ECR IAM policy document for EKS node accessSetting environment variable in kubernetes before pulling an imageGive EC2 IAM role read access to S3 bucketCreate an IAM Policy that allows everything except IAM except PassRoleWhich IAM permissions are needed for ec2-create-image?Kubernetes/Flannel doens't work in private networkAutomatically login on Amazon ECR with Docker SwarmAWS access token for user assuming roleAWS could not get token: AccessDenied: User: ARN is not authorized to perform: sts:AssumeRole on resource: Role:ARNAmazon EKS: how to configure S3 access for worker nodes?possible for ec2 to have cross account bucket access without using iam user?Share IAM Policy across accounts in Organizations
Why didn't the Space Shuttle bounce back into space as many times as possible so as to lose a lot of kinetic energy up there?
What makes accurate emulation of old systems a difficult task?
What does "function" actually mean in music?
What was Apollo 13's "Little Jolt" after MECO?
Can a level 2 Warlock take one level in rogue, then continue advancing as a warlock?
How to have a sharp product image?
Apply a different color ramp to subset of categorized symbols in QGIS?
What is this word supposed to be?
Crossed out red box fitting tightly around image
What is the best way to deal with NPC-NPC combat?
std::unique_ptr of base class holding reference of derived class does not show warning in gcc compiler while naked pointer shows it. Why?
A faster way to compute the largest prime factor
Why do real positive eigenvalues result in an unstable system? What about eigenvalues between 0 and 1? or 1?
Complex numbers z=-3-4i polar form
How to keep bees out of canned beverages?
Is Diceware more secure than a long passphrase?
"My boss was furious with me and I have been fired" vs. "My boss was furious with me and I was fired"
Older movie/show about humans on derelict alien warship which refuels by passing through a star
"Whatever a Russian does, they end up making the Kalashnikov gun"? Are there any similar proverbs in English?
Is there really no use for MD5 anymore?
How do I reattach a shelf to the wall when it ripped out of the wall?
Extracting Dirichlet series coefficients
Multiple options vs single option UI
Why do games have consumables?
ECR IAM policy document for EKS node access
Setting environment variable in kubernetes before pulling an imageGive EC2 IAM role read access to S3 bucketCreate an IAM Policy that allows everything except IAM except PassRoleWhich IAM permissions are needed for ec2-create-image?Kubernetes/Flannel doens't work in private networkAutomatically login on Amazon ECR with Docker SwarmAWS access token for user assuming roleAWS could not get token: AccessDenied: User: ARN is not authorized to perform: sts:AssumeRole on resource: Role:ARNAmazon EKS: how to configure S3 access for worker nodes?possible for ec2 to have cross account bucket access without using iam user?Share IAM Policy across accounts in Organizations
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
What is the correct way to manage EKS node access to ECR via the IAM policy documents when I want to limit who can start jobs using different images?
In a simplified example, I have users A and B and ECR repositories C and D. User A has access to both repositories and user B should only have access to C. I want both users to be able to use the same EKS cluster (and the same set of nodes), and A should be able to run jobs on EKS using images from either C or D while B should be able to run only jobs using images from C but not D.
In my current setup, all EC2 nodes in the EKS cluster use a common IAM role which has AmazonEC2ContainerRegistryReadOnly attached to it so that it can read from all ECR repositories. Repository C gives user A and the EC2 node role read access, and repository D gives both users A and B as well as the EC2 node role read access. However, this means that both user A and user B can start jobs that read from either repository C or D, which is not what I want (user B shouldn't be able to start jobs reading from repository D).
I understand that one possibility would be to partition the set of nodes and assign them different EC2 IAM instance profiles and set up the ECR IAM policy documents so that the first set of nodes has access to repositories C and D while a second set of nodes only has access to C, but is there an alternative to this that avoids having to set up a set of nodes for each unique set of user permissions?
amazon-web-services kubernetes amazon-ecr
asked Apr 18 at 17:11
Ai SuAi Su
61
add a comment |
What is the correct way to manage EKS node access to ECR via the IAM policy documents when I want to limit who can start jobs using different images?
