我正在尝试使用ECS自动化基础架构和应用程序部署。部署逻辑相当复杂,并且随着时间的推移可能会变得更加复杂,因此我选择使用Node.js来处理业务流程。部署中的某些步骤要求我在容器中执行另一个二进制文件,特别是terraform。问题是由Node.js创建的子进程似乎没有与Node.js进程相同的权限。
一些详细信息
terraform 尝试调用AWS api时,产生以下错误“ NoCredentialProviders:链中没有有效的提供程序。已弃用。” 排查了一段时间后,我相当确信这个问题与任务角色没有传递给子进程有关。可以做到这一点吗?如果可以,该怎么做?
如果有帮助,以下是经过修改的Terraform脚本,用于说明ECS的设置。主要区别在于我实际使用的任务角色拥有更多权限。
# Fargate task that runs the Node.js orchestrator, which in turn shells out to terraform.
# NOTE(review): on ECS the task role is delivered to the container as temporary credentials
# that the SDKs locate through the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment
# variable; a child process spawned with a custom `env` that omits that variable sees no
# task role at all — confirm the spawn call inherits process.env before suspecting IAM.
resource "aws_ecs_task_definition" "deploy" {
  family                   = "deploy-task"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512

  # Role assumed by the code running inside the container (terraform's AWS calls).
  task_role_arn = "${aws_iam_role.task.arn}"

  # Role the ECS agent uses on the task's behalf (image pull, log delivery — see the
  # AmazonECSTaskExecutionRolePolicy attachment); not exposed to the application.
  execution_role_arn = "${aws_iam_role.execution.arn}"

  # NOTE(review): ":latest" is a mutable tag; pinning an immutable tag or a digest keeps
  # deployments reproducible and stops a re-pushed image from silently changing what
  # runs with this task role.
  container_definitions = <<EOF
[
  {
    "name": "deploy",
    "image": "<ecr image uri>:latest",
    "essential": true,
    "memoryReservation": 128,
    "logConfiguration": {
      "logDriver": "awslogs",
      "options": {
        "awslogs-group": "/ecs/deploy-task",
        "awslogs-region": "us-east-1",
        "awslogs-stream-prefix": "ecs"
      }
    }
  }
]
EOF
}
# Cluster that hosts the deploy task; nothing else is configured on it here.
resource "aws_ecs_cluster" "deploy" {
  name = "deploy-cluster" # referenced by the task run, not by any resource in this file
}
# The "task role": the identity the application inside the container runs as.
# NOTE(review): the trust policy is not scoped with aws:SourceAccount / aws:SourceArn
# conditions, which AWS documents as the confused-deputy mitigation for service
# principals — worth confirming for a role that will carry deployment permissions.
resource "aws_iam_role" "task" {
  name = "ecs-deploy-task"

  # Only the ECS tasks service may assume this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
# Inline, read-only permission for the task role: GetObject on one bucket's objects.
# NOTE(review): the Resource is a placeholder in the original; the real value has to be
# an object ARN of the form arn:aws:s3:::<bucket-name>/*, not a bare bucket name.
resource "aws_iam_role_policy" "s3-policy" {
  name = "s3-policy"
  role = "${aws_iam_role.task.id}"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "<private s3 bucket>/*"
    }
  ]
}
EOF
}
# The "execution role": used by the ECS agent for the task, not by the container's code.
# Its trust policy is identical to the task role's (ECS tasks service principal only).
resource "aws_iam_role" "execution" {
  name = "ecs-deploy-execution"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}
# Grants the execution role the AWS-managed permissions ECS needs for this task
# (ECR pull and CloudWatch Logs delivery, per the managed policy's scope).
resource "aws_iam_role_policy_attachment" "execution" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
  role       = "${aws_iam_role.execution.id}"
}