以下是EC2实例承担的角色:
"AScaleLaunchConfig": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Properties":{
…..
"IamInstanceProfile": { "Ref": "EC2InstProfl” },
…..
}
}
"EC2InstProfl": {
"Type": "AWS::IAM::InstanceProfile",
"Properties":{
"Path": "/",
"Roles": [ { "Ref": "EC2InstRole" } ]
}
}
"EC2InstRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": [ "ec2.amazonaws.com" ] },
"Action": [ "sts:AssumeRole" ]
}
]
},
"Path": "/",
"ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role" ],
}
}
以下是分配给在该EC2实例中运行的任务(码头集装箱)的SomeTaskRole
:
"EcsTaskDef": {
"Type": "AWS::ECS::TaskDefinition",
"Properties":{
"NetworkMode": "host",
"TaskRoleArn": "arn:aws:iam::xxxxxxxxx:role/SomeTaskRole",
"ContainerDefinitions": [
{
"Name": “someapp",
"Image": “someaccout/someimage:test",
}
]
}
}
SomeTaskRole
在哪里:
{
"Version": "2012-10-17",
"Statement": [
{
"Description": “Allow access to all EC2/ELB/cloudformation/s3 and aim passrole",
…..
"Resource": "*"
},
{
"Description": “Assume iam User role“,
…..
"Effect": "Allow"
},
{
"Description": “Assume xyz role across all accouts“,
…..
"Effect": "Allow"
},
{
"Description": “Allow * access to all resource across n regions",
….
},
{
"Description": “Deny delete permission on network related resources like Subnets/Route/VPC/VPN/IGW etc…*,
….
},
{
"Description": “There are many such rules",
….
}
]
}
如果将EC2InstRole
分配给EC2实例,则Cloudformation堆栈将成功启动。
如果将SomeTaskRole
分配给EcsTaskDef
和 EC2InstRole
分配给EC2实例,则Cloudformation堆栈启动将挂起数小时,并且出错。尚未找到确切的错误。如果删除"TaskRoleArn": "arn:aws:iam::xxxxxxxxx:role/SomeTaskRole"
,则CloudFormation堆栈将成功启动。
1)
AWS IAM服务是否同时允许两者?
将角色分配给ECS任务
和
要为EC2实例分配角色?
2)
如果是,EC2角色中给定的规则是否重叠(并覆盖)ECS任务角色中给定的规则?
ECS任务仅获得分配给该任务的角色/权限。它没有得到主机的许可。