Task role defined by Terraform not working correctly for ECS scheduled task


Question

Our team has a bunch of cron jobs running as ECS scheduled tasks. Lately I've been adding a new job that requires the use of DynamoDB, so I added the permissions in our Terraform files, but I keep getting a permission failure:

com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException:
User: arn:aws:sts::87********23:assumed-role/tcoe-tableau/74a408106bf543ee95dbe4841d00b0f7 is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics (Service: AmazonDynamoDBv2;
Status Code: 400; Error Code: AccessDeniedException; Request ID: H52U8GCS1JAB74OJ6VSSEFLCQNVV4KQNSO5AEMVJF66Q9ASUAAJG; Proxy: null)

My related Terraform is as follows:

First, here are the ECS cluster and task definition:

resource "aws_ecs_cluster" "ecs-cluster" {
  name = "${var.stack_id}"
  # "tags = { ... }" is accepted by both Terraform 0.11 and 0.12+; the bare
  # "tags { ... }" block form is rejected from 0.12 on.
  tags = {
    StackId = "${var.stack_id}"
  }
  lifecycle {
    ignore_changes = [
      "tags"
    ]
  }
}

resource "aws_ecs_task_definition" "task-definition" {
  family                   = "${var.stack_id}"
  network_mode             = "awsvpc"
  requires_compatibilities = [
    "FARGATE"
  ]
  cpu                      = "${var.cpu}"
  memory                   = "${var.task_memory}"
  # task_role_arn is the identity the application code inside the container
  # assumes when it calls AWS APIs (DynamoDB here). execution_role_arn is used
  # by the ECS agent itself to pull the image from ECR and ship logs to
  # CloudWatch Logs. DynamoDB permissions therefore belong on the task role.
  task_role_arn            = "${aws_iam_role.task_role.arn}"
  execution_role_arn       = "${aws_iam_role.ecs_task_execution_role.arn}"
  container_definitions    = <<EOF
[
  {
    "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "${var.log_group}",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "${var.stack_id}"
        }
    },
    "ulimits": [
      {
        "name": "nofile",
        "softLimit": 4096,
        "hardLimit": 8192
      }
    ],
    "image": "${var.ecr_account}.dkr.ecr.us-east-1.amazonaws.com/${var.ecr_namespace}/${var.stack_id}:latest",
    "environment": [
      {"name": "ENV", "value": "${var.environment}" }
    ],
    "essential": true,
    "privileged": false,
    "name": "${var.stack_id}",
    "memory": ${var.memory}
  }
]
EOF

  tags = {
    StackId = "${var.stack_id}"
  }
}

Then here's the task role for the task definition:

resource "aws_iam_role" "task_role" {
  name = "${var.stack_id}"
  # Trust policy: ECS tasks may assume this role, and in the dev account the
  # role named by var.dev_role_name may assume it as well. The quotes inside
  # the conditional must be escaped (here via format()); unescaped nested
  # quotes make the heredoc invalid HCL.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        ${data.aws_caller_identity.current.account_id == var.dev_account ? format("\"AWS\": [\"arn:aws:iam::61********19:role/%s\"],", var.dev_role_name) : ""}
        "Service": ["ecs-tasks.amazonaws.com"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Not used by a Fargate task: an instance profile only delivers a role to EC2
# instances. ECS hands the task role to the container via task_role_arn, so
# this resource has no effect here and can be dropped.
resource "aws_iam_instance_profile" "task_role_profile" {
  name = "${var.stack_id}"
  role = "${aws_iam_role.task_role.name}"
}

Finally, here I'm adding the DynamoDB-related policy to the task role:

# Inline policy attached to the task role. For aws_iam_role the id attribute
# is the role name, so role.id and role.name are interchangeable here.
resource "aws_iam_role_policy" "main" {
  name = "${var.stack_id}-extra-policy"
  role = "${aws_iam_role.task_role.id}"
  # Scoped to one table and its indexes. Note that dynamodb:ListTables only
  # works with Resource "*", so the List* entry here only covers List actions
  # that accept a table ARN (e.g. ListTagsOfResource).
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:List*",
        "dynamodb:Get*",
        "dynamodb:Describe*",
        "dynamodb:DeleteItem",
        "dynamodb:Put*",
        "dynamodb:UpdateItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics",
        "arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics/index/*"
      ]
    }
  ]
}
EOF
}

Am I doing something wrong here or missing anything?
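The inline policy and the AccessDenied message above can be checked against each other without touching AWS. The following is an added example, not code from the question or its answer: a small evaluator that models only the Effect, Action and Resource parts of an IAM identity policy (no Condition keys, no NotAction/NotResource, no resource-based policies, permission boundaries or SCPs), fed the policy JSON and the error text copied from the question. It assumes that var.stack_id resolves to tcoe-tableau, the role name in the error, and keeps the account ID redacted as on the page (the asterisks happen to act as wildcards in the matcher, which does not change the outcome for these inputs).

```python
"""Offline check of the task role's inline policy against the AccessDenied
error from the question. Added example; the policy JSON and the error text are
copied from the question, the evaluator is a simplified IAM model."""
import fnmatch
import json
import re

# Inline policy of the task role, copied verbatim from the question.
TASK_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:Scan", "dynamodb:Query", "dynamodb:List*", "dynamodb:Get*",
        "dynamodb:Describe*", "dynamodb:DeleteItem", "dynamodb:Put*",
        "dynamodb:UpdateItem", "dynamodb:BatchWriteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics",
        "arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics/index/*"
      ]
    }
  ]
}
""")

# AccessDenied text copied from the question (account ID redacted as on the page).
ERROR_MESSAGE = (
    "User: arn:aws:sts::87********23:assumed-role/tcoe-tableau/74a408106bf543ee95dbe4841d00b0f7 "
    "is not authorized to perform: dynamodb:GetItem on resource: "
    "arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics"
)

# Assumption: var.stack_id (the role name in the Terraform) is the role name in the error.
EXPECTED_ROLE_NAME = "tcoe-tableau"

_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>\S+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Extract principal, role name, action and resource from an AccessDenied message."""
    m = _DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an AccessDenied message")
    principal = m.group("principal")
    role_name = None
    if ":assumed-role/" in principal:
        # arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME
        role_name = principal.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return {"principal": principal, "role_name": role_name,
            "action": m.group("action"), "resource": m.group("resource")}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Decide one identity policy: 'Allow', 'Deny' (explicit) or 'ImplicitDeny'.

    IAM wildcards: '*' matches any run of characters, '?' a single one. Action
    names are compared case-insensitively, resource ARNs case-sensitively.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny beats any Allow
        decision = "Allow"
    return decision


def diagnose(policy, expected_role_name, message):
    """Combine the parsed error with the policy decision into a next step."""
    request = parse_access_denied(message)
    decision = evaluate(policy, request["action"], request["resource"])
    if request["role_name"] != expected_role_name:
        finding = "the task ran as role %r, not %r; the policy was never in scope" % (
            request["role_name"], expected_role_name)
    elif decision == "Allow":
        finding = ("the policy text grants this request, so the running task did not carry "
                   "it: check the policies attached to the role and which task definition "
                   "revision (and task_role_arn) the scheduled task actually launched")
    elif decision == "Deny":
        finding = "an explicit Deny in the policy blocks the request"
    else:
        finding = "the policy does not cover this action/resource pair"
    return {"request": request, "policy_decision": decision, "finding": finding}


if __name__ == "__main__":
    result = diagnose(TASK_ROLE_POLICY, EXPECTED_ROLE_NAME, ERROR_MESSAGE)
    print(result["request"]["action"], "on", result["request"]["resource"],
          "->", result["policy_decision"])
    print(result["finding"])
```

When the model says Allow while AWS said AccessDenied, the policy text is not the problem: the request was made by a principal that did not carry that policy at that moment. The live things to compare are the task definition the task actually ran (`aws ecs describe-tasks`, then `aws ecs describe-task-definition` for its `taskRoleArn`), the policies on that role (`aws iam list-role-policies`, `aws iam get-role-policy`), and the task definition revision the scheduled task's EventBridge target points at; `aws iam simulate-principal-policy` gives the authoritative decision that this model only approximates.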

Answer

I thought my failure was due to using role.id instead of role.name, and I wanted to figure out the difference between id and name, so I posted this question: "aws iam role id vs role name in terraform, when to use which?". The answer/comment there indicated that they are exactly the same, which prompted me to go back and carefully check my commit history and build history, and I realized that the reason role.id didn't work was due to some human error I made. My new code worked not because I used role.name, but because I unknowingly fixed the other error at the same time.

To summarize, role.id and role.name are exactly the same.

