Docker registry, S3 and permissions
There are a couple of bazillion blog posts saying “yah just did my docker registry on S3”.
It’s not so easy, though. Cause what if you want to limit access to a certain IAM user? Yup, you need to go deep (well, a bit) into the policy thing of Amazon. Which sounds simple, but isn’t.
I got “HTTP 500” errors from the docker registry when I first deployed. My configuration, which was wrong, looked like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
"RegistryIAMUser" : { "Type" : "AWS::IAM::User" }, "RegistryIAMUserAccessKey" : { "Type" : "AWS::IAM::AccessKey", "Properties" : { "UserName" : { "Ref" : "RegistryIAMUser" } } }, "Bucket" : { "Type" : "AWS::S3::Bucket", "Properties" : { "BucketName" : "flypenguin.docker-registry" } }, "RegistryPrivateAccess" : { "Type" : "AWS::S3::BucketPolicy", "Properties" : { "Bucket" : {"Ref":"Bucket"}, "PolicyDocument": { "Statement":[{ "Action":[ "s3:*" ], "Effect":"Allow", "Resource": { "Fn::Join" : ["", ["arn:aws:s3:::", { "Ref" : "Bucket" } , "/*" ]]}, "Principal": {"AWS" : {"Fn::GetAtt":["RegistryIAMUser","Arn"]}} }] } } } |
Since this didn’t work really well, I googled my a** off and found a little post, which used a UserPolicy (instead of a bucket policy, which is basically the other way around), but did one thing different. My working configuration is now … (let’s see if you can see the difference):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
[... same as above ...] "UserPolicyRegistryPrivateAccess" : { "Type" : "AWS::IAM::Policy", "Properties" : { "PolicyName" : "AccessToDockerBucket", "Users" : [ {"Ref":"RegistryIAMUser"}], "PolicyDocument" : { "Version" : "2012-10-17", "Statement" : [{ "Effect":"Allow", "Action":[ "s3:*" ], "Resource": [ { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref":"Bucket"} , "/*" ]]}, { "Fn::Join" : ["", ["arn:aws:s3:::", {"Ref":"Bucket"} ]]} ] }] } } } |
See it?
It’s the two resources now. You need not only “resource/*” as a target, you also need “resource” itself as a target. Which makes sense if you know it and think about it. If you don’t … it’s a bit annoying. And time-consuming.
Reply