ecs-agent does not have sufficient permissions to register in the ECS cluster

Time: 2017-11-23 14:55:12

Tags: amazon-web-services amazon-ec2 amazon-cloudformation amazon-ecs

I am trying to deploy EC2 instances that run the ecs-agent. Such EC2 instances are granted some permissions through an instance profile associated with a specific role.

When the ecs-agent runs and tries to register itself in the ECS cluster, it fails:

2017-11-23T10:24:09Z [INFO] Starting Agent: Amazon ECS Agent - v1.14.0 (f88e52e)
2017-11-23T10:24:09Z [INFO] Loading configuration
2017-11-23T10:24:09Z [DEBUG] Environment variable empty: ECS_CONTAINER_STOP_TIMEOUT
2017-11-23T10:24:09Z [DEBUG] Environment variable empty: ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION
2017-11-23T10:24:09Z [DEBUG] Environment variable empty: ECS_IMAGE_MINIMUM_CLEANUP_AGE
2017-11-23T10:24:09Z [DEBUG] Environment variable empty: ECS_IMAGE_CLEANUP_INTERVAL
2017-11-23T10:24:09Z [DEBUG] Loaded config: Cluster: instanceprofiletest-EcsCluster-1NA2C3753PUSZ, Region: eu-west-1, DataDir: /data, Checkpoint: true, AuthType: , UpdatesEnabled: true, DisableMetrics: false, ReservedMem: 0, TaskCleanupWaitDuration: 3h0m0s, DockerStopTimeout: 30s
2017-11-23T10:24:09Z [INFO] Checkpointing is enabled. Attempting to load state
2017-11-23T10:24:09Z [INFO] Loading state! module="statemanager"
2017-11-23T10:24:09Z [INFO] Event stream ContainerChange start listening...
2017-11-23T10:24:09Z [INFO] Detected Docker versions [1.17 1.18 1.19 1.20 1.21 1.22 1.23]
2017-11-23T10:24:09Z [WARN] Error getting valid credentials (AKID ): NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors
2017-11-23T10:24:09Z [INFO] Registering Instance with ECS
2017-11-23T10:24:09Z [ERROR] Could not register: NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors
2017-11-23T10:24:09Z [ERROR] Error registering: NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors

I tried to define a minimal CloudFormation stack to help me troubleshoot the problem.

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS CloudFormation template to provision the BATS RabbitMQ resources",
    "Parameters": {
        "KeyName": {
            "Type": "String",
            "Description": "The Key name"
        },
        "VpcId": {
            "Type": "String",
            "Description": "The VPC id"
        },
        "SubnetId": {
            "Type": "String",
            "Description": "The subnet id"
        },
        "AllowedSshCidr": {
            "Type": "String",
            "Description": "CIDR/IP range to allow SSH access"
        }
    },
    "Resources": {
        "EcsCluster": {
            "Type": "AWS::ECS::Cluster"
        },
        "ClientSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Security group containing the RabbitMQ client applications",
                "VpcId": { "Ref": "VpcId" }
            }
        },
        "EcsSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "ECS Allowed Ports",
                "VpcId": { "Ref": "VpcId" },
                "SecurityGroupIngress": [
                    {
                        "IpProtocol": "tcp",
                        "FromPort": 22,
                        "ToPort": 22,
                        "CidrIp": {
                            "Ref": "AllowedSshCidr"
                        }
                    }
                ]
            }
        },
        "EcsInstanceRole": {
            "Type": "AWS::IAM::Role",
            "Description": "The role for managing ECS instances",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Statement": [
                        {
                            "Sid": "1",
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "ecs.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "Path": "/",
                "Policies": [
                    {
                        "PolicyName": "ECS-permissions",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Sid": "2",
                                    "Effect": "Allow",
                                    "Action": [
                                        "ecs:CreateCluster",
                                        "ecs:DeregisterContainerInstance",
                                        "ecs:DiscoverPollEndpoint",
                                        "ecs:Poll",
                                        "ecs:RegisterContainerInstance",
                                        "ecs:StartTelemetrySession",
                                        "ecs:Submit*"
                                    ],
                                    "Resource": "*"
                                },{
                                    "Sid": "3",
                                    "Effect": "Allow",
                                    "Action": [
                                        "ecr:GetAuthorizationToken",
                                        "ecr:BatchCheckLayerAvailability",
                                        "ecr:GetDownloadUrlForLayer",
                                        "ecr:BatchGetImage"
                                    ],
                                    "Resource": "*"
                                },{
                                    "Sid": "4",
                                    "Effect": "Allow",
                                    "Action": [
                                        "iam:PassRole"
                                    ],
                                    "Resource": "*"
                                }
                            ]
                        }
                    }
                ]
            }
        },
        "EcsInstanceProfile": {
            "Type": "AWS::IAM::InstanceProfile",
            "Description": "The InstanceProfile using ECSInstanceRole to manage the EcsInstance",
            "Properties": {
                "Path": "/",
                "Roles": [ { "Ref": "EcsInstanceRole" } ]
            }
        },
        "EcsInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-48f9a52e",
                "InstanceType": "t2.micro",
                "IamInstanceProfile": { "Ref": "EcsInstanceProfile" },
                "KeyName": { "Ref": "KeyName" },
                "SecurityGroupIds": [
                    {
                        "Fn::GetAtt": [
                            "EcsSecurityGroup",
                            "GroupId"
                        ]
                    }
                ],
                "SubnetId": { "Ref": "SubnetId" },
                "UserData": {
                    "Fn::Base64": {
                        "Fn::Join": [
                            "",
                            [
                                "#!/bin/bash\n",
                                "echo ECS_CLUSTER=",
                                {
                                    "Ref": "EcsCluster"
                                },
                                " >> /etc/ecs/ecs.config\n",
                                "echo ECS_LOGLEVEL=debug >> /etc/ecs/ecs.config\n",
                                "n=0 \n",
                                "try=3 \n",
                                "until [[ $n -ge $try ]] \n",
                                "do \n",
                                "    docker start  ecs-agent && break || { \n",
                                "        echo \"ECS Agent Failed..\" \n",
                                "        ((n++)) \n",
                                "        sleep 4 \n",
                                "        sudo /etc/init.d/docker restart \n",
                                "    } \n",
                                "done \n"
                            ]
                        ]
                    }
                }
            }
        },
        "ElasticIp": {
            "Type" : "AWS::EC2::EIP",
            "Properties" : {
                "Domain" : "vpc"
            }
        },
        "EIPAssociation": {
            "Type": "AWS::EC2::EIPAssociation",
            "Properties": {
                "InstanceId": {
                    "Ref": "EcsInstance"
                },
                "EIP": { "Ref": "ElasticIp" }
            }
        }
    },
    "Outputs": {
    }
}

I deploy it by running:

aws cloudformation create-stack --stack-name instanceprofiletest --template-body file://instanceprofiletest.json --capabilities CAPABILITY_IAM --parameters ParameterKey=KeyName,ParameterValue=[my-key] ParameterKey=SubnetId,ParameterValue=[my-subnet] ParameterKey=VpcId,ParameterValue=[my-vpc] ParameterKey=AllowedSshCidr,ParameterValue=[my-ip]/32

The stack deploys successfully, but the ecs-agent container fails to start, and /var/log/ecs/ecs-agent.log shows the NoCredentialProviders error above.

Unfortunately, I cannot inspect the permissions granted to the instance profile. I can only get its name:

[ec2-user@ip-10-0-0-104 ~]$ curl http://169.254.169.254/latest/meta-data/iam/info
{
  "Code" : "Success",
  "LastUpdated" : "2017-11-23T14:45:26Z",
  "InstanceProfileArn" : "arn:aws:iam::463142558018:instance-profile/instanceprofiletest-EcsInstanceProfile-XXXXXXX",
  "InstanceProfileId" : "AIPAXXXXXXX"
}

Thanks for any help.

1 answer:

Answer 0 (score: 2)

The problem is a typo.

The first statement of EcsInstanceRole has "ecs.amazonaws.com" instead of "ec2.amazonaws.com".
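The mismatch the answer points out can be caught before deployment by linting the template: every role attached to an AWS::IAM::InstanceProfile must trust ec2.amazonaws.com, or the instance metadata service hands out no credentials and the agent logs NoCredentialProviders. The check below is an added example, not code from the question or from the ECS agent; it runs on a constructed excerpt of the template above, and the function and constant names are this example's own.

```python
import json

# Constructed minimal excerpt of the template in the question: the instance
# profile's role trusts ecs.amazonaws.com, which EC2 cannot use to assume it.
TEMPLATE_JSON = """{"Resources": {
  "EcsInstanceRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
      "Action": ["sts:AssumeRole"], "Principal": {"Service": ["ecs.amazonaws.com"]}}]}}},
  "EcsInstanceProfile": {"Type": "AWS::IAM::InstanceProfile",
    "Properties": {"Roles": [{"Ref": "EcsInstanceRole"}]}}}}"""

EC2_PRINCIPAL = "ec2.amazonaws.com"


def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Service; normalise."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def role_trusts_ec2(role):
    """True if an Allow statement in the trust policy lets EC2 call sts:AssumeRole."""
    doc = role.get("Properties", {}).get("AssumeRolePolicyDocument", {})
    for stmt in _as_list(doc.get("Statement")):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))
                and EC2_PRINCIPAL in services):
            return True
    return False


def find_untrusted_profile_roles(template_text):
    """Names of roles attached to instance profiles that ec2.amazonaws.com cannot assume."""
    resources = json.loads(template_text).get("Resources", {})
    bad = []
    for res in resources.values():
        if res.get("Type") != "AWS::IAM::InstanceProfile":
            continue
        for ref in res.get("Properties", {}).get("Roles", []):
            name = ref.get("Ref") if isinstance(ref, dict) else None
            role = resources.get(name, {})
            if role.get("Type") == "AWS::IAM::Role" and not role_trusts_ec2(role):
                bad.append(name)
    return bad


if __name__ == "__main__":
    print(find_untrusted_profile_roles(TEMPLATE_JSON))  # ['EcsInstanceRole']
```

Swapping the principal for ec2.amazonaws.com makes the check return an empty list, matching the fix in the answer.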