I am building the following infrastructure for a project that uses FastAPI for its API design. There are two microservices, /user/* and /admin/*, which read and update data stored in DynamoDB.
The setup is as follows: I have a VPC with 2 availability zones, each hosting one public subnet and one private subnet. Each public subnet has a NAT gateway for the private subnet in the same availability zone. An Internet gateway is attached to the VPC. A VPC endpoint for DynamoDB has been created. An ECS cluster has been created with Fargate as the launch type, and the service runs in the two private subnets.
The CloudFormation template builds, but API requests return an internal server error. I believe the problem is that the container does not have the correct access to the DynamoDB table.
Here is the IAM role I created and attached to the ECS container (ECSTaskExecutionRole):
ECSTaskExecutionRole:
  Type: AWS::IAM::Role
  # Role for ECS task
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [ecs-tasks.amazonaws.com]
          Action: ['sts:AssumeRole']
    Path: /
    Policies:
      - PolicyName: AmznECSTaskExecutionRolePolicy
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                # ECS tasks to download images from ECR
                - ecr:GetAuthorizationToken
                - ecr:BatchCheckLayerAvailability
                - ecr:GetDownloadUrlForLayer
                - ecr:BatchGetImage
                # ECS tasks to upload logs to CloudWatch
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:PutLogEvents
                - logs:DescribeLogStreams
                # ECS tasks to use DynamoDB
                - dynamodb:Batch*
                - dynamodb:Delete*
                - dynamodb:DescribeTable
                - dynamodb:GetItem
                - dynamodb:PutItem
                - dynamodb:Update*
              Resource: '*'
Here is the VPC endpoint for DynamoDB:
DynamoDBVpcEndpoint:
  Type: AWS::EC2::VPCEndpoint
  Properties:
    VpcId: !Ref VPC
    ServiceName: !Sub "com.amazonaws.${AWS::Region}.dynamodb"
    VpcEndpointType: Gateway
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: '*'
          Principal: '*'
          Resource: '*'
    RouteTableIds:
      - !Ref VPCPrivateRouteTable1
      - !Ref VPCPrivateRouteTable2
I have also made sure that the route tables of the private subnets contain a route for the DynamoDB endpoint.
Any help would be greatly appreciated! Thank you.
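As an added illustration (not code from the question or from any answer), the following least-privilege check runs over the two policy documents above, transcribed from the CloudFormation YAML into plain dicts. It flags the DynamoDB actions granted on Resource '*' instead of a table ARN, the mixing of application data access with the ECR/CloudWatch permissions that ECS itself uses on the execution role (the task role supplied via TaskRoleArn is what application code in the container receives), and the endpoint policy that allows any principal any action. Finding codes and the ROLE_POLICY/ENDPOINT_POLICY names are assumptions of this example.

```python
# Policy documents transcribed from the question's CloudFormation YAML into
# dicts (the JSON form) so the check runs without a YAML parser.
ROLE_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
            "logs:CreateLogGroup", "logs:CreateLogStream",
            "logs:PutLogEvents", "logs:DescribeLogStreams",
            "dynamodb:Batch*", "dynamodb:Delete*", "dynamodb:DescribeTable",
            "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Update*",
        ],
        "Resource": "*",
    }],
}
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*",
                   "Principal": "*", "Resource": "*"}],
}
AGENT_PREFIXES = ("ecr:", "logs:")  # actions the ECS agent needs, not the app


def _as_list(value):
    """IAM accepts either a single string or a list in these fields."""
    return value if isinstance(value, list) else [value]


def _is_any_principal(principal):
    """True for Principal: '*' or Principal: {AWS: '*'}."""
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))


def lint_policy(policy, data_prefix="dynamodb:"):
    """Return least-privilege findings as (statement index, finding code)."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        principals = _as_list(stmt.get("Principal", []))
        data = [a for a in actions if a == "*" or a.startswith(data_prefix)]
        agent = [a for a in actions if a.startswith(AGENT_PREFIXES)]
        if data and "*" in resources:  # every table, not one table ARN
            findings.append((idx, "data-actions-on-wildcard-resource"))
        if data and agent:  # app data access bundled with agent-only access
            findings.append((idx, "data-actions-mixed-with-agent-actions"))
        if "*" in actions and any(_is_any_principal(p) for p in principals):
            findings.append((idx, "any-principal-any-action"))
    return findings
```

Scoping Resource to the table ARN and keeping the DynamoDB statement on a separate task role clears all three findings; the same function can be pointed at other services by changing data_prefix.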