I am creating a CloudFormation stack for ECS, but I get this Access Denied error and my stack fails.
Error: Resource handler returned message: "Invalid request provided: CreateService error: Access denied (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: c894016a-395d-4468-92fa-b63a2a4642f9; Proxy: null)" (RequestToken: 5d151803-6b53-02ea-8903-7c34934b251e, HandlerErrorCode: InvalidRequest)
I have tried several solutions available on the internet, but none of them work for me. I even tried creating a separate ExecutionRole, but it gives the same error. I tried creating the same stack in my personal account using the root user and it works. But when I log in as an IAM user, it gives the Access Denied error.
I am using nested stacks. Here is my root.yaml file, which you can try in your account.
root.yaml: https://cloudformation-exam-paranjay.s3.ap-south-1.amazonaws.com/exam2/root.yaml
ECS.yml
---
AWSTemplateFormatVersion: '2010-09-09'
Description: The template used to create an ECS Service from the ECS Console.
Parameters:
  ECSClusterName:
    Type: String
    Default: ecs-tutorial
  ECSServiceName:
    Type: String
    Default: ecs-tutorial-td
  LoadBalancerName:
    Type: String
    Default: ecs-tutorial-lb
  WAFName:
    Type: String
    Default: AllowAllTrafficAcl
Resources:
  ECSService:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !Ref ECSClusterName  # was hard-coded as ecs-tutorial; the parameter default is the same value
      CapacityProviderStrategy:
        - CapacityProvider: FARGATE
          Base: 0
          Weight: 1
      TaskDefinition: !Ref TaskDefinition # arn:aws:ecs:us-east-1:818971154557:task-definition/ecs-tutorial-td:1
      ServiceName: !Ref ECSServiceName  # was hard-coded as ecs-tutorial-td; same default
      # SchedulingStrategy: REPLICA
      DesiredCount: 2
      LoadBalancers:
        - ContainerName: tindog
          ContainerPort: 80
          LoadBalancerName:
            Ref: AWS::NoValue  # classic ELB name is not used; the target group ARN below is
          TargetGroupArn:
            Ref: TargetGroup
      NetworkConfiguration:
        AwsvpcConfiguration:
          # AssignPublicIp: ENABLED
          SecurityGroups: !Split [",", !ImportValue ECSSecurityGroup]
          Subnets:
            - !ImportValue PrivateSubnet1Id
            - !ImportValue PrivateSubnet2Id
      DeploymentController:
        Type: ECS
    DependsOn:
      - Listener
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: tindog-website-family
      # TaskRoleArn: !ImportValue ECSTaskRoleARN # Import the IAM role ARN from another stack
      Cpu: 512 # 0.5 vCPU
      Memory: 1024 # 1 GB
      NetworkMode: awsvpc
      # ExecutionRoleArn: !ImportValue ECSTaskRoleARN
      ContainerDefinitions:
        - Name: tindog
          Image: paranjay1/tindog:latest
          PortMappings:
            - ContainerPort: 80
      RequiresCompatibilities:
        - EC2
        - FARGATE
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Name: !Ref LoadBalancerName  # was hard-coded as ecs-tutorial-lb; same default
      SecurityGroups: !Split [",", !ImportValue ECSSecurityGroup]
      Subnets:
        - !ImportValue PublicSubnet1Id
        - !ImportValue PublicSubnet2Id
  TargetGroup:
    DependsOn: LoadBalancer
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckPath: "/"
      HealthCheckProtocol: HTTP
      Name: ecs-tutorial-target-group
      Port: 80
      Protocol: HTTP
      TargetType: ip  # required for awsvpc/Fargate tasks
      VpcId: !ImportValue VPCID
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: '300'
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn:
            Ref: TargetGroup
      LoadBalancerArn:
        Ref: LoadBalancer
      Port: 80
      Protocol: HTTP
  MyWAFWebACL:
    Type: AWS::WAFv2::WebACL
    DependsOn: LoadBalancer
    Properties:
      Name: !Ref WAFName
      Scope: REGIONAL
      DefaultAction:
        Allow: {} # An empty Allow block allows all traffic
      VisibilityConfig:
        CloudWatchMetricsEnabled: true # Enable CloudWatch metrics collection
        MetricName: MyWafMetric # Define a metric name for WAF logs
        SampledRequestsEnabled: true # Enable capturing a sample of requests for analysis
  MyWAFWebACLAsgn:
    DependsOn: MyWAFWebACL
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      WebACLArn: !GetAtt MyWAFWebACL.Arn
      ResourceArn: !Ref LoadBalancer
Outputs:
  ClusterName:
    Description: The cluster used to create the service.
    Value:
      Ref: ECSClusterName
  ECSService:
    Description: The created service.
    Value:
      Ref: ECSService
  LoadBalancer:
    Description: The created load balancer.
    Value:
      Ref: LoadBalancer
  Listener:
    Description: The created listener.
    Value:
      Ref: Listener
  TargetGroup:
    Description: The created target group.
    Value:
      Ref: TargetGroup
  LoadBalancerDNSName:
    Description: The DNS name of the load balancer.
    Value: !GetAtt LoadBalancer.DNSName
    Export:
      Name: LoadBalancerDNSName
  LoadBalancerARN:
    Description: "ALB ARN"
    Value: !GetAtt LoadBalancer.LoadBalancerArn
    Export:
      Name: "LoadBalancerARN"
You are creating ECS with CFN, but I do not see that you have CFN-related permissions. Let's try adding CFN permissions to create the resources and any other related ones. You can check this page to see which permissions you might need: https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateResource
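The answer above points at missing permissions on the deploying IAM user. The example below is added here and is not code from the question or the answer: it is an offline, deliberately simplified IAM action evaluator that takes a policy document and reports which of the actions the ECS.yml resources need are not allowed, plus a small parser for the CloudFormation failure message so the request ID can be correlated with CloudTrail. The sample policy is constructed, and REQUIRED_ACTIONS is an illustrative, non-exhaustive list derived from the resource types in the template (it includes iam:CreateServiceLinkedRole because ECS creates the AWSServiceRoleForECS service-linked role on first use if it does not already exist); neither is taken from the asker's account.

```python
"""Added example: simplified offline IAM action check for an ECS/ALB/WAF CloudFormation deploy.

Assumptions (not from the question): SAMPLE_USER_POLICY is an invented under-privileged
deployer policy; REQUIRED_ACTIONS is an illustrative, non-exhaustive action list.
"""
import fnmatch
import json
import re

# Constructed sample policy for the deploying IAM user (assumed, not the asker's real policy).
SAMPLE_USER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:*", "elasticloadbalancing:*", "ec2:Describe*", "s3:GetObject"],
         "Resource": "*"},
        # An explicit Deny wins over any Allow, as in real IAM evaluation.
        {"Effect": "Deny", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"},
    ],
})

# Illustrative actions the resources in ECS.yml require from the caller (assumed list).
REQUIRED_ACTIONS = [
    "cloudformation:CreateStack", "cloudformation:DescribeStacks",
    "cloudformation:DescribeStackEvents",
    "s3:GetObject",                          # TemplateURL points at an S3 object
    "ecs:RegisterTaskDefinition", "ecs:CreateService", "ecs:DescribeServices",
    "elasticloadbalancing:CreateLoadBalancer",
    "elasticloadbalancing:CreateTargetGroup",
    "elasticloadbalancing:CreateListener",
    "wafv2:CreateWebACL", "wafv2:AssociateWebACL",
    "iam:CreateServiceLinkedRole",           # ECS creates AWSServiceRoleForECS on first use
]

# English form of the failure message quoted in the question.
SAMPLE_ERROR = (
    'Resource handler returned message: "Invalid request provided: CreateService error: '
    'Access denied (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; '
    'Request ID: c894016a-395d-4468-92fa-b63a2a4642f9; Proxy: null)" '
    '(RequestToken: 5d151803-6b53-02ea-8903-7c34934b251e, HandlerErrorCode: InvalidRequest)'
)


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def evaluate_action(policy_json, action):
    """Return 'allow', 'deny' or 'implicit-deny' for one action.

    Simplified on purpose: only Effect, Action and NotAction are considered. Resource,
    Condition, permission boundaries and SCPs are ignored, so 'allow' here is a necessary
    condition for the real call to succeed, not a sufficient one.
    """
    policy = json.loads(policy_json)
    verdict = "implicit-deny"
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" in stmt:
            hit = _matches(action, stmt["Action"])
        else:
            hit = not _matches(action, stmt.get("NotAction", []))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"  # explicit deny is final
        verdict = "allow"
    return verdict


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Map each required action that is not allowed to its verdict."""
    return {a: evaluate_action(policy_json, a) for a in required
            if evaluate_action(policy_json, a) != "allow"}


def parse_cfn_error(message):
    """Extract the failed API call, service, status, error code and request ID from a
    CloudFormation resource-handler message, for matching against CloudTrail events."""
    fields = dict(re.findall(
        r"(Service|Status Code|Error Code|Request ID|HandlerErrorCode): ?([^;)]+)", message))
    api = re.search(r"(\w+) error: Access denied", message)
    return {
        "api_call": api.group(1) if api else None,
        "service": fields.get("Service"),
        "status_code": fields.get("Status Code"),
        "error_code": fields.get("Error Code"),
        "request_id": fields.get("Request ID"),
        "handler_error_code": fields.get("HandlerErrorCode"),
    }


if __name__ == "__main__":
    print("Failed call:", parse_cfn_error(SAMPLE_ERROR))
    for action, verdict in missing_actions(SAMPLE_USER_POLICY).items():
        print(f"{verdict:14} {action}")
```

Run against the constructed policy, the script lists the three cloudformation:* actions and both wafv2 actions as implicitly denied and iam:CreateServiceLinkedRole as explicitly denied, while every ecs and elasticloadbalancing action passes; that is the shape of a deployer that can call ECS directly but cannot drive the same deploy through CloudFormation. For an authoritative verdict that includes Resource and Condition elements, use the real IAM policy simulator (`aws iam simulate-principal-policy`) with the same action list, and look up the extracted request ID in CloudTrail to see which principal made the denied call.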