时间戳

首页 > 解决方案 > Docker 推送到 AWS ECR 问题

amazon-web-services - Docker 推送到 AWS ECR 问题

问题描述

几天来,我面临将图像从詹金斯推送到 ECR 并重新启动服务的问题。

我的 Jenkins 实例通过 ECS 托管在 EC2 实例上。(它也被构建为 docker 镜像)。

我想做的是构建映像,登录到 ECR,将映像推送到那里并重新启动服务。登录 ECR 有问题:

  1. 当我执行“取消设置 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI”时,“aws ecr get-login --region us-east-1”命令成功,但推送图像因“没有基本身份验证凭据”而停止。
  2. 当我不调用“未设置 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI”时,我什至无法登录 ECR。

我做了很多谷歌搜索和分析,但找不到任何答案。任何想法可能导致问题?是 IAM 设置还是 ecs-agent 的东西?

用于运行 jenkins 任务的策略:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": [
            "ecr:GetAuthorizationToken"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "GetAuthorizationToken"
    },
    {
        "Action": [
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability",
            "ecr:PutImage",
            "ecr:InitiateLayerUpload",
            "ecr:UploadLayerPart",
            "ecr:CompleteLayerUpload"
        ],
        "Resource": [
            "arn:aws:ecr:*:*:repository/salesiq*",
            "arn:aws:ecr:*:*:repository/comhub*",
            "arn:aws:ecr:*:*:repository/ssrt*",
            "arn:aws:ecr:*:*:repository/reveal*",
            "arn:aws:ecr:*:*:repository/se-*"
        ],
        "Effect": "Allow",
        "Sid": "EcrManagement"
    },
    {
        "Condition": {
            "ArnLike": {
                "ecs:cluster": [
                    "arn:aws:ecs:*:*:cluster/salesiq*",
                    "arn:aws:ecs:*:*:cluster/comhub*",
                    "arn:aws:ecs:*:*:cluster/ssrt*",
                    "arn:aws:ecs:*:*:cluster/reveal*",
                    "arn:aws:ecs:*:*:cluster/se-*"
                ]
            }
        },
        "Action": [
            "ecs:RunTask",
            "ecs:StartTask",
            "ecs:StopTask",
            "ecs:DescribeClusters",
            "ecs:DescribeServices",
            "ecs:ListClusters",
            "ecs:DescribeContainerInstances",
            "ecs:StopTask"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "EcsManagement"
    },
    {
        "Action": [
            "ecs:List*",
            "ecs:Describe*",
            "ecr:Describe*",
            "ecr:Get*",
            "ecr:Describe*",
            "ecr:List*",
            "cloudwatch:Get*",
            "cloudwatch:List*",
            "cloudwatch:Describe*",
            "ecs:UpdateService"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "EcsListing"
    }
]

}

标签: amazon-web-servicesdocker

解决方案

我认为您可能缺少的是命令docker login命令本身。您的问题中没有提到。所以你需要以下内容;

    aws ecr get-login --region region --no-include-email

然后你想执行上述命令的输出;

    docker login -u AWS -p password https://aws_account_id.dkr.ecr.us-east-1.amazonaws.com

或者,您可以运行;

    $(aws ecr get-login --no-include-email --region eu-west-1)

接着

    docker push $ecr_repo:latest

我在管道中运行的 bash 脚本示例;

    #!/bin/bash
    set -ex

    # $branch: current git branch
    # $commit: hash of the current git commit
    # $ecr_repo: Self explanatory

    $(aws ecr get-login --no-include-email --region eu-west-1)
    docker pull $ecr_repo:latest
    docker build --cache-from $ecr_repo:latest -t image_name .
    docker tag image_name:latest $ecr_repo:$commit
    if [ "$branch" = "master" ]; then
      docker tag image_name:latest $ecr_repo:latest
      docker push $ecr_repo:latest
    fi
    docker push $ecr_repo:$commit

推荐阅读