Permission issue when creating an ECS service with CloudFormation

Question (votes: 0, answers: 1)

I'm trying to create an ECS service in CloudFormation JSON.

Here is the role I created (I'm currently using one role for several things and will split them up later).

"LambdaBrownlowRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "LambdaBrownlowRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "lambda.amazonaws.com",
                  "events.amazonaws.com",
                  "ecs-tasks.amazonaws.com",
                  "ecs.amazonaws.com"
                ]
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "LambdaBrownlowPolicy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:ListBucket",
                    "s3:DeleteObject"
                  ],
                  "Resource": [
                    "arn:aws:s3:::afl-game-data/*",
                    "arn:aws:s3:::afl-game-data"
                  ]
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "dynamodb:PutItem",
                    "dynamodb:GetItem",
                    "dynamodb:Query",
                    "dynamodb:UpdateItem",
                    "dynamodb:Scan",
                    "dynamodb:BatchWriteItem",
                    "dynamodb:BatchGetItem"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                    "logs:DescribeLogStreams"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "ecs:CreateService",
                    "ecs:DescribeServices",
                    "ecs:UpdateService"
                  ],
                  "Resource": "*"
                }
              ]
            }
          }
        ]
      }
    },

Here is the JSON snippet for the relevant resources.

 "ECSBrownlowTaskDefinition": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "Family": "afl-brownlow-scrape",
        "ExecutionRoleArn": {
          "Fn::GetAtt": [
            "LambdaBrownlowRole",
            "Arn"
          ]
        },
        "Memory": "512",
        "Cpu": "256",
        "TaskRoleArn": {
          "Fn::GetAtt": [
            "LambdaBrownlowRole",
            "Arn"
          ]
        },
        "RequiresCompatibilities": [
          "FARGATE"
        ],
        "NetworkMode": "awsvpc",
        "ContainerDefinitions": [
          {
            "Name": "BrownlowScrape",
            "Image": {
              "Ref": "ECRRepositoryUriParameter"
            },
            "Essential": true,
            "Environment": [
              {
                "Name": "YEAR_TO_QUERY",
                "Value": {
                  "Ref": "YearToQueryParameter"
                }
              },
              {
                "Name": "BUCKET_NAME",
                "Value": {
                  "Ref": "BucketNameParameter"
                }
              },
              {
                "Name": "DATA_PATH",
                "Value": {
                  "Ref": "DataPathParameter"
                }
              }
            ],
            "LogConfiguration": {
              "LogDriver": "awslogs",
              "Options": {
                "awslogs-group": {
                  "Ref": "AFLScrapeLogGroup"
                },
                "awslogs-region": {
                  "Ref": "AWS::Region"
                },
                "awslogs-stream-prefix": "ecs"
              }
            }
          }
        ]
      }
    },
    "AFLScrapeLogGroup": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "LogGroupName": "/ecs/afl-brownlow-scrape"
      }
    },
    "ECSServiceScrapeAFL": {
      "Type": "AWS::ECS::Service",
      "Properties": {
        "Cluster": "afl-brownlow-cluster",
        "ServiceName": "ServiceECSBrownlow",
        "TaskDefinition": {
          "Ref": "ECSBrownlowTaskDefinition"
        },
        "LaunchType": "FARGATE",
        "DesiredCount": 0,
        "Role": {
          "Fn::GetAtt": ["LambdaBrownlowRole", "Arn"]
        }
      }
    },
    "ECSScrapeScheduledRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "Name": "ecs-brownlow-scrape-weekly",
        "Description": "Scheduled rule for ECS brownlow-scrape",
        "RoleArn": {
          "Fn::GetAtt": [
            "LambdaExecutionRole",
            "Arn"
          ]
        },
        "ScheduleExpression": "cron(0/10 * ? * * *)",
        "State": "ENABLED",
        "Targets": [
          {
            "Arn": {
              "Fn::GetAtt": [
                "ECSServiceScrapeAFL",
                "Arn"
              ]
            },
            "Id": "ecs-brownlow-scrape",
            "EcsParameters": {
              "TaskDefinitionArn": {
                "Ref": "ECSBrownlowTaskDefinition"
              },
              "TaskCount": 1,
              "LaunchType": "FARGATE"
            }
          }
        ]
      }
    }

When ECSServiceScrapeAFL is created, I get the following error:

Resource handler returned message: "Invalid request provided: CreateService error: Access denied (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: XXX; Proxy: null)" (RequestToken: XXX, HandlerErrorCode: InvalidRequest)

Does anyone know what I'm missing?

amazon-web-services aws-cloudformation amazon-ecs elastic-container-registry
1 answer

0 votes

I think what may be happening is that you have set both the task role and the execution role to LambdaBrownlowRole. You should only set the task role to LambdaBrownlowRole here. The execution role grants the ECS agent permission to make AWS API calls; the ECS agent is responsible for managing the tasks in the cluster, whereas the task role allows the containers in the task to assume an IAM role to call AWS APIs without using AWS credentials inside the container. You will need to update the execution role to allow ECS to create/maintain the cluster.
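
As an added illustration of the split the answer describes (example written for this page, not code from the question or the answer): the execution role trusts only ecs-tasks.amazonaws.com and carries the AWS managed AmazonECSTaskExecutionRolePolicy, which covers the ECR image pull and awslogs writes the agent performs, while the task role holds only the S3 and DynamoDB permissions the scraper container itself uses. The resource names ECSExecutionRole and ECSTaskRole and the DynamoDB table name placeholder are my own choices, and the container definition is shortened to its required fields.

```json
"ECSExecutionRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole",
                      "Principal": { "Service": "ecs-tasks.amazonaws.com" } }]
    },
    "ManagedPolicyArns": [
      "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
    ]
  }
},
"ECSTaskRole": {
  "Type": "AWS::IAM::Role",
  "Metadata": { "Comment": "TABLE_NAME_PLACEHOLDER is an assumed value; replace it with the real DynamoDB table name." },
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole",
                      "Principal": { "Service": "ecs-tasks.amazonaws.com" } }]
    },
    "Policies": [{
      "PolicyName": "BrownlowTaskPolicy",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          { "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::afl-game-data", "arn:aws:s3:::afl-game-data/*"] },
          { "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                       "dynamodb:Query", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem"],
            "Resource": { "Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/TABLE_NAME_PLACEHOLDER" } }
        ]
      }
    }]
  }
},
"ECSBrownlowTaskDefinition": {
  "Type": "AWS::ECS::TaskDefinition",
  "Properties": {
    "Family": "afl-brownlow-scrape",
    "ExecutionRoleArn": { "Fn::GetAtt": ["ECSExecutionRole", "Arn"] },
    "TaskRoleArn": { "Fn::GetAtt": ["ECSTaskRole", "Arn"] },
    "RequiresCompatibilities": ["FARGATE"],
    "NetworkMode": "awsvpc",
    "Cpu": "256",
    "Memory": "512",
    "ContainerDefinitions": [{ "Name": "BrownlowScrape", "Image": { "Ref": "ECRRepositoryUriParameter" }, "Essential": true }]
  }
}
```

Neither role needs the ecs:CreateService/UpdateService actions from the original policy: those are used by whoever deploys the stack, not by the task, so removing them keeps the task's blast radius to the bucket and table it actually touches.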
