ECS service permission problem when using an ALB

Time: 2018-03-01 16:00:49

Tags: amazon-cloudformation amazon-iam amazon-ecs

I am trying to deploy an ECS stack behind an ALB using CloudFormation, and I get an error when the service is created that looks like a missing permission to access the load balancer.

Here is the error: Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions.

Here is the service definition:

    "EcsService": {
      "Type":"AWS::ECS::Service",
      "DependsOn": [
        "loadBalancer",
        "EcsServiceRole"
      ],
      "Properties":{
        "Cluster":{
          "Ref": "EcsCluster"
        },
        "DesiredCount":"1",
        "DeploymentConfiguration":{
          "MaximumPercent":100,
          "MinimumHealthyPercent":0
        },
        "LoadBalancers": [
          {
            "ContainerName": "test-web",
            "ContainerPort": "80",
            "TargetGroupArn" : {
              "Ref": "loadBalancer"
            }
          }
        ],
        "Role":{
          "Ref": "EcsServiceRole"
        },
        "TaskDefinition":{
          "Ref": "runWebServerTaskDefinition"
        }
      }
    }

Here is the load balancer definition:

    "loadBalancer" : {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "testalb",
        "Scheme" : "internal",
        "Subnets" : [
          "subnet-b8217295",
          "subnet-ddaad2b8",
          "subnet-6d71fb51"
        ],
        "LoadBalancerAttributes" : [
          { "Key" : "idle_timeout.timeout_seconds", "Value" : "50" }
        ],
        "SecurityGroups": [
          { "Ref": "InstanceSecurityGroupOpenWeb" },
          { "Ref" : "InstanceSecurityGroupOpenFull" }
        ],
        "Tags" : [
          { "Key" : "key", "Value" : "value" },
          { "Key" : "key2", "Value" : "value2" }
        ]
      }
    }

Here is the IAM role the service should use:

    "EcsServiceRole": {
      "Type":"AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement":[
            {
              "Effect":"Allow",
              "Principal":{
                "Service":[
                  "ecs.amazonaws.com"
                ]
              },
              "Action":[
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path":"/",
        "Policies":[
          {
            "PolicyName":"ecs-service",
            "PolicyDocument":{
              "Statement":[
                {
                  "Effect":"Allow",
                  "Action":[
                    "elasticloadbalancing:*",
                    "ec2:*"
                  ],
                  "Resource":"*"
                }
              ]
            }
          }
        ]
      }
    }

I cannot find a specific namespace for ALB in IAM. Any ideas?

2 answers:

Answer 0 (score: 1)

TargetGroupArn should point to a Target Group ARN, not the ALB ARN. Currently it points to the Load Balancer ARN.

    "TargetGroupArn" : {
      "Ref": "loadBalancer"
    },

Answer 1 (score: 0)

UPDATE: As of July 19, 2018, it is now possible to create IAM service-linked roles with CloudFormation.

    EcsServiceLinkedRole:
      Type: "AWS::IAM::ServiceLinkedRole"
      Properties:
        AWSServiceName: "ecs.amazonaws.com"
        Description: "Role to enable Amazon ECS to manage your cluster."

OLD ANSWER: Since AWS introduced service-linked roles, I no longer specify a Role for AWS::ECS::Service. It defaults to the service-linked role, which has all the necessary permissions.
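Putting answer 0 (reference a target group, not the ALB) and answer 1 (omit Role and rely on the service-linked role) together, as an added example that is not code from the question or either answer: VpcId is an assumed template parameter, the target group name and health-check path are made up, and loadBalancer, EcsCluster and runWebServerTaskDefinition are the question's own logical IDs.

```yaml
# Added example, not from the question or answers. VpcId is an assumed
# parameter; the other logical IDs come from the question's template.
Resources:
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: testalb-web-tg           # constructed name
      Port: 80
      Protocol: HTTP
      TargetType: instance           # EC2 launch type; use "ip" for awsvpc/Fargate
      HealthCheckPath: /
      VpcId: !Ref VpcId              # assumed parameter, not in the question

  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref loadBalancer    # Ref on an ALB resource yields the ALB ARN
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup  # Ref on a target group yields its ARN

  EcsService:
    Type: AWS::ECS::Service
    # ECS checks that the target group is attached to a load balancer; that
    # attachment only exists once the listener is created, hence DependsOn.
    DependsOn: Listener
    Properties:
      Cluster: !Ref EcsCluster
      DesiredCount: 1
      DeploymentConfiguration:
        MaximumPercent: 100
        MinimumHealthyPercent: 0
      LoadBalancers:
        - ContainerName: test-web
          ContainerPort: 80
          TargetGroupArn: !Ref TargetGroup   # the target group, not the ALB
      TaskDefinition: !Ref runWebServerTaskDefinition
      # No Role property: ECS falls back to the AWSServiceRoleForECS
      # service-linked role, so the question's inline policy is not needed.
```

Dropping the Role property also drops the question's elasticloadbalancing:* and ec2:* grant on Resource "*"; the AWSServiceRoleForECS service-linked role carries only the permissions ECS needs for target registration and ENI management.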