I (an AWS newbie) am playing with the AWS CDK. I want to build a simple Spring service running in Fargate with DynamoDB as the database. It seems my service cannot access Dynamo because some permission is missing. In the CloudWatch logs I see the following error message:
com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException: User: arn:aws:sts::xxxxxxxxxx:assumed-role/MyCdkAppStack-TaskDefTaskRole1EDB4A67-xxxxxxxx/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:eu-central-1:xxxxxxxxxxx:table/MyDynamoDbTable (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: XXXXX)
As for the permissions on the table, I thought this should grant sufficient permissions to the Fargate service's task role:
```typescript
props.dependencies.dynamoDb.grantReadWriteData(taskDefinition.taskRole);
```
In the AWS console the permissions also seem to be there: when I go to the corresponding task, the corresponding role appears to have all the permissions.
Still, it does not work, so obviously I am missing something or doing something wrong. Any hints on how to connect a Fargate service with a DynamoDB table in a CDK app?
Thanks, any tips would be appreciated :)
Edit: sorry for the delay... The stack:
```typescript
import * as cdk from '@aws-cdk/core';
import { RemovalPolicy } from '@aws-cdk/core';
import { Vpc } from '@aws-cdk/aws-ec2';
import { IRepository } from '@aws-cdk/aws-ecr';
import { AwsLogDriver, Cluster, ContainerImage } from '@aws-cdk/aws-ecs';
import { ApplicationLoadBalancedFargateService } from '@aws-cdk/aws-ecs-patterns';
import { AttributeType, BillingMode, Table } from '@aws-cdk/aws-dynamodb';
import { RetentionDays } from '@aws-cdk/aws-logs';

// Not shown in the question; assumed shape of the props, derived from the
// `props.dependencies.appRepo` usage below.
interface MyCdkAppStackProps extends cdk.StackProps {
  dependencies: { appRepo: IRepository };
}

export class MyCdkAppStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props: MyCdkAppStackProps) {
    super(scope, id, props);
    const appId = 'myService';

    // The table the service should read from and write to.
    const table = new Table(this, 'MyDynamoDbTable', {
      tableName: 'MyDynamoDbTable',
      partitionKey: { name: 'Id', type: AttributeType.STRING },
      billingMode: BillingMode.PAY_PER_REQUEST,
      removalPolicy: RemovalPolicy.DESTROY,
    });

    const logDriver = new AwsLogDriver({
      logRetention: RetentionDays.ONE_WEEK,
      streamPrefix: 'test-stream-prefix',
    });

    const vpc = new Vpc(this, 'cdk-my-vpc', { maxAzs: 2 });
    new cdk.CfnOutput(this, 'MyVpc', { value: vpc.vpcId });

    const cluster = new Cluster(this, 'MyCluster', {
      vpc: vpc,
      clusterName: appId,
    });

    const appImage = ContainerImage.fromEcrRepository(props.dependencies.appRepo, 'latest');
    const applicationLoadBalancedFargateService = new ApplicationLoadBalancedFargateService(this, 'FargateService', {
      cluster: cluster,
      taskImageOptions: {
        image: appImage,
        containerPort: 8080,
        logDriver: logDriver,
      },
    });

    // Grant the task role read/write access to the table.
    table.grantReadWriteData(applicationLoadBalancedFargateService.taskDefinition.taskRole);
  }
}
```
The task role policy after cdk synth:
```json
"FargateServiceTaskDefTaskRoleDefaultPolicy63F83D6F": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [
            "dynamodb:BatchGetItem",
            "dynamodb:GetRecords",
            "dynamodb:GetShardIterator",
            "dynamodb:Query",
            "dynamodb:GetItem",
            "dynamodb:Scan",
            "dynamodb:BatchWriteItem",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem"
          ],
          "Effect": "Allow",
          "Resource": [
            {
              "Fn::GetAtt": [
                "MyDynamoDbTableC81ED735",
                "Arn"
              ]
            },
            {
              "Ref": "AWS::NoValue"
            }
          ]
        }
      ],
      "Version": "2012-10-17"
    },
    "PolicyName": "FargateServiceTaskDefTaskRoleDefaultPolicy63F83D6F",
    "Roles": [
      {
        "Ref": "FargateServiceTaskDefTaskRole8CDCF85E"
      }
    ]
  }
}
```
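A check worth running against the synthesized template before trusting the console view: list the role logical IDs that are actually allowed the denied action on the table, and compare them with the role named in the AccessDenied ARN (CloudFormation names an unnamed role `<StackName>-<LogicalId>-<random>`; in the question the error names `TaskDefTaskRole1EDB4A67` while the synthesized policy attaches to `FargateServiceTaskDefTaskRole8CDCF85E`). This is an added example, not the asker's code; the template is a constructed excerpt modelled on the policy above, and the second, ungranted task role in it is an assumption.

```typescript
// Constructed template excerpt modelled on the policy in the question; the second
// task role (TaskDefTaskRole1EDB4A67, the logical ID seen in the error ARN) is an
// assumed, ungranted principal added for the demonstration.
const template: any = {
  Resources: {
    MyDynamoDbTableC81ED735: { Type: "AWS::DynamoDB::Table" },
    FargateServiceTaskDefTaskRole8CDCF85E: { Type: "AWS::IAM::Role" },
    TaskDefTaskRole1EDB4A67: { Type: "AWS::IAM::Role" },
    FargateServiceTaskDefTaskRoleDefaultPolicy63F83D6F: {
      Type: "AWS::IAM::Policy",
      Properties: {
        PolicyDocument: { Version: "2012-10-17", Statement: [{
          Effect: "Allow",
          Action: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem"],
          Resource: [{ "Fn::GetAtt": ["MyDynamoDbTableC81ED735", "Arn"] }, { Ref: "AWS::NoValue" }],
        }] },
        Roles: [{ Ref: "FargateServiceTaskDefTaskRole8CDCF85E" }],
      },
    },
  },
};

const asList = (v: any): any[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action matching, including the "*" wildcard ("dynamodb:*" covers UpdateItem).
function actionMatches(pattern: string, action: string): boolean {
  const parts = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$", "i").test(action);
}

// Logical IDs of roles that some AWS::IAM::Policy allows `action` on the table ARN or on "*".
function rolesAllowed(tpl: any, action: string, tableLogicalId: string): string[] {
  const roles: string[] = [];
  for (const name of Object.keys(tpl.Resources)) {
    const res = tpl.Resources[name];
    if (res.Type !== "AWS::IAM::Policy") continue;
    const allowed = asList(res.Properties.PolicyDocument.Statement).some(s =>
      s.Effect === "Allow" &&
      asList(s.Action).some(a => actionMatches(a, action)) &&
      asList(s.Resource).some(r => r === "*" ||
        (r["Fn::GetAtt"] && r["Fn::GetAtt"][0] === tableLogicalId && r["Fn::GetAtt"][1] === "Arn")));
    if (allowed) asList(res.Properties.Roles).forEach(r => { if (r.Ref && roles.indexOf(r.Ref) < 0) roles.push(r.Ref); });
  }
  return roles.sort();
}

// A role without an explicit RoleName is named "<StackName>-<LogicalId>-<random>", so the
// logical ID can be recovered from the assumed-role ARN quoted in the error message.
function roleLogicalIdFromArn(assumedRoleArn: string, stackName: string): string {
  const roleName = assumedRoleArn.split("/")[1];
  if (roleName.indexOf(stackName + "-") !== 0) throw new Error(`${roleName} is not a role of stack ${stackName}`);
  return roleName.slice(stackName.length + 1, roleName.lastIndexOf("-"));
}
```

If the logical ID recovered from the error is not in the `rolesAllowed` list, the grant was attached to a different role than the one the running task assumes, which the console's per-role view does not make obvious.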