5

我想将 EC2 实例限制为具有相同命名空间的 EC2 容器注册表 (ECR) 存储库。

IAM 实例角色只能拉取AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/test-namespace/.... 没有其他的。

我在 EC2 实例角色上尝试了以下 IAM 策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1490955256000",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": [
                "arn:aws:ecr:REGION:AWS_ACCOUNT_ID:repository/test-namespace/*"
            ]
        }
    ]
}

但是我能够docker pull从该实例的所有存储库中获取图像。例如AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/test-repo:latest

我看不出我做错了什么。不能是资源级权限。上述所有动作都支持它们,除了ecr:GetAuthorizationToken.

由于我们有很多存储库,我不想在每个存储库上设置资源权限。

4

1 回答 1

2

ecr:GetAuthorizationToken不支持资源级权限。您需要授予"Resource": "*"ecr:GetAuthorizationToken操作。其他操作可以限制为您希望访问的特定资源。

在策略中,它看起来像这样:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1490955256000",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "Stmt1490955256001",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage"
            ],
            "Resource": [
                "arn:aws:ecr:REGION:AWS_ACCOUNT_ID:repository/test-namespace/*"
            ]
        }
    ]
}
于 2019-12-10T23:54:17.663 回答