AWSLambda无法访问另一个账号的ECR镜像,提示无权限
- 在ECR存储库层面,授予Lambda所在账号的ARN以及Lambda所在账号的执行角色(ARN)访问存储库的权限。
示例代码:
aws ecr set-repository-policy
--repository-name my-ecr-repo
--policy-text '{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowCrossAccountPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:role/lambda-execution-role",
"arn:aws:iam::222222222222:root"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability"
]
}
]
}'
- 确保Lambda的执行角色(ARN)具有访问ECR存储库的权限。
示例代码:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:::*" }, { "Effect": "Allow", "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Resource": "arn:aws:ecr:us-east-1:222222222222:repository/my-ecr-repo" } ] }
其中,222222222222为ECR存储库所在的AWS账号ID,my-ecr-repo为存储库名称。