AWS CredentialProviders无法在Fargate中检索凭证

时间:2020-10-09 19:52:46

标签: amazon-web-services aws-sdk amazon-iam aws-fargate

我正在使用SecretsManager的AWS Fargate中运行SpringBoot应用程序。这是我作为凭证提供程序提供给AWS开发工具包的内容:

public class ProfiledCredentialsProvider extends AWSCredentialsProviderChain {

    public ProfiledCredentialsProvider(@Nullable final String profile) {
        super(new DefaultAWSCredentialsProviderChain(), new EC2ContainerCredentialsProviderWrapper(),
                new EnvironmentVariableCredentialsProvider(), new SystemPropertiesCredentialsProvider(),
                StringUtils.isBlank(profile) ? new ProfileCredentialsProvider()
                        : new ProfileCredentialsProvider(profile));
        this.setReuseLastProvider(true);
    }

}

,这使我可以使用备用AWS配置文件在本地运行此应用程序。但是,当我在Fargate中运行此应用程序时,会得到以下堆栈跟踪:

com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [com.amazonaws.auth.DefaultAWSCredentialsProviderChain@3439f68d: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.profile.ProfileCredentialsProvider@1cab0bfb: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@140e5a13: Failed to connect to service endpoint: ], com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@dbd940d: Failed to connect to service endpoint: , EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), com.amazonaws.auth.profile.ProfileCredentialsProvider@71d15f18: profile file cannot be null]
    at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:136) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1257) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:833) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:783) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.doInvoke(AWSSecretsManagerClient.java:2634) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
    at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2601) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
    at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2590) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
    at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.executeGetSecretValue(AWSSecretsManagerClient.java:1213) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
    at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.getSecretValue(AWSSecretsManagerClient.java:1184) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]

这是我的task-definition.json的摘录:

{
  "family": "transfer-services-api",
  "executionRoleArn": "arn:aws:iam::************:role/ecs-task-execution-role"  
  "requiresCompatibilities": [
    "FARGATE"
  ]
}

在“信任关系”中与此:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

和附加的策略AmazonECSTaskExecutionRolePolicy(未设置权限边界)。 谢谢您的帮助。

1 个答案:

答案 0 :(得分:1)

您需要分配任务角色。执行角色是使ECS访问诸如ECR和SecretsManager之类的资源的权限,以便执行ECS任务。任务角色是赋予您任务的代码对其他AWS资源的访问权限的角色。请参阅文档here

相关问题
最新问题