Question

我们的团队有一堆 cron 作业作为 ECS 计划任务运行。最近我添加了一个需要使用 dynamodb 的新作业，所以我在我们的 terraform 文件中添加了权限，但继续获得权限失败：

com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException:
User: arn:aws:sts::87********23:assumed-role/tcoe-tableau/74a408106bf543ee95dbe4841d00b0f7 is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics (Service: AmazonDynamoDBv2;
Status Code: 400; Error Code: AccessDeniedException; Request ID: H52U8GCS1JAB74OJ6VSSEFLCQNVV4KQNSO5AEMVJF66Q9ASUAAJG; Proxy: null)

我的相关地形如下：

首先，这里是ecs集群和任务定义：

resource "aws_ecs_cluster" "ecs-cluster" {
  name = "${var.stack_id}"
  tags {
    StackId = "${var.stack_id}"
  }
  lifecycle {
    ignore_changes = [
      "tags"
    ]
  }
}

resource "aws_ecs_task_definition" "task-definition" {
  family                   = "${var.stack_id}"
  network_mode             = "awsvpc"
  requires_compatibilities = [
    "FARGATE"
  ]
  cpu                      = "${var.cpu}"
  memory                   = "${var.task_memory}"
  task_role_arn            = "${aws_iam_role.task_role.arn}"
  execution_role_arn       = "${aws_iam_role.ecs_task_execution_role.arn}"
  container_definitions    = <<EOF
[
  {
    "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "${var.log_group}",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "${var.stack_id}"
        }
    },
    "ulimits": [
      {
        "name": "nofile",
        "softLimit": 4096,
        "hardLimit": 8192
      }
    ],
    "image": "${var.ecr_account}.dkr.ecr.us-east-1.amazonaws.com/${var.ecr_namespace}/${var.stack_id}:latest",
    "environment": [
      {"name": "ENV", "value": "${var.environment}" }
    ],
    "essential": true,
    "privileged": false,
    "name": "${var.stack_id}",
    "memory": ${var.memory}
  }
]
EOF

  tags {
    StackId = "${var.stack_id}"
  }
}

那么这里是任务定义的任务角色：

resource "aws_iam_role" "task_role" {
  name = "${var.stack_id}"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        ${data.aws_caller_identity.current.account_id == var.dev_account ? "\"AWS\": [\"arn:aws:iam::61********19:role/${var.dev_role_name}\"]," : ""}
        "Service": ["ecs-tasks.amazonaws.com"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_instance_profile" "task_role_profile" {
  name = "${var.stack_id}"
  role = "${aws_iam_role.task_role.name}"
}

最后，我将与 dynamodb 相关的策略添加到任务角色中：

resource "aws_iam_role_policy" "main" {
  name = "${var.stack_id}-extra-policy"
  role = "${aws_iam_role.task_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:List*",
        "dynamodb:Get*",
        "dynamodb:Describe*",
        "dynamodb:DeleteItem",
        "dynamodb:Put*",
        "dynamodb:UpdateItem",
        "dynamodb:BatchWriteItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics",
        "arn:aws:dynamodb:us-east-1:87********23:table/tcoe-candyjar-metrics/index/*"
      ]
    }
  ]
}
EOF
}

我在这里做错了什么还是遗漏了什么？

Answer 1

我认为我的失败是由于使用role.id而不是role.name，我想弄清楚id和name之间的区别，所以我发布了这个问题aws iam role id vs role name in terraform, when to use which?，然后答案/评论指出那是完全一样的，这促使我回去仔细检查我的提交历史和构建历史，我意识到 role.id 不起作用的原因是由于我犯了一些人为错误。我的新代码有效不是因为我使用了 role.name，而是因为我在不知不觉中同时修复了另一个错误。

总而言之，role.id 和 role.name 完全相同。

Terraform 定义的任务角色无法为 ECS 计划任务正常工作

1 个答案: