Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Most restrictive Document Policy for an S3 Gateway Endpoint to pull docker image in ECR from ECS

0

I am deploying an ECS Fargate cluster with a service in private subnets. To enable tasks to pull the Docker image from ECR, I have created three Endpoints (dkr, ecr API, and S3) in my VPC.

Focusing on the S3 endpoint, I would like to associate the most restrictive policy possible so that only tasks can use this endpoint and only access the specific S3 bucket where ECR stores the images.

In the official AWS documentation, they propose the following policy:

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"]
    }
  ]
}

This policy is okay, but it only restricts access to the bucket through the endpoint. I would like a policy that specifically allows only ECS to access it and not other resources that may be in the same private subnets with access to the endpoint. I have tried this policy:

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only-from-ecs-task",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"]
    }
  ]
}

But it doesn't work, task can't pull the image and I don't know why.

Can you help me out?

Argomenti
ArchiviazioneServerlessContainerSicurezza, identità e conformità
Tag
Servizio di archiviazione semplice di AmazonAWS FargateRegistro dei container di Amazon Elastic (ECR)Servizio container Amazon ElasticPolitiche IAM
Lingua
English
profile picture
jaimeelso
posta 7 mesi fa398 visualizzazioni
2 Risposte
0

Usually you associate an IAM role to the service, have you tried that as the principal?

profile picture
ESPERTO
Gary Mclean
con risposta 7 mesi fa
0

have you tried using a condition as follows? replacing Role name with the ECS Task Role?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-IAM-role",
      "Effect": "Allow",
      "Principal": "*",
        "Action": [
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"
        }
      }
    }
  ]
}
profile picture
ESPERTO
Gary Mclean
con risposta 7 mesi fa
  • jaimeelso
    7 mesi fa

    I just tried to modify it as you suggested, and it doesn't work, neither by setting the ExecutionRoleArn of the service nor with the TaskRoleArn of the task.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente