问题描述

我的 Dockerfile 中间某处有以下行，用于从我的私有 ECR 中检索图像.

I have the following line somewhere in the middle of my Dockerfile to retrieve an image from my private ECR.

FROM **********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************:ff03401

这是我在尝试构建此代码时在 AWS Codebuild 中遇到的错误:

This is the error that I get in AWS Codebuild when trying to build this:

步骤 21/36:来自 **********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************:ff03401获取 https://**********.dkr.ecr.ap-southeast-1.amazonaws.com/prod/*************/manifests/ff03401:没有基本的身份验证凭据

如何以最安全的方式提供这些凭据，并且还可以terraformed?

How can one provide these credentials in the most secure way, and in a way that can also be terraformed?

推荐答案

有多种方法可以做到.

使用 aws 访问和密钥.您在其中设置 ec2 机器上的 aws 凭据并运行 ecr login 命令.aws ecr get-login --no-include-email --registry-ids <some-id>--region eu-west-1 然后 docker pull 应该可以工作.但这不是推荐的安全方式.

Using aws access and secret key. In which you set the aws credentials on the ec2 machine and run ecr login command. aws ecr get-login --no-include-email --registry-ids <some-id> --region eu-west-1 and then docker pull should work. But this is not a recommended secure way.

我更喜欢使用 aws iam 角色.

What I prefer is using aws iam roles.

假设您想在使用 terraform 启动的 ec2 机器上提取此图像.利用 iam 角色.

Assuming you want to pull this image on your ec2 machine that was brought up using terraform. Make use of iam roles.

• 手动创建 iam 角色或使用 terraform iam 资源.
• 有关 iam 政策的内容，请参阅this.李>
• 在使用 terraform 引入 ec2 时，实例资源 使用iam_instance_profile 属性，该属性的值应该是您创建的 iam 角色的名称.

• Create an iam role manually or using terraform iam resource.
• For contents of iam policy refer this.
• While bringing ec2 using terraform instance resource make use of iam_instance_profile attribute, the value of this attribute should be the name of iam role you created.

这应该足以以安全的方式自动从 ECR 拉取 docker 映像.

This should be enough to automatically pull docker images from ECR in a secure way.

希望这会有所帮助.

这篇关于“没有基本的身份验证凭据"尝试从私有 ECR 中提取图像时的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！