以下是EC2实例承担的角色:
"AScaleLaunchConfig": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Properties":{
…..
"IamInstanceProfile": { "Ref": "EC2InstProfl” },
…..
}
}
"EC2InstProfl": {
"Type": "AWS::IAM::InstanceProfile",
"Properties":{
"Path": "/",
"Roles": [ { "Ref": "EC2InstRole" } ]
}
}
"EC2InstRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": [ "ec2.amazonaws.com" ] },
"Action": [ "sts:AssumeRole" ]
}
]
},
"Path": "/",
"ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role" ],
}
}
以下是分配给在该EC2实例中运行的任务(码头集装箱)的SomeTaskRole:
"EcsTaskDef": {
"Type": "AWS::ECS::TaskDefinition",
"Properties":{
"NetworkMode": "host",
"TaskRoleArn": "arn:aws:iam::xxxxxxxxx:role/SomeTaskRole",
"ContainerDefinitions": [
{
"Name": “someapp",
"Image": “someaccout/someimage:test",
}
]
}
}
其中SomeTaskRole是:
{
"Version": "2012-10-17",
"Statement": [
{
"Description": “Allow access to all EC2/ELB/cloudformation/s3 and aim passrole",
…..
"Resource": "*"
},
{
"Description": “Assume iam User role“,
…..
"Effect": "Allow"
},
{
"Description": “Assume xyz role across all accouts“,
…..
"Effect": "Allow"
},
{
"Description": “Allow * access to all resource across n regions",
….
},
{
"Description": “Deny delete permission on network related resources like Subnets/Route/VPC/VPN/IGW etc…*,
….
},
{
"Description": “There are many such rules",
….
}
]
}
如果将EC2InstRole分配给EC2实例,则Cloudformation堆栈将成功启动。
如果将SomeTaskRole分配给EcsTaskDef ,并且 EC2InstRole分配给EC2实例,则Cloudformation堆栈启动将挂起数小时,并且出错。尚未找到确切的错误。如果删除"TaskRoleArn": "arn:aws:iam::xxxxxxxxx:role/SomeTaskRole",则CloudFormation堆栈将成功启动。
1)
AWS IAM服务同时允许两者吗?
为ECS任务分配角色
和
要为EC2实例分配角色?
2)
如果是,则EC2角色中指定的规则是否重叠(并覆盖)ECS任务角色中指定的规则?
答案 0 :(得分:2)
ECS任务仅获得分配给该任务的角色/权限。它没有主机的权限。
当您看到CloudFormation像这样“挂起”时,很可能是因为任务从未达到稳定状态。解决问题的最简单方法是查看ECS中失败的任务。为此,请打开ECS群集,选择“任务”选项卡并显示“已停止的任务”。打开一个并查看底部的折叠信息。那里经常有一些非常有用的信息。