Fargate task: AWSSecurityTokenService access denied

Time: 2019-03-24 01:52:10

Tags: amazon-web-services amazon-iam prometheus aws-fargate

I am trying to get Prometheus's CloudWatch Exporter running as a Fargate task. I am building a custom image based on the prom/cloudwatch-exporter image, adding a configuration file.

When the container comes up, I see the following error in the logs:


com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Access Denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: REQUEST-ID)

The call that produces the error appears to be this one:


at com.amazonaws.services.cloudwatch.AmazonCloudWatchClient.listMetrics(AmazonCloudWatchClient.java:684)

Both the task execution role and the task role have the following policy attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "*"
        }
    ]
}

Here is the container definition:

{
  "dnsSearchDomains": null,
  "logConfiguration": {
    "logDriver": "awslogs",
    "options": {
      "awslogs-group": "LOG-GROUP",
      "awslogs-region": "REGION",
      "awslogs-stream-prefix": "LOG-PREFIX"
    }
  },
  "entryPoint": null,
  "portMappings": [
    {
      "hostPort": 9106,
      "protocol": "tcp",
      "containerPort": 9106
    }
  ],
  "command": null,
  "linuxParameters": null,
  "cpu": 0,
  "environment": [],
  "resourceRequirements": null,
  "ulimits": null,
  "dnsServers": null,
  "mountPoints": [],
  "workingDirectory": null,
  "secrets": null,
  "dockerSecurityOptions": null,
  "memory": null,
  "memoryReservation": null,
  "volumesFrom": [],
  "image": "ACCOUNTID.dkr.ecr.REGION.amazonaws.com/mycustomimage:latest",
  "disableNetworking": null,
  "interactive": null,
  "healthCheck": null,
  "essential": true,
  "links": null,
  "hostname": null,
  "extraHosts": null,
  "pseudoTerminal": null,
  "user": null,
  "readonlyRootFilesystem": null,
  "dockerLabels": null,
  "systemControls": null,
  "privileged": null,
  "name": "container-name"
}

Why does the container not authenticate using the IAM policy? Every other policy in the setup seems to work as expected: the cluster can pull the custom image from the ECR repository, logs are being written, and so on.

1 answer:

Answer 0 (score: 0)

I figured it out. CloudWatch Exporter lets you pass an IAM role ARN through the config property role_arn. If that value is set, the application uses STSAssumeRoleSessionCredentialsProvider to establish credentials. Fargate apparently does not support this (the approach works in EC2-based ECS containers). If you do not use role_arn, the application creates a new client with default settings, which uses the DefaultAWSCredentialsProviderChain class, and that works like a charm.
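As an added example (not part of the question or the answer above), a small pre-deployment check that applies the answer's reasoning to the question's own task-role policy: it reports when a role_arn setting would force an STS AssumeRole call that the policy cannot satisfy, and produces the config with role_arn removed so the default provider chain picks up the ECS task role instead. It assumes the exporter's config keys region, role_arn and metrics, and the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable that ECS sets in a task that has a task role; the role ARN is a placeholder.

```python
from fnmatch import fnmatchcase

# Constructed cloudwatch_exporter config (as parsed from its YAML); the role_arn value is a placeholder.
EXPORTER_CONFIG = {
    "region": "REGION",
    "role_arn": "arn:aws:iam::ACCOUNTID:role/PLACEHOLDER-ROLE",
    "metrics": [{"aws_namespace": "AWS/ECS", "aws_metric_name": "CPUUtilization"}],
}

# The task-role policy exactly as shown in the question.
TASK_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"], "Resource": "*"}]}


def policy_allows(policy, action):
    """True if an Allow statement covers `action`; IAM action matching is case-insensitive with * and ? wildcards."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(fnmatchcase(action.lower(), pattern.lower()) for pattern in actions):
            return True
    return False


def credential_source(config, environ):
    """Credential path the exporter takes: role_arn forces STS AssumeRole; otherwise the default
    chain, whose container provider reads AWS_CONTAINER_CREDENTIALS_RELATIVE_URI for the ECS task role."""
    if config.get("role_arn"):
        return "sts-assume-role"
    if "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" in environ:
        return "ecs-task-role"
    return "default-chain-other"


def findings(config, policy, environ):
    """List reasons listMetrics would be denied for this config/policy pair (the target role's trust policy is not checked)."""
    out = []
    if credential_source(config, environ) == "sts-assume-role" and not policy_allows(policy, "sts:AssumeRole"):
        out.append("role_arn is set but the task role grants no sts:AssumeRole: the STS call will be denied")
    for action in ("cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics"):
        if not policy_allows(policy, action):
            out.append(f"task role lacks {action}")
    return out


def without_role_arn(config):
    """The answer's fix: drop role_arn so the exporter falls back to DefaultAWSCredentialsProviderChain."""
    return {k: v for k, v in config.items() if k != "role_arn"}
```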