AWS Service Unable To Assume Role


Problem description

I've two AWS Cloudformation stacks, one for IAM roles and the second to create an AWS service and import the respective roles into it using Cloudformation.

When 10+ services are deployed the following error appears randomly on 1 or 2 of the services -

AWS::ECS::Service service Unable to assume role and validate the listeners configured on your load balancer. Please verify that the ECS service role being passed has the proper permissions.

If all the services are torn down and the services redeployed to the ECS cluster, the error appears but for different services.

The AWS fix for this can be seen here

If the 1 or 2 broken services are torn down and redeployed the services deploy without issue. So the problem appears to only occur when many services are deployed at the same time - this indicates it may be an IAM propagation timing issue within Cloudformation.

I've tried adding depends on in the service definition -

"service" : {
    "Type" : "AWS::ECS::Service",
    "DependsOn" : [
        "taskdefinition",
        "ECSServiceRole"
    ],
    "Properties" : {
        "Cluster" : { "Ref": "ECSCluster"},
        "Role" : {"Ref" : "ECSServiceRole"},
        etc...
    }
}

But this doesn't work.

As you can note, I've also removed the IAM import value for the ECSServiceRole and replaced it with an inline resource policy seen here -

"ECSServiceRole" : {
    "Type" : "AWS::IAM::Role",
    "Properties" : {
        "AssumeRolePolicyDocument" : {
            "Statement" : [
                {
                    "Sid": "",
                    "Effect" : "Allow",
                    "Principal" : {
                        "Service" : [
                            "ecs.amazonaws.com"
                        ]
                    },
                    "Action" : [
                        "sts:AssumeRole"
                    ]
                }
            ]
        },
        "Path" : "/",
        "Policies" : [
            {
                "PolicyName" : "ecs-service",
                "PolicyDocument" : {
                    "Statement" : [
                        {
                            "Effect" : "Allow",
                            "Action" : [
                                "ec2:Describe*",
                                "ec2:AuthorizeSecurityGroupIngress",
                                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                                "elasticloadbalancing:DeregisterTargets",
                                "elasticloadbalancing:Describe*",
                                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                                "elasticloadbalancing:RegisterTargets",
                                "sns:*"
                            ],
                            "Resource" : "*"
                        }
                    ]
                }
            }
        ]
    }
}

But again - the inline policy doesn't fix the issue either.

Any ideas or pointers would be much appreciated!

Thank you - I wasn't aware of this improvement.

Is this the correct way to associate the service linked role for ECS?

"ECSServiceRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {
            "Statement": [
                {
                    "Sid": "",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [
                            "ecs.amazonaws.com"
                        ]
                    },
                    "Action": [
                        "sts:AssumeRole"
                    ]
                }
            ]
        },
        "Path": "/",
        "Policies": [
            {
                "PolicyName": "CreateServiceLinkedRoleForECS",
                "PolicyDocument": {
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "iam:CreateServiceLinkedRole",
                                "iam:PutRolePolicy",
                                "iam:UpdateRoleDescription",
                                "iam:DeleteServiceLinkedRole",
                                "iam:GetServiceLinkedRoleDeletionStatus"
                            ],
                            "Resource": "arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS*",
                            "Condition": {
                                "StringLike": {
                                    "iam:AWSServiceName": "ecs.amazonaws.com"
                                }
                            }
                        }
                    ]
                }
            }
        ]
    }
}

Final Answer

After months of intermittent on-going issues with AWS regarding this matter AWS came back to say they were throttling us in the background, on the ELB. This is why the random and varied issues were appearing when deploying 3+ docker services via Cloudformation at the same time. The solution was nothing to do with IAM permissions, rather it was to increase the rate limit on the ELB via the "AWS Service Team".

Recommended answer

So the fix was to continue using the two stack approach in Cloudformation, one with the IAM roles, which in turn were imported into the service layer stack. The fix was to add a depends on in the service definition for all of the other stack resources in the service layer script. By doing this it allows sufficient time for the IAM roles to be imported and executed by the service, thus this was a Cloudformation resource creation timing issue.

"service" : {
    "Type" : "AWS::ECS::Service",
    "DependsOn" : [
        "TaskDefinition",
        "EcsElasticLoadBalancer",
        "DnsRecord"
    ],
    "Properties" : {
      etc...
    }
}
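An added check, not from the question or the answer above, that applies the accepted answer's advice mechanically: it walks a CloudFormation template and reports, for every AWS::ECS::Service, which sibling resources the service neither lists in DependsOn nor references through Ref / Fn::GetAtt (references CloudFormation already orders on). The sample template, its resource names and the imported export names are constructed for the example.

```python
# Constructed sample: a trimmed service-layer template shaped like the one in the
# answer (one ECS service that only waits explicitly for its task definition).
SAMPLE_TEMPLATE = {"Resources": {
    "TaskDefinition": {"Type": "AWS::ECS::TaskDefinition", "Properties": {}},
    "EcsElasticLoadBalancer": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {}},
    "DnsRecord": {"Type": "AWS::Route53::RecordSet", "Properties": {}},
    "service": {
        "Type": "AWS::ECS::Service",
        "DependsOn": ["TaskDefinition"],
        "Properties": {
            "Role": {"Fn::ImportValue": "iam-stack-ECSServiceRole"},  # constructed export name
            "TaskDefinition": {"Ref": "TaskDefinition"},
            "LoadBalancers": [{"LoadBalancerName": {"Ref": "EcsElasticLoadBalancer"}}],
        },
    },
}}

def referenced_logical_ids(node):
    """Logical ids reached through Ref / Fn::GetAtt, i.e. CloudFormation's implicit ordering."""
    found = set()
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            found.add(node["Ref"])
        target = node.get("Fn::GetAtt")
        if isinstance(target, list) and target:
            found.add(target[0])
        elif isinstance(target, str):          # short form "Resource.Attribute"
            found.add(target.split(".", 1)[0])
        for value in node.values():
            found |= referenced_logical_ids(value)
    elif isinstance(node, list):
        for item in node:
            found |= referenced_logical_ids(item)
    return found

def missing_service_dependencies(template):
    """For each AWS::ECS::Service, list sibling resources it neither depends on nor references."""
    resources = template.get("Resources", {})
    report = {}
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::ECS::Service":
            continue
        explicit = resource.get("DependsOn", [])
        explicit = {explicit} if isinstance(explicit, str) else set(explicit)
        implicit = referenced_logical_ids(resource.get("Properties", {}))
        # Refs to parameters or pseudo-parameters are not in Resources, so they drop out here.
        report[logical_id] = sorted(set(resources) - {logical_id} - explicit - implicit)
    return report

if __name__ == "__main__":
    print(missing_service_dependencies(SAMPLE_TEMPLATE))  # {'service': ['DnsRecord']}
```

Any name the report lists is a resource the service may be created before, which is exactly the gap the answer closes by adding it to DependsOn.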
