我正在使用以下 terraform 块创建 AWS IAM 角色。这将启用
AmazonECSTaskExecutionRolePolicy
权限。
resource "aws_iam_role" "my_ecs_task_execution_role" {
name_prefix = "my_ecs_task_execution_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
description = "Allows ECS tasks to call AWS ECS on your behalf."
}
我正在使用上述 IAM 角色来创建如下所示的 AWS Batch 作业定义。
resource "aws_batch_job_definition" "job_def_m_8_c_4" {
name = "m_8_c_4"
type = "container"
platform_capabilities = ["EC2"]
container_properties = <<CONTAINER_PROPERTIES
{
"executionRoleArn": "${aws_iam_role.my_ecs_task_execution_role.arn}",
"image": "<image_uri>",
"memory": 8000,
"vcpus": 4
}
CONTAINER_PROPERTIES
timeout {
attempt_duration_seconds = 21600
}
}
我还添加了必要的作业队列和计算环境。
但是这里的问题是,当我运行
terraform apply
时,我第一次遇到一些奇怪的错误-
error creating Batch Job Definition (m_8_c_4): : Error executing request, Exception :
arn:aws:iam::xxx:role/my_ecs_task_execution_rolexyz role is not authorized.,
RequestId: xyzzys-xyzxyz-xyzxyxz
我使用 Terraform - v1.4.4
我已经尝试过的解决方案
我尝试将
"AWS": "arn:aws:iam::<account_id>:root"
添加到 aws_iam_role.my_ecs_task_execution_role
并再次得到相同的结果。
我还验证了 STS 端点,它们在所有区域都处于活动状态。
您的角色似乎没有任何权限。定义
assume_role_policy
只会让 ECS 承担该角色。
考虑将
AmazonECSTaskExecutionRolePolicy
AWS 托管策略附加到您的角色:
resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
role = aws_iam_role.my_ecs_task_execution_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}