问题描述

我在Dockerfile中间的某行中有以下一行，用于从我的私有ECR中检索图像.

I have the following line somewhere in the middle of my Dockerfile to retrieve an image from my private ECR.

FROM **********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************:ff03401

这是我尝试构建此代码时在AWS Codebuild中遇到的错误:

This is the error that I get in AWS Codebuild when trying to build this:

如何才能以最安全的方式提供这些凭据，并且也可以通过terraform来提供这些凭据?

How can one provide these credentials in the most secure way, and in a way that can also be terraformed?

推荐答案

有多种方法可以实现.

使用aws访问和密钥.在其中您可以在ec2机器上设置aws凭证并运行ecr login命令. aws ecr get-login --no-include-email --registry-ids <some-id> --region eu-west-1，然后docker pull应该工作.但这不是推荐的安全方式.

Using aws access and secret key. In which you set the aws credentials on the ec2 machine and run ecr login command. aws ecr get-login --no-include-email --registry-ids <some-id> --region eu-west-1 and then docker pull should work. But this is not a recommended secure way.

我更喜欢使用AWS 默认角色.

What I prefer is using aws iam roles.

假设您要将此图像拖到使用terraform生成的ec2机器上.利用IAM角色.

Assuming you want to pull this image on your ec2 machine that was brought up using terraform. Make use of iam roles.

• 手动创建IAM角色，或使用terraform iam资源.
• 有关iam策略的内容，请参考此.
• 使用terraform 实例资源来使用ec2时属于 iam_instance_profile 属性的，此属性的值应是您创建的IAM角色的名称.

• Create an iam role manually or using terraform iam resource.
• For contents of iam policy refer this.
• While bringing ec2 using terraform instance resource make use of iam_instance_profile attribute, the value of this attribute should be the name of iam role you created.

这应该足以以安全的方式自动从ECR中提取docker映像.

This should be enough to automatically pull docker images from ECR in a secure way.

希望这会有所帮助.

这篇关于“没有基本认证凭证"；尝试从专用ECR提取图像时的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！