ECS Fargate task not applying role


Problem description

I have an ECS Fargate task running that has a role attached to it. This role has the S3FullAccess policy (and AssumeRole trusted partnership with ECS service).

However when trying to put an object into a bucket, I get Access Denied errors. I have tried booting an EC2 instance and attaching the same role and can put to the bucket without issue.

To me it seems like the role is not being attached to the task. Is there an important step I'm missing? I can't SSH into the instance as it's Fargate.

UPDATE: I extracted the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables that are set and used them on my local machine. I am getting the Access Denied issues there too, implying (to me) that none of the policies I have set for that role are being applied to the task.

Anyone that can help with anything is appreciated!

WORKAROUND: A simple workaround is to create an IAM User with programmatic access and set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables in your task definition.

This works, but does not explain the underlying issue.

Recommended answer

I've just had a similar issue and I think it's probably due to your program being unable to access the role's credentials that are exposed by the Instance Metadata service.

Specifically, there's an environment variable called AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and its value is what's needed by the AWS SDKs to use the task role. The ECS Container Agent sets it when your task starts, and it is exposed to the container's main process that has process ID 1. If your program isn't running as such, it might not be seeing the env var, which would explain the access denied error.

Depending on how your program is running, there'll be different ways to share the env var.

I had the issue inside ssh login shells (BTW you can ssh into Fargate tasks by running sshd) so in my Docker entrypoint script I inserted somewhere:

# To share the env var with login shells
echo "export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" >> /root/.profile

In other cases it might work to add to your Docker entrypoint script:

# To export the env var for use by child processes
export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

References:

  • IAM Roles for Tasks - docs explaining the env var relating to the role
  • AWS Forum post - where someone explains these workarounds in greater detail
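The following is an added example for this page, not code from the original question or answer. It encodes the documented order in which the AWS SDKs try the three credential sources that matter in this thread: static AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY in the environment are used before the ECS container credential endpoint, which is used before the EC2 instance metadata service. Run it inside the container (as the task's main process and again from a login shell) to see which source each process would actually pick; the fetch helper talks to the documented endpoint at 169.254.170.2, which only exists inside a running task. The sample environments and the relative URI value in them are constructed placeholders.

```python
"""Work out which credential source an AWS SDK process inside an ECS task will use.

Added example for this page, not code from the original question or answer.
It mirrors the documented SDK credential-provider order for the three sources
that matter here: static keys in the environment are tried before the ECS
container credential endpoint, which is tried before the EC2 instance metadata
service. The sample environments at the bottom are constructed; the relative
URI value in them is a placeholder, not a real task credential path.
"""
import json
import os
import urllib.request

# Documented ECS credential endpoint; the SDK appends the relative URI to it.
ECS_CREDS_HOST = "http://169.254.170.2"
RELATIVE_URI_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
FULL_URI_VAR = "AWS_CONTAINER_CREDENTIALS_FULL_URI"


def credential_source(env):
    """Name the source an SDK would pick for the given environment mapping.

    Static keys shadow the task role whenever both key variables are present,
    which is why pasting AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY into a task
    definition silently stops the role from being used.
    """
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "static-env-keys"
    if env.get(FULL_URI_VAR) or env.get(RELATIVE_URI_VAR):
        return "ecs-task-role"
    return "instance-metadata-or-none"


def task_role_endpoint(env):
    """Return the URL the SDK would fetch task-role credentials from, or None."""
    if env.get(FULL_URI_VAR):
        return env[FULL_URI_VAR]
    if env.get(RELATIVE_URI_VAR):
        return ECS_CREDS_HOST + env[RELATIVE_URI_VAR]
    return None


def diagnose(env):
    """Return findings explaining why a process does or does not get the role."""
    source = credential_source(env)
    findings = ["credential source the SDK will use: " + source]
    if source == "static-env-keys":
        findings.append("static keys in the environment shadow the task role; "
                        "unset AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to use the role")
    elif source == "instance-metadata-or-none":
        findings.append(RELATIVE_URI_VAR + " is not visible to this process, so the "
                        "task role will not be used (export it from the entrypoint)")
    else:
        findings.append("task role credentials will be fetched from " + task_role_endpoint(env))
    return findings


def fetch_task_role_credentials(env=None, timeout=2.0):
    """Fetch the role credentials the way the SDK does.

    Only works inside a running task, where 169.254.170.2 is reachable; it is
    here so the check can be run from a shell in the container to confirm the
    role is actually attached. The secret and session token are deliberately
    not returned so the result is safe to print.
    """
    env = os.environ if env is None else env
    url = task_role_endpoint(env)
    if url is None:
        raise RuntimeError(RELATIVE_URI_VAR + " is not set in this process's environment")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        creds = json.load(resp)
    # Documented response fields: RoleArn, AccessKeyId, SecretAccessKey, Token, Expiration.
    return {k: creds.get(k) for k in ("RoleArn", "AccessKeyId", "Expiration")}


# Constructed sample environments (placeholder values, not real credentials).
ENV_LOGIN_SHELL = {"HOME": "/root", "PATH": "/usr/bin:/bin"}  # env var not inherited
ENV_PID1 = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI":
            "/v2/credentials/00000000-0000-0000-0000-000000000000"}
ENV_STATIC = dict(ENV_PID1, AWS_ACCESS_KEY_ID="AKIAEXAMPLEPLACEHOLDER",
                  AWS_SECRET_ACCESS_KEY="placeholder-secret")

if __name__ == "__main__":
    for name, env in (("login shell", ENV_LOGIN_SHELL), ("PID 1", ENV_PID1),
                      ("static keys set", ENV_STATIC)):
        print(name)
        for line in diagnose(env):
            print("  " + line)
```

Running `diagnose(dict(os.environ))` from the login shell reproduces the answer's situation (no relative URI, so no task role), and running it with the static-keys workaround from the question shows the other failure mode: once both key variables are in the task definition, the SDK never consults the task role at all, so the role's policies cannot apply regardless of what is attached.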

