我有以下Dockerrun.aws.json:
{
"AWSEBDockerrunVersion": "1","Authentication": {
"Bucket": "bucket-of-another-aws-account","Key": "docker/.dockercfg"
},"Image": {
"Name": "docker-image"
},"Ports": [
{
"ContainerPort": "8080"
}
]
}
我们的Docker容器的Elastic Beanstalk环境在客户的AWS账户中运行,而具有.dockercfg的S3存储桶属于我们的AWS账户.
出于测试目的,我将存储桶策略原则设置为*,以便任何人都可以下载.dockercfg文件.然而,Elastic Beanstalk无法下载该文件(“无法从bucket-of-another-aws-account下载身份验证凭据docker / .dockercfg”).
下一个测试是将文件移动到客户的AWS账户中的S3存储桶.那很有效.
问题是:是否可以在Dockerrun.aws.json中使用另一个帐户的存储桶?我在文档中找不到任何提示,我不想将DockerHub API密钥提供给我们的客户.
最佳答案
我们设法克服了“无法下载身份验证凭据”,如下所示:
原文链接:https://www.f2er.com/docker/437132.html1)在帐户B(尝试访问远程存储桶的帐户)中,查看Elastic Beanstalk环境的设置,了解它正在使用的实例角色名称(配置,实例(cog),实例配置文件)
2)仍然在帐户B中,在IAM管理器中,转到角色并找到EB用于实例的上一步骤中的ec2角色,并附加内联策略
{
"Version": "2012-10-17","Statement": [
{
"Sid": "BucketAccess","Effect": "Allow","Action": [
"s3:List*","s3:GetBucketLocation"
],"Resource": [
"arn:aws:s3:::bucket-of-another-aws-account"
]
},{
"Sid": "S3ObjectAccess","Action": [
"s3:GetObject*","s3:List*"
],"Resource": [
"arn:aws:s3:::bucket-of-another-aws-account/*"
]
}
]
}
3)在账户A中的目标s3桶上附加一个策略(其中222222222222是您的账户B的账号)
{
"Version": "2012-10-17","Statement": {
"Sid": "AccountBAccess1","Principal": {
"AWS": "222222222222"
},"Action": "s3:*","Resource": [
"arn:aws:s3:::bucket-of-another-aws-account","arn:aws:s3:::bucket-of-another-aws-account/*"
]
}
}
我知道它对OP的回答很晚(让我想到https://xkcd.com/979/)但我也无法在网上的文档中找到任何简明或明确的答案,并且有更多人转向AWS和Elastic Beanstalk我希望这可以用到其他!
