“仅推送”策略,但没有意识到成功推送需要此权限。

于 2015-12-22T21:59:49.503 回答
8

您需要的最低保单:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ecr:UploadLayerPart",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:CompleteLayerUpload",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "arn:aws:ecr:<your region>:<your account id>:repository/<your repository name>"
    }
  ]
}
于 2020-04-21T21:02:17.637 回答
3

除了@Ethan 的回答:我试图找到将 docker 映像推送到 AWS 注册表所需的最小权限集。截至今天,最小集合是:

    {
        "Sid": "PushToEcr",
        "Effect": "Allow",
        "Action": [
            "ecr:BatchCheckLayerAvailability",
            "ecr:CompleteLayerUpload",
            "ecr:GetAuthorizationToken",
            "ecr:InitiateLayerUpload",
            "ecr:PutImage",
            "ecr:UploadLayerPart"
        ],
        "Resource": "*"
    }

据我了解,Resource一定是*因为其中一些操作无法正常工作。欢迎改进!

于 2020-04-20T09:58:02.390 回答