ECS Fargate task not applying role


Problem description

I have an ECS Fargate task running that has a role attached to it. This role has the S3FullAccess policy (and AssumeRole trusted partnership with ECS service).

However when trying to put an object into a bucket, I get Access Denied errors. I have tried booting an EC2 instance and attaching the same role and can put to the bucket without issue.

To me it seems like the role is not being attached to the task. Is there an important step I'm missing? I can't SSH into the instance as it's Fargate.

UPDATE: I extracted the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables that are set and used them on my local machine. I am getting the Access Denied issues there too, implying (to me) that none of the policies I have set for that role are being applied to the task.

Anyone that can help with anything is appreciated!

WORKAROUND: A simple workaround is to create an IAM User with programmatic access and set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables in your task definition.

This works, but does not explain the underlying issue.

Recommended answer

I've just had a similar issue and I think it's probably due to your program being unable to access the role's credentials that are exposed by the Instance Metadata service.

Specifically, there's an environment variable called AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and its value is what's needed by the AWS SDKs to use the task role. The ECS Container Agent sets it when your task starts, and it is exposed to the container's main process that has process ID 1. If your program isn't running as such, it might not be seeing the env var, which would explain the access denied error.

Depending on how your program is running, there'll be different ways to share the env var.

I had the issue inside ssh login shells (BTW you can ssh into Fargate tasks by running sshd) so in my Docker entrypoint script I inserted somewhere:

# To share the env var with login shells
echo "export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" >> /root/.profile

In other cases it might work to add to your Docker entrypoint script:

# To export the env var for use by child processes
export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

References:

  • IAM Roles for Tasks - docs explaining the env var relating to the role
  • AWS Forum post - where someone explains these workarounds in greater detail
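The credential lookup the answer describes, written out as an added example (this is not code from the question, the answer, or the AWS SDKs): it resolves the same environment variables the SDKs check, fetches the credential document from the ECS agent's link-local endpoint (169.254.170.2, as in the IAM Roles for Tasks docs), and turns a missing variable into a clear diagnostic instead of a later "Access Denied". The sample credential document, the relative URI and the `fake_fetch` helper are constructed so the script runs outside ECS; the field names (RoleArn, AccessKeyId, SecretAccessKey, Token, Expiration) are the ones the endpoint returns.

```python
"""Resolve ECS task-role credentials the way the AWS SDKs do (added example)."""
import json
from datetime import datetime, timezone
from typing import Callable, Dict, Optional
from urllib.request import Request, urlopen

# Link-local address the ECS agent serves task-role credentials from.
ECS_CREDENTIALS_HOST = "http://169.254.170.2"


def credential_url(env: Dict[str, str]) -> Optional[str]:
    """Return the container credential endpoint the SDK would query, or None.

    AWS_CONTAINER_CREDENTIALS_FULL_URI wins if present; otherwise the relative
    URI set by the ECS agent is appended to the link-local host. If neither
    variable is visible to the process, the SDK skips this provider entirely,
    which is the situation that ends in "Access Denied".
    """
    full = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    if full:
        return full
    rel = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if rel:
        return ECS_CREDENTIALS_HOST + rel
    return None


def http_get_json(url: str) -> dict:
    """Fetch and parse the credential document (real network call, inside a task)."""
    with urlopen(Request(url), timeout=2) as resp:
        return json.load(resp)


def fetch_task_credentials(env: Dict[str, str],
                           fetch: Callable[[str], dict] = http_get_json) -> Dict[str, object]:
    """Fetch the task-role credentials and validate the document.

    Raises RuntimeError with a diagnostic message when the env var is not
    visible to this process or the document is incomplete.
    """
    url = credential_url(env)
    if url is None:
        raise RuntimeError(
            "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set for this process; "
            "the task role cannot be used (login shell or process not inheriting PID 1's env?)")
    doc = fetch(url)
    for key in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration"):
        if not doc.get(key):
            raise RuntimeError(f"credential document from {url} is missing {key}")
    # Expiration is an ISO-8601 UTC timestamp such as 2016-02-25T06:03:31Z.
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "role_arn": doc.get("RoleArn"),
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],
        "expiration": expires,
    }


def sdk_env_from_credentials(creds: Dict[str, object]) -> Dict[str, str]:
    """Translate the document into the three env vars an SDK needs.

    Temporary credentials are only valid together with their session token;
    a request signed with just the key ID and secret is rejected.
    """
    return {
        "AWS_ACCESS_KEY_ID": str(creds["access_key_id"]),
        "AWS_SECRET_ACCESS_KEY": str(creds["secret_access_key"]),
        "AWS_SESSION_TOKEN": str(creds["session_token"]),
    }


# Constructed sample document with fake values, shaped like the agent's response.
SAMPLE_DOC = {
    "RoleArn": "arn:aws:iam::123456789012:role/example-task-role",
    "AccessKeyId": "ASIAEXAMPLEKEY",
    "SecretAccessKey": "exampleSecret",
    "Token": "exampleSessionToken",
    "Expiration": "2030-01-01T00:00:00Z",
}


def fake_fetch(url: str) -> dict:
    """Stand-in for http_get_json so the demo runs without ECS (constructed)."""
    assert url.startswith(ECS_CREDENTIALS_HOST)
    return dict(SAMPLE_DOC)


if __name__ == "__main__":
    # Constructed relative URI; the real one is a /v2/credentials/<uuid> path.
    env = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/example-uuid"}
    creds = fetch_task_credentials(env, fetch=fake_fetch)
    print(sdk_env_from_credentials(creds))
    try:
        fetch_task_credentials({}, fetch=fake_fetch)
    except RuntimeError as exc:
        print("diagnosis:", exc)
```

Inside a real task, call `fetch_task_credentials(dict(os.environ))` with the default fetcher: if it raises, the process is not seeing the variable the agent set (the login-shell case the answer describes), and exporting it as shown above is the fix; if it returns, the credentials it holds are the task role's, session token included.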
