Amazon ECS-在Docker入口点上使用IAM角色时权限被拒绝 [英] Amazon ECS - Permission denied when using IAM role on Docker entrypoint
问题描述
我正在寻找一种将机密/证书注入Amazon ECS容器的方法.就我而言,这是一个简单的nginx容器.
I'm looking for a way to inject secrets/certificates into Amazon ECS containers. In my case, it's a simple nginx container.
我一直在使用AWS Parameter Store关注此帖子: https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/
I've been following this post, using AWS Parameter Store: https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/
以下是基本要点:
- 在我的Dockerfile上,我在 entrypoint 上附加了一个脚本,该脚本用于安装AWS客户端并从AWS参数存储中获取密钥.
- On my Dockerfile, I attach a script on entrypoint which installs the AWS client and fetches the keys from AWS parameter store.
Dockerfile
FROM nginx:1.16.0
...
ENTRYPOINT ["/var/run/fetch.sh", "nginx", "-g", "daemon off;"]
fetch.sh
aws ssm get-parameter \
--name ${key} \
--with-decryption \
--region us-east-1 \
--output text \
--query Parameter.Value
- 任务定义假设一个IAM角色可以访问所需的服务(kms +参数存储).我可以验证此方法是否有效,因为如果我通过SSH进入服务器并在容器上运行脚本,便能够从参数存储中获取密钥.
{
"portMappings": [
{
"hostPort": 0,
"protocol": "tcp",
"containerPort": 443
}
],
"cpu": 0,
"environment": [],
"mountPoints": [],
"memoryReservation": 256,
"memory": 512,
"volumesFrom": [],
"image": "url/some_image:latest",
"essential": true,
"name": "my-container"
}
- ECS运行此任务时,应点击入口点,该入口将从参数存储中获取密钥并保存.
- When ECS runs this task, it should hit the entrypoint which fetches the keys from parameter store and saves them.
我可以通过docker exec手动运行它来获取正在运行的任务上的键,但是启动任务时我无法获取它们(特别是当我将脚本附加到入口点上时,如上面的代码所示).
I'm able to fetch the keys on a running task by running it manually via docker exec, but I'm unable to fetch them when starting a task (specifically when I attach the script on the entrypoint as on code above).
ECS任务是否可以在入口点访问IAM角色?它什么时候真正承担IAM角色?
Does an ECS task have access to IAM roles at the entrypoint? When does it actually assume IAM roles?
推荐答案
现在,您可以使用 containerDefinitions 中的 secrets 轻松地从SSM或Secrets Manager注入机密.任务定义.使用此解决方案,您不必再运行/管理自定义脚本即可获取秘密.
You can now easily inject secrets from SSM or Secrets Manager using the secrets in the containerDefinitions of a task definition. With this solution, you don't have to run/manage your custom scripts to fetch your secrets anymore.
它看起来像这样:
{
"containerDefinitions": [{
"secrets": [{
"name": "environment_variable_name",
"valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf"
}]
}]
}
{
"containerDefinitions": [{
"secrets": [{
"name": "environment_variable_name",
"valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
}]
}]
}
看看您必须具有任务执行角色,并在任务定义中引用它.政策示例:
You must have a task execution role and reference it in your task definition. Example policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"secretsmanager:GetSecretValue",
"kms:Decrypt"
],
"Resource": [
"arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
"arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
"arn:aws:kms:<region>:<aws_account_id>:key/key_id"
]
}
]
}
这篇关于Amazon ECS-在Docker入口点上使用IAM角色时权限被拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
