授予 ECR 权限时如何解决 Explicit Deny
How to solve Explicity Deny when granting permissino to a ECR
我正在尝试向一组用户授予对 Elastice 容器存储库的访问权限,并且我使用以下托管策略:
- AmazonEC2ContainerRegistryPowerUser
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource": "*"
}
]
}
- AmazonEC2ContainerRegistryReadOnly
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
]
}
但是用户收到以下错误:
There was an error fetching the repositories: User: arn:aws:iam::XXXXX:user/USERA is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:us-east-1:XXXX:repository/* with an explicit deny
我做错了什么?
您可能附加了另一个拒绝 ecr:DescribeRepositories 权限的策略。请参阅 the policy evaluation flowchart in the AWS docs 了解其工作原理。您应该查看与用户关联的完整权限集并查找具有显式拒绝的策略。
我正在尝试向一组用户授予对 Elastice 容器存储库的访问权限,并且我使用以下托管策略:
- AmazonEC2ContainerRegistryPowerUser
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource": "*"
}
]
}
- AmazonEC2ContainerRegistryReadOnly
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:ListTagsForResource",
"ecr:DescribeImageScanFindings"
],
"Resource": "*"
}
]
}
但是用户收到以下错误:
There was an error fetching the repositories: User: arn:aws:iam::XXXXX:user/USERA is not authorized to perform: ecr:DescribeRepositories on resource: arn:aws:ecr:us-east-1:XXXX:repository/* with an explicit deny
我做错了什么?
您可能附加了另一个拒绝 ecr:DescribeRepositories 权限的策略。请参阅 the policy evaluation flowchart in the AWS docs 了解其工作原理。您应该查看与用户关联的完整权限集并查找具有显式拒绝的策略。