我是第一次使用AWS ECS服务,并且遇到了一些权限问题。我正在使用terraform创建任务定义和服务定义。
我的任务定义json配置:
[
{
"dnsSearchDomains": null,
"logConfiguration": null,
"portMappings": [
{
"containerPort": 80,
"hostPort": 0,
"protocol": "tcp"
}
],
"entryPoint": [
"httpd",
"-DFOREGROUND"
],
"command": null,
"linuxParameters": null,
"cpu": 0,
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": [
...my_secrets..
],
"dockerSecurityOptions": null,
"memory": 350,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "${api_image}",
"startTimeout": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "myApp"
}
]
我为任务定义iam_role.tf创建的IAM角色:
resource "aws_iam_role" "api" {
name = "api-${var.environment}"
assume_role_policy = "${file("../../policies/iam_ecs_role.json")}"
tags = {
terraform = true
}
}
# Attach SSM read only policy to read from param store.
resource "aws_iam_role_policy_attachment" "attach-ssm" {
role = "${aws_iam_role.api.name}"
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
}
# Attach policy to allow read and push from ECR.
resource "aws_iam_role_policy_attachment" "attach-ecs-task" {
role = "${aws_iam_role.api.name}"
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
# Attach policy to allow access to KSM to decrypt ssm values.
resource "aws_iam_role_policy_attachment" "attach-ksm" {
role = "${aws_iam_role.api.name}"
policy_arn = "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser"
}
resource "aws_iam_role_policy_attachment" "attach-admin" {
role = "${aws_iam_role.api.name}"
policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
以及先前角色资源中的策略json文件:
{
"Version": "2008-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"ecs.amazonaws.com",
"ec2.amazonaws.com",
"ecs-tasks.amazonaws.com"
]
},
"Effect": "Allow"
}
]
}
我遇到的问题是,当我启动将服务部署到群集时,在任务中出现以下错误:
CannotPullContainerError:来自守护程序的错误响应:xxxxxxxxx.xxx.ecr.us-east-1.amazonaws.com/my-image的拉式访问被拒绝,存储库不存在或可能需要“ docker登录”
我似乎无法弄清楚为什么任务无法从ecr中提取。启动容器的实例存在于公共子网中,并且具有公共ip,因此它肯定可以访问Internet。我在这里想念什么?
答案 0 :(得分:0)
您应该在ECS Task Execution IAM Role
中获得ECR的许可。
这是任务执行角色的示例策略。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
请参阅:
这里是AWS Document关于ecs任务执行角色