I am deploying containers on Fargate with Terraform.
I am running into an error:
error: Error creating IAM Role ecs_task_execution_role: MalformedPolicyDocument: Has prohibited field Resource status code: 400, request id: 351d657b-32ef-4ffa-a1e8-bee912e5c788 on ecs.tf line 74, in resource "aws_iam_role" "ecs_execution_role": 74: resource "aws_iam_role" "ecs_execution_role" {
My Terraform setup:
resource "aws_ecs_task_definition" "nginx" {
  family                   = "nginx-${var.app}"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = "256"
  memory                   = "512"
  execution_role_arn       = "${aws_iam_role.ecs_execution_role.arn}"
  task_role_arn            = "${aws_iam_role.ecs_execution_role.arn}"
  container_definitions    = <<DEFINITION
[
  ...
]
DEFINITION
}
resource "aws_iam_role" "ecs_execution_role" {
  name               = "ecs_task_execution_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecs:StartTask",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
What policy do I need? What is wrong with the current policy?
When I change the action attribute in the policy to "Action": "sts:AssumeRole", I get this error in the task logs:
Status reason CannotPullECRContainerError: AccessDeniedException: User: arn:aws:sts::993934193145:assumed-role/ecs_task_execution_role/0d2f817c-d7b5-4221-afb8-56baaee68b0e is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400, request
Answer 0 (score: 3)
assume_role_policy is only for the trust relationship, i.e. which IAM entity is allowed to assume the role.
The actual permissions to be added to the role can be placed in an aws_iam_policy and attached to the role with an aws_iam_role_policy_attachment.
For example, your code could be refactored to the following:
resource "aws_iam_role" "ecs_execution_role" {
  name               = "ecs_task_execution_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "ecs_permissions" {
  name        = "my_ecs_permissions"
  description = "Permissions to enable CT"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecs:StartTask",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "ecs_attachment" {
  role       = aws_iam_role.ecs_execution_role.name
  policy_arn = aws_iam_policy.ecs_permissions.arn
}
Answer 1 (score: 1)
This is actually the assume_role_policy, which is containing both the trust policy and the permissions.
Instead, you should move all the non-trust-policy permissions into a standard aws_iam_role_policy.
This aws_iam_role_policy is very similar to a standard IAM policy but slightly different, and it cannot use the aws_iam_policy resource. It can, however, use the aws_iam_policy_document data source; see the example below for how this works.
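The following is an added example, not code from the question or from either answer, that combines the two answers: the trust policy carries only the service principal and sts:AssumeRole (Answer 0), and the permissions live in an inline aws_iam_role_policy generated from an aws_iam_policy_document (Answer 1). It also tightens the permissions. The ecs:* actions in the question (CreateCluster, RegisterContainerInstance, Poll, and so on) are container-instance permissions for the ECS agent on EC2 hosts and are not needed by a Fargate task. ecr:GetAuthorizationToken does not support resource-level permissions and is the only action that needs Resource "*"; the pull and log actions are scoped to one repository and one log group. The task role is kept separate from the execution role so the application container does not inherit the image-pull permissions. The resources aws_ecr_repository.nginx and aws_cloudwatch_log_group.nginx are assumed to be defined elsewhere in the configuration, and the AWS provider is assumed to be v4 or later (where the log group ARN has no trailing ":*"). The aws:SourceAccount / aws:SourceArn conditions are the confused-deputy protection AWS documents for the ecs-tasks.amazonaws.com principal.

```hcl
# Added example; assumes aws_ecr_repository.nginx and
# aws_cloudwatch_log_group.nginx exist elsewhere in this configuration.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Trust policy: only the principal and sts:AssumeRole belong here.
# A "Resource" key in this document is what produced the
# MalformedPolicyDocument error in the question.
data "aws_iam_policy_document" "ecs_tasks_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }

    # Confused-deputy protection: only ECS tasks in this account/region
    # may assume the role, not tasks from another account.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    }
  }
}

# Execution role: used by the ECS agent to pull the image and ship logs.
resource "aws_iam_role" "ecs_execution_role" {
  name               = "ecs_task_execution_role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust.json
}

data "aws_iam_policy_document" "ecs_execution_permissions" {
  # GetAuthorizationToken has no resource-level permissions, so "*" is
  # unavoidable here, and only here.
  statement {
    sid       = "EcrAuth"
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # Pull only from the one repository this task definition uses.
  statement {
    sid    = "EcrPull"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]
    resources = [aws_ecr_repository.nginx.arn] # assumed resource
  }

  # Write only to the task's own log group (streams are children of it).
  statement {
    sid    = "TaskLogs"
    effect = "Allow"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = ["${aws_cloudwatch_log_group.nginx.arn}:*"] # assumed resource
  }
}

# Inline policy (Answer 1): created and destroyed together with the role.
resource "aws_iam_role_policy" "ecs_execution_permissions" {
  name   = "ecs_task_execution_permissions"
  role   = aws_iam_role.ecs_execution_role.id
  policy = data.aws_iam_policy_document.ecs_execution_permissions.json
}

# Task role for the application itself. It starts with no permissions;
# add a second aws_iam_role_policy here only for what the container calls.
resource "aws_iam_role" "ecs_task_role" {
  name               = "ecs_task_role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust.json
}
```

With this layout the task definition sets execution_role_arn to aws_iam_role.ecs_execution_role.arn and task_role_arn to aws_iam_role.ecs_task_role.arn. If a task still fails with CannotPullECRContainerError after apply, check the repository ARN in the EcrPull statement against the image URI in the container definition; the trust document no longer contains a Resource field, so the MalformedPolicyDocument error from the question cannot recur.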