我们的团队有一堆 cron 作业作为 ECS 计划任务运行。最近我添加了一个需要使用 dynamodb 的新作业,所以我在我们的 terraform 文件中添加了权限,但继续获得权限失败:
com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException:
User: arn:aws:sts::87********23:assumed-role/tcoe-tableau/74a408106bf543ee95dbe4841d00b0f7 is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics (Service: AmazonDynamoDBv2;
Status Code: 400; Error Code: AccessDeniedException; Request ID: H52U8GCS1JAB74OJ6VSSEFLCQNVV4KQNSO5AEMVJF66Q9ASUAAJG; Proxy: null)
我的相关地形如下:
首先,这里是ecs集群和任务定义:
resource "aws_ecs_cluster" "ecs-cluster" {
name = "${var.stack_id}"
tags {
StackId = "${var.stack_id}"
}
lifecycle {
ignore_changes = [
"tags"
]
}
}
resource "aws_ecs_task_definition" "task-definition" {
family = "${var.stack_id}"
network_mode = "awsvpc"
requires_compatibilities = [
"FARGATE"
]
cpu = "${var.cpu}"
memory = "${var.task_memory}"
task_role_arn = "${aws_iam_role.task_role.arn}"
execution_role_arn = "${aws_iam_role.ecs_task_execution_role.arn}"
container_definitions = <<EOF
[
{
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "${var.log_group}",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "${var.stack_id}"
}
},
"ulimits": [
{
"name": "nofile",
"softLimit": 4096,
"hardLimit": 8192
}
],
"image": "${var.ecr_account}.dkr.ecr.us-east-1.amazonaws.com/${var.ecr_namespace}/${var.stack_id}:latest",
"environment": [
{"name": "ENV", "value": "${var.environment}" }
],
"essential": true,
"privileged": false,
"name": "${var.stack_id}",
"memory": ${var.memory}
}
]
EOF
tags {
StackId = "${var.stack_id}"
}
}
那么这里是任务定义的任务角色:
resource "aws_iam_role" "task_role" {
name = "${var.stack_id}"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
${data.aws_caller_identity.current.account_id == var.dev_account ? "\"AWS\": [\"arn:aws:iam::61********19:role/${var.dev_role_name}\"]," : ""}
"Service": ["ecs-tasks.amazonaws.com"]
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_instance_profile" "task_role_profile" {
name = "${var.stack_id}"
role = "${aws_iam_role.task_role.name}"
}
最后,我将与 dynamodb 相关的策略添加到任务角色中:
resource "aws_iam_role_policy" "main" {
name = "${var.stack_id}-extra-policy"
role = "${aws_iam_role.task_role.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:List*",
"dynamodb:Get*",
"dynamodb:Describe*",
"dynamodb:DeleteItem",
"dynamodb:Put*",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics",
"arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics/index/*"
]
}
]
}
EOF
}
我在这里做错了什么还是遗漏了什么?
答案 0 :(得分:0)
我认为我的失败是由于使用role.id而不是role.name,我想弄清楚id和name之间的区别,所以我发布了这个问题aws iam role id vs role name in terraform, when to use which?,然后答案/评论指出那是完全一样的,这促使我回去仔细检查我的提交历史和构建历史,我意识到 role.id 不起作用的原因是由于我犯了一些人为错误。我的新代码有效不是因为我使用了 role.name,而是因为我在不知不觉中同时修复了另一个错误。
总而言之,role.id 和 role.name 完全相同。