8

我正在尝试构建我的测试项目,但每次它都在pre_build中失败。我检查了错误日志,它说:

[容器] 2017/03/26 19:28:21 调用 GetAuthorizationToken 操作时发生错误(AccessDeniedException):用户:arn:aws:sts::074181202020:assumed-role/codebuild-Testing-project-service-role/ AWSCodeBuild 无权执行:ecr:GetAuthorizationToken on resource:*

我已尝试附加以下政策:

  • IAMSelfManageServiceSpecificCredentials
  • IAM完全访问
  • AmazonS3ReadOnlyAccess
  • CodeBuildPolicy-Testing-project-1490555003058
  • IAM只读访问
  • AWSCodeBuildAdminAccess
  • IAM用户SSH密钥
  • AWSCodeCommitFullAccess
  • IAM完全访问
  • AmazonS3FullAccess
  • 管理员访问
  • AWSElasticBeanstalkFullAccess
  • AWSCodePipelineFullAccess
  • WSCodeBuildAdminAccess

但它仍然给我同样的错误

任何帮助,将不胜感激!谢谢!

4

5 回答 5

20

实际上 getAuthorizationToken 错误无法在 ECR 中解决(因为您甚至不会在那里看到 ecr:getAuthorizationToken)。

您需要转到 IAM 面板 => Roles => CodeBuild Role => Grant Policy => AmazonEC2ContainerRegistryReadOnly

这使它能够获得令牌

于 2018-09-10T19:24:07.227 回答
8

您需要将权限添加到 ECR 存储库策略,而不是 CodeBuild 服务角色。此页面有一个回购策略示例: https ://docs.aws.amazon.com/codebuild/latest/userguide/sample-ecr.html

于 2017-03-27T16:21:17.987 回答
3

当您配置 AWS Codebuild 时,它会创建服务角色并在其中附加默认策略以写入日志并将文件放入 S3 存储桶。为了让 CodeBuild 底层实例能够访问 ECR,您应该将策略附加到该服务角色。

您可以使用一些托管策略,例如:

AmazonEC2ContainerRegistryFullAccess

了解更多信息:

https://aws.amazon.com/blogs/devops/build-a-continuous-delivery-pipeline-for-your-container-images-with-amazon-ecr-as-source/

于 2019-01-17T20:30:40.967 回答
1

这是我管理 ECR 的政策。然后,我将它附加到我想要允许访问的用户:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "ecr:GetDownloadUrlForLayer",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecr:ListImages",
                "ecr:DeleteRepository",
                "ecr:BatchDeleteImage",
                "ecr:SetRepositoryPolicy",
                "ecr:DeleteRepositoryPolicy",
                "ecr:GetAuthorizationToken"
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage"
            ]
        }
    ]
}
于 2018-11-26T13:34:10.390 回答
0

我遵循此指南https://www.stacksimplify.com/aws-eks/aws-devops-eks/learn-to-master-devops-on-aws-eks-using-aws-codecommit-codebuild-codepipeline/#step -08-review-the-buildspecyml-for-codebuild-environment-variables

还要注意的是,AWS 会创建两个角色(Code Pipelines 角色和 Code Build 角色)。您需要将策略 AmazonEC2ContainerRegistryFullAccess 添加到代码构建角色。codebuild 角色的名称将是:codebuild-<codebuild_project>-service-role,请勿将上述策略添加到 AWSCodePipelineServiceRole--。

于 2021-07-19T03:31:05.703 回答