I created the following CloudFormation template to create an ECS Cluster, TaskDefinition and Service, but I get an error. What is wrong with these settings?

Please verify that the ECS service role being passed has the proper permissions

When I use a template without the line

Role: !ImportValue "IAMRoleECSService"

no error occurs, but the stack never gets out of CREATE_IN_PROGRESS and completes.

ECSApplicationService:
  Type: "AWS::ECS::Service"
  DependsOn:
    - "ECSApplicationCluster"
    - "ECSApplicationTaskDefinition"
  Properties:
    Cluster: !Ref "ECSApplicationCluster"
    DeploymentConfiguration:
      MaximumPercent: 100
      MinimumHealthyPercent: 50
    DesiredCount: 4
    LoadBalancers:
      - ContainerName: !Ref "ContainerAppName"
        ContainerPort: 80
        TargetGroupArn: !ImportValue "ALBTargetGroup"
    Role: !ImportValue "IAMRoleECSService"
    ServiceName: "ecs-application-service"
    TaskDefinition: !Ref "ECSApplicationTaskDefinition"

IAMRoleECSService:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: "ecs-service"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service:
              - "ecs.amazonaws.com"
          Action:
            - "sts:AssumeRole"
    Policies:
      - PolicyName: "ec2-management"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "ec2:AuthorizeSecurityGroupIngress"
                - "ec2:Describe*"
              Resource: "*"
      - PolicyName: "alb-management"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
                - "elasticloadbalancing:DeregisterTargets"
                - "elasticloadbalancing:DescribeTargetGroups"
                - "elasticloadbalancing:DescribeTargetHealth"
                - "elasticloadbalancing:Describe*"
                - "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
                - "elasticloadbalancing:RegisterTargets"
              Resource: "*"
What should I do?

Answer 0 (score: 5)
UPDATE: As of July 19, 2018, IAM service-linked roles can be created with CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html
EcsServiceLinkedRole:
  Type: "AWS::IAM::ServiceLinkedRole"
  Properties:
    AWSServiceName: "ecs.amazonaws.com"
    Description: "Role to enable Amazon ECS to manage your cluster."
OLD ANSWER: ECS now relies on Service-Linked Roles rather than plain roles. Make sure you have created one for your account with:

aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com

Then remove the IAMRoleECSService parameter from Role, since it is no longer needed.
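An added example, not part of the question or the answer above: a small offline check in Python that walks a parsed CloudFormation template and reports the pattern this thread is about. It flags an AWS::ECS::Service that still passes a custom Role, flags wildcard-resource grants in any hand-written role trusted by ecs.amazonaws.com, and notes whether an AWS::IAM::ServiceLinkedRole for ECS is declared. The "before" template is a constructed JSON rendering of the question's YAML (CloudFormation accepts JSON as well; trimmed to the relevant resources), and the "after" template applies the answer's fix to a copy. AWSServiceRoleForECS is the name ECS gives its service-linked role; the function names and finding messages are my own.

```python
import copy
import json

# Constructed JSON rendering of the question's YAML (CloudFormation accepts
# JSON too: `!ImportValue X` is {"Fn::ImportValue": "X"}, `!Ref X` is
# {"Ref": "X"}).  Trimmed to the resources the check looks at.
BEFORE_TEMPLATE = json.loads("""
{"Resources": {
  "ECSApplicationService": {
    "Type": "AWS::ECS::Service",
    "Properties": {
      "Cluster": {"Ref": "ECSApplicationCluster"},
      "DesiredCount": 4,
      "LoadBalancers": [{"ContainerName": {"Ref": "ContainerAppName"},
                         "ContainerPort": 80,
                         "TargetGroupArn": {"Fn::ImportValue": "ALBTargetGroup"}}],
      "Role": {"Fn::ImportValue": "IAMRoleECSService"},
      "ServiceName": "ecs-application-service",
      "TaskDefinition": {"Ref": "ECSApplicationTaskDefinition"}}},
  "IAMRoleECSService": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "RoleName": "ecs-service",
      "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": ["ecs.amazonaws.com"]},
         "Action": ["sts:AssumeRole"]}]},
      "Policies": [{"PolicyName": "ec2-management", "PolicyDocument": {
        "Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Resource": "*",
           "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:Describe*"]}]}}]}}}}
""")

# The answer's fix, applied to a copy: drop the Role property and the custom
# role, and declare the service-linked role instead.
AFTER_TEMPLATE = copy.deepcopy(BEFORE_TEMPLATE)
del AFTER_TEMPLATE["Resources"]["ECSApplicationService"]["Properties"]["Role"]
del AFTER_TEMPLATE["Resources"]["IAMRoleECSService"]
AFTER_TEMPLATE["Resources"]["EcsServiceLinkedRole"] = {
    "Type": "AWS::IAM::ServiceLinkedRole",
    "Properties": {"AWSServiceName": "ecs.amazonaws.com",
                   "Description": "Role to enable Amazon ECS to manage your cluster."},
}

def _as_list(value):
    """IAM policy fields accept a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _describe(value):
    """Render a property value, resolving the two intrinsic forms used here."""
    if isinstance(value, dict) and "Ref" in value:
        return "!Ref " + str(value["Ref"])
    if isinstance(value, dict) and "Fn::ImportValue" in value:
        return "!ImportValue " + str(value["Fn::ImportValue"])
    return str(value)

def _trusted_by_ecs(role_props):
    """True if the role's trust policy lets ecs.amazonaws.com assume it."""
    for stmt in _as_list(role_props.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "ecs.amazonaws.com" in _as_list(principal.get("Service", [])):
            return True
    return False

def has_ecs_service_linked_role(template):
    """True if the template declares the ECS service-linked role."""
    return any(res.get("Type") == "AWS::IAM::ServiceLinkedRole"
               and res.get("Properties", {}).get("AWSServiceName") == "ecs.amazonaws.com"
               for res in template.get("Resources", {}).values())

def audit_ecs_service_roles(template):
    """Return human-readable findings; an empty list means the template is clean."""
    findings = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::ECS::Service" and "Role" in props:
            findings.append(f"{name}: passes Role {_describe(props['Role'])}; ECS uses the "
                            "service-linked role AWSServiceRoleForECS, so drop the property")
        elif res.get("Type") == "AWS::IAM::Role" and _trusted_by_ecs(props):
            # A hand-written role trusted by ECS: flag grants on Resource "*".
            for policy in props.get("Policies", []):
                for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement", [])):
                    if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
                        findings.append(f"{name}/{policy.get('PolicyName')}: allows "
                                        f"{', '.join(_as_list(stmt.get('Action', [])))} on Resource '*'")
    if not has_ecs_service_linked_role(template):
        findings.append("no AWS::IAM::ServiceLinkedRole for ecs.amazonaws.com declared; "
                        "make sure AWSServiceRoleForECS already exists in the account")
    return findings

if __name__ == "__main__":
    for label, tpl in (("before", BEFORE_TEMPLATE), ("after", AFTER_TEMPLATE)):
        print(label, audit_ecs_service_roles(tpl) or ["clean"])
```

This is a template-level lint only: it cannot tell whether AWSServiceRoleForECS already exists in the account. Since an account holds a single ECS service-linked role, declaring AWS::IAM::ServiceLinkedRole in a stack fails if the CLI command from the old answer (or another stack) has already created it, which is why the last finding is phrased as a reminder to check the account rather than as an instruction to add the resource.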