ECS error assuming the task role

Time: 2018-08-12 16:52:58

Tags: amazon-web-services amazon-iam

I have the following code in a CloudFormation template for the role and policy of a task definition that needs to pull images from my ECR registry:

  TaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    DependsOn:
      - TaskPolicy0
    Properties:
      Family: !Sub '${EcsTaskDefFamily}'
      TaskRoleArn: !Ref EcsTaskRole
      ContainerDefinitions:
        - Name: !Ref NodeContName
          Essential: 'true'
          Image: !Ref ImageFullName     ### PULLED IMAGE
          Memory: !Ref ContainerMemory
          MemoryReservation: !Ref ContainerMemoryReservation
          PortMappings:
            - ContainerPort: !Ref NodeContainerPort
              HostPort: !Ref NodeHostPort
              Protocol: tcp
  EcsTaskRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: !Ref EcsTaskRolePath
  TaskPolicy0:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: ecr-readonly
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
              - 'ecr:GetAuthorizationToken'
              - 'ecr:BatchCheckLayerAvailability'
              - 'ecr:GetDownloadUrlForLayer'
              - 'ecr:GetRepositoryPolicy'
              - 'ecr:DescribeRepositories'
              - 'ecr:ListImages'
              - 'ecr:DescribeImages'
              - 'ecr:BatchGetImage'
            Resource: '*'
      Roles:
        - !Ref EcsTaskRole

But when I run the CloudFormation template, I get the following error:

[screenshot of the CloudFormation error message; not reproduced here]

What is that? I have already defined the trust policy. I did not define an IAM role for CloudFormation, but I am running this template from an administrator account with the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Edit

When I change EcsTaskRolePath from "ecs/services/tasks/" to "/" (the same path the administrator user that creates the stack has), the error disappears and everything works fine. What is the problem? Can someone give me some information about this IAM path, because all I have found is a single page in the documentation?
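As an added example that is not part of the question, the following Python checks a value against the Path constraint documented for the IAM CreateRole API (a lone "/" or a string that begins and ends with "/", with only ASCII 0x21 to 0x7F in between, at most 512 characters) and shows where the path ends up in the role ARN, which is what a least-privilege policy can match on. The account id and role name are constructed sample values.

```python
import re

# Path constraint from the IAM CreateRole API reference (assumed to be current):
# either "/" alone, or a string that starts and ends with "/" whose interior
# characters are all in the ASCII range 0x21 (!) through 0x7F (DEL).
IAM_PATH_RE = re.compile(r"/|/[\x21-\x7F]+/")
IAM_PATH_MAX_LEN = 512


def is_valid_iam_path(path: str) -> bool:
    """True if `path` satisfies the documented IAM Path regex and length limit."""
    return 0 < len(path) <= IAM_PATH_MAX_LEN and IAM_PATH_RE.fullmatch(path) is not None


def role_arn(account_id: str, path: str, role_name: str) -> str:
    """Build the ARN IAM assigns to a role: the path sits between 'role' and the name."""
    if not is_valid_iam_path(path):
        raise ValueError(f"invalid IAM path: {path!r}")
    return f"arn:aws:iam::{account_id}:role{path}{role_name}"


def arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style Resource match: '*' matches any run of characters, '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


if __name__ == "__main__":
    # Constructed sample values: the doc-style placeholder account id and the
    # logical role name from the template above.
    account, name = "123456789012", "EcsTaskRole"
    for candidate in ("/", "/ecs/services/tasks/", "ecs/services/tasks/", "/ecs/services/tasks"):
        print(f"{candidate!r:26} valid={is_valid_iam_path(candidate)}")
    arn = role_arn(account, "/ecs/services/tasks/", name)
    # A policy scoped to the path grants e.g. iam:PassRole only for roles under it.
    scoped = f"arn:aws:iam::{account}:role/ecs/services/tasks/*"
    print(arn, arn_matches(scoped, arn))
```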

0 answers:

No answers