ECS CLI - 您无法为需要服务链接角色的服务指定IAM角色

时间:2018-05-25 20:41:02

标签: aws-cli aws-ecs aws-fargate aws-ecr

我试图通过aws cli将容器部署到ECS(Fargate)。我能够成功创建任务定义,当我想向Fargate集群添加新服务时就会出现问题。

这是执行命令:

aws ecs create-service --cli-input-json file://aws_manual_cfn/ecs-service.json

这是我得到的错误:

An error occurred (InvalidParameterException) when calling the CreateService operation: You cannot specify an IAM role for services that require a service linked role.`

ECS-service.json 

{
"cluster": "my-fargate-cluster",
"role": "AWSServiceRoleForECS",
"serviceName": "dropinfun-spots",
"desiredCount": 1,
"launchType": "FARGATE",
"networkConfiguration": {
    "awsvpcConfiguration": {
        "assignPublicIp": "ENABLED",
        "securityGroups": ["sg-06d506f7e444f2faa"],
        "subnets": ["subnet-c8ffcbf7", "subnet-1c7b6078", "subnet-d47f7efb", "subnet-e704cfad", "subnet-deeb43d1", "subnet-b59097e8"]
     }
},
"taskDefinition": "dropinfun-spots-task",
"loadBalancers": [
    {
        "targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:283750935672:targetgroup/dropinfun-spots-target-group/c21992d4a411010f",
        "containerName": "dropinfun-spots-service",
        "containerPort": 80
    }
]
}

任务definition.json 

{
"family": "dropinfun-spots-task",
"executionRoleArn": "arn:aws:iam::283750935672:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
"memory": "0.5GB",
"cpu": "256",
"networkMode": "awsvpc",
"requiresCompatibilities": [
  "FARGATE"
],
"containerDefinitions": [
  {
    "name": "dropinfun-spots-service",
    "image": "283750935672.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
    "memory": 512,
    "portMappings": [
        {
          "containerPort": 80
        }
      ],
    "essential": true
  }
]
}

有关如何管理此链接角色错误的任何想法?

2 个答案:

答案 0 :(得分:4)

由于您正在尝试创建Fargate启动类型任务,因此在任务定义中将网络模式设置为awsvpc模式(Fargate仅支持awsvpc模式)。

在你的ecs-service.json中,我可以看到它有"role": "AWSServiceRoleForECS"。您似乎正在尝试为此服务分配服务角色。 AWS不允许为需要服务链接角色的服务指定IAM角色。

如果您因为要使用负载均衡器而分配了服务IAM角色,则可以将其删除。因为使用awsvpc网络模式的任务定义使用自动为您创建的服务链接角色[1]。

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html#create-service-linked-role

答案 1 :(得分:0)

代替指定"role": "AWSServiceRoleForECS"

如果要为服务(容器)分配特定角色,还可以指定taskRoleArnexecutionRoleArn。如果您希望您的容器代表您访问其他AWS服务,这将非常有用。

task-definition.json 

{
"family": "dropinfun-spots-task",
"executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
"taskRoleArn" : "here_you_can_define_arn_of_a_specific_iam_role"
"memory": "0.5GB",
"cpu": "256",
"networkMode": "awsvpc",
"requiresCompatibilities": [
  "FARGATE"
],
"containerDefinitions": [
  {
    "name": "dropinfun-spots-service",
    "image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
    "memory": 512,
    "portMappings": [
        {
          "containerPort": 80
        }
      ],
    "essential": true
  }
]
}

注释:张贴aws account_id是非常不好的做法:“ {

相关问题
最新问题