In a simplified example, I have users A and B and ECR repositories C and D. User A has access to both repositories and user B should only have access to C. I want both users to be able to use the same EKS cluster (and the same set of nodes), and A should be able to run jobs on EKS using images from either C or D while B should be able to run only jobs using images from C but not D.
In my current setup, all EC2 nodes in the EKS cluster use a common IAM role which has AmazonEC2ContainerRegistryReadOnly attached to it so that it can read from all ECR repositories. Repository C gives user A and the EC2 node role read access, and repository D gives both users A and B as well as the EC2 node role read access. However, this means that both user A and user B can start jobs that read from either repository C or D, which is not what I want (user B shouldn't be able to start jobs reading from repository D).
I understand that one possibility would be to partition the set of nodes and assign them different EC2 IAM instance profiles and set up the ECR IAM policy documents so that the first set of nodes has access to repositories C and D while a second set of nodes only has access to C, but is there an alternative to this that avoids having to set up a set of nodes for each unique set of user permissions?
amazon-web-services kubernetes amazon-ecr
asked Apr 18 at 17:11
Ai SuAi Su
61
add a comment |
What is the correct way to manage EKS node access to ECR via the IAM policy documents when I want to limit who can start jobs using different images?
In a simplified example, I have users A and B and ECR repositories C and D. User A has access to both repositories and user B should only have access to C. I want both users to be able to use the same EKS cluster (and the same set of nodes), and A should be able to run jobs on EKS using images from either C or D while B should be able to run only jobs using images from C but not D.
In my current setup, all EC2 nodes in the EKS cluster use a common IAM role which has AmazonEC2ContainerRegistryReadOnly attached to it so that it can read from all ECR repositories. Repository C gives user A and the EC2 node role read access, and repository D gives both users A and B as well as the EC2 node role read access. However, this means that both user A and user B can start jobs that read from either repository C or D, which is not what I want (user B shouldn't be able to start jobs reading from repository D).
I understand that one possibility would be to partition the set of nodes and assign them different EC2 IAM instance profiles and set up the ECR IAM policy documents so that the first set of nodes has access to repositories C and D while a second set of nodes only has access to C, but is there an alternative to this that avoids having to set up a set of nodes for each unique set of user permissions?
amazon-web-services kubernetes amazon-ecr
asked Apr 18 at 17:11
Ai SuAi Su
61
What is the correct way to manage EKS node access to ECR via the IAM policy documents when I want to limit who can start jobs using different images?
In a simplified example, I have users A and B and ECR repositories C and D. User A has access to both repositories and user B should only have access to C. I want both users to be able to use the same EKS cluster (and the same set of nodes), and A should be able to run jobs on EKS using images from either C or D while B should be able to run only jobs using images from C but not D.
In my current setup, all EC2 nodes in the EKS cluster use a common IAM role which has AmazonEC2ContainerRegistryReadOnly attached to it so that it can read from all ECR repositories. Repository C gives user A and the EC2 node role read access, and repository D gives both users A and B as well as the EC2 node role read access. However, this means that both user A and user B can start jobs that read from either repository C or D, which is not what I want (user B shouldn't be able to start jobs reading from repository D).
I understand that one possibility would be to partition the set of nodes and assign them different EC2 IAM instance profiles and set up the ECR IAM policy documents so that the first set of nodes has access to repositories C and D while a second set of nodes only has access to C, but is there an alternative to this that avoids having to set up a set of nodes for each unique set of user permissions?
amazon-web-services kubernetes amazon-ecr
amazon-web-services kubernetes amazon-ecr
asked Apr 18 at 17:11
Ai SuAi Su
61
asked Apr 18 at 17:11
Ai SuAi Su
61
asked Apr 18 at 17:11
Ai SuAi Su
61
asked Apr 18 at 17:11
Ai SuAi Su
61
asked Apr 18 at 17:11
Ai SuAi Su
61
61
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963700%2fecr-iam-policy-document-for-eks-node-access%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963700%2fecr-iam-policy-document-for-eks-node-access%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
