ECS Fargate service - which role needs access to the KMS-encrypted secrets?

Time: 2019-07-13 11:43:23

标签: amazon-web-services amazon-iam aws-fargate aws-kms

I am trying to set up an ECS service that will run a single task with MySQL and a web server. I want to inject some runtime parameters from SSM Parameter Store as environment variables. Some of them will be plain text, while others will be encrypted with KMS. So, suppose I have the following task definition:

{
  "ipcMode": null,
  "executionRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/wordpress-test",
          "awslogs-region": "eu-central-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 80,
          "protocol": "tcp",
          "containerPort": 80
        }
      ],
      "memoryReservation": 512,
      "name": "wordpress"
    },
    {
      "dnsSearchDomains": null,
      "logConfiguration": {
        "logDriver": "awslogs",
        "secretOptions": null,
        "options": {
          "awslogs-group": "/ecs/wordpress-test",
          "awslogs-region": "eu-central-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "secrets": [
        {
          "valueFrom": "arn:aws:ssm:eu-central-1:657433956652:parameter/project/dev/db.connection.default.password",
          "name": "MYSQL_ROOT_PASSWORD"
        }
      ],
      "memoryReservation": 512,
      "name": "mysql"
    }
  ],
  "placementConstraints": [],
  "memory": "1024",
  "taskRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
  "compatibilities": [
    "FARGATE"
  ],
  "taskDefinitionArn": "arn:aws:ecs:eu-central-1:657433956652:task-definition/wordpress-test:1",
  "family": "wordpress-test",
  "networkMode": "awsvpc",
  "cpu": "512"
}

The question is: which role should have permission to read from SSM Parameter Store and to use the key that encrypts the SecureString parameters? Is it actually the Service, the Cluster, or even the Pipeline that creates the service dynamically?

1 answer:

Answer 0 (score: 0)

Your ecsTaskExecutionRole should have access to the SSM parameters.

Create an inline policy and attach it to arn:aws:iam::657433956652:role/ecsTaskExecutionRole

From the documentation sample:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
        "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
        "arn:aws:kms:<region>:<aws_account_id>:key/key_id"
      ]
    }
  ]
}

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html#secrets-iam
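An added example (not code from the question or the answer) that checks, offline, whether an execution-role policy in the shape of the documentation sample actually covers every `secrets` entry in a task definition, and points out that the question's task definition reuses ecsTaskExecutionRole as the taskRoleArn, so the application containers inherit the secret-fetching rights too. The account id, key id and parameter ARNs are constructed placeholders; `make_policy`, `allowed` and `check_secrets` are hypothetical helper names.

```python
import fnmatch

# Constructed inputs modelled on the question and answer; account id and key id are placeholders.
ACCOUNT = "123456789012"
PARAM_ARN = f"arn:aws:ssm:eu-central-1:{ACCOUNT}:parameter/project/dev/db.connection.default.password"
KMS_KEY_ARN = f"arn:aws:kms:eu-central-1:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"

TASK_DEF = {
    "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole",
    "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {"name": "wordpress"},
        {"name": "mysql", "secrets": [{"name": "MYSQL_ROOT_PASSWORD", "valueFrom": PARAM_ARN}]},
    ],
}

def make_policy(resources):
    """Execution-role inline policy in the shape of the answer's sample, scoped to `resources`."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameters", "secretsmanager:GetSecretValue", "kms:Decrypt"],
        "Resource": list(resources)}]}

# Action the ECS agent needs, keyed by the service named in the secret's ARN.
SERVICE_ACTION = {"ssm": "ssm:GetParameters", "secretsmanager": "secretsmanager:GetSecretValue"}

def allowed(policy, action, resource):
    """True if some Allow statement grants `action` on `resource` (IAM-style * and ? wildcards)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
           any(fnmatch.fnmatchcase(resource, r) for r in resources):
            return True
    return False

def check_secrets(task_def, policy, kms_key_arn):
    """Return findings for secrets the execution role cannot fetch, plus a least-privilege note."""
    findings = []
    for c in task_def["containerDefinitions"]:
        for s in c.get("secrets", []):
            arn, where = s["valueFrom"], f"{c['name']}/{s['name']}"
            action = SERVICE_ACTION.get(arn.split(":")[2])
            if action is None or not allowed(policy, action, arn):
                findings.append(f"{where}: missing {action} on {arn}")
            # A SecureString under a customer managed key also needs kms:Decrypt on that key.
            if not allowed(policy, "kms:Decrypt", kms_key_arn):
                findings.append(f"{where}: missing kms:Decrypt on {kms_key_arn}")
    if task_def.get("taskRoleArn") == task_def.get("executionRoleArn"):
        findings.append("taskRoleArn equals executionRoleArn: the app containers inherit secret-fetching rights")
    return findings
```

Scoping the `Resource` entries to the exact parameter path and key, and giving the application its own task role, keeps the containers from being able to read every parameter the agent can.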