我的目标是通过terraform将docker容器日志发送到CloudWatch。 这是我用于IAM的ECS角色:
{
"Version": "2008-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": ["ecs.amazonaws.com", "ec2.amazonaws.com"]
},
"Effect": "Allow"
}
]
}
这是ECS服务角色政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:Describe*",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"ec2:Describe*",
"ec2:AuthorizeSecurityGroupIngress",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"*"
]
}
]
}
在我的docker容器的任务定义中,除此之外我还有这个用于cloudwatch日志记录的内容:
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "awslog-mylogs",
"awslogs-region": "eu-west-1",
"awslogs-stream-prefix": "awslogs-mylogs-stream"
}
}
(我通过AWS控制台预先创建了awslog-mylogs日志组。)
问题是如果我在没有容器的上述日志配置的情况下启动AWS实例(通过Terraform apply),一切正常并且我的容器已启动并运行(当然,日志不会发送到Cloudwatch) 。只要我有这个日志配置信息,EC2实例就会旋转,但容器无法正常启动。在进入EC2实例后,我发现docker容器被救了出来。
知道这里出了什么问题吗?关于通过terraform配置向Cloudwatch发送日志的问题,我可能会遇到什么?
答案 0 :(得分:3)
请问您是否设置了所有权限并在ECS服务角色政策中包含Cloudwatch?
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:PutMetricData",
"ec2:DescribeTags",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutSubscriptionFilter",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}
EOF