Apache Airflow version: 2.1.2
Environment:
What happened:
I upgraded from 2.0.1 to 2.1.2 and fetching logs from S3 suddenly fails:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::111111111:assumed-role/airflow-ecs-task-role/cfdjkal342nk432hvbkjl34 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111:role/airflow-ecs-task-role
I am wondering why the ECS task itself cannot assume its own role. Isn't that the whole point of it?
What you expected to happen:
Fetching logs from remote S3 as before.
Anything else we need to know: All Fargate tasks (webserver, scheduler, workers) get the following environment variables. I followed this approach to generate the connection URI.
- Name: AIRFLOW_CONN_LOGS_S3
  Value: !Sub 's3://s3?aws_account_id=111111111&role_arn=arn%3Aaws%3Aiam%3A%3A919107267526%3Arole%2Fairflow-ecs-task-role'
- Name: AIRFLOW__LOGGING__REMOTE_LOGGING
  Value: 'true'
- Name: AIRFLOW__LOGGING__REMOTE_BASE_LOG_FOLDER
  Value: !Sub "s3://logs-bucket/"
- Name: AIRFLOW__LOGGING__REMOTE_LOG_CONN_ID
  Value: logs_s3
- Name: AIRFLOW__LOGGING__ENCRYPT_S3_LOGS
  Value: 'false'
How often does this problem occur? Once? Every time, etc.?
Any relevant logs to include? Put them here inside the details tag:
*** Failed to verify remote log exists s3://bucket/dag/dag/2021-07-23T11:37:30.860418+00:00/1.log.
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::111111111:assumed-role/airflow-ecs-task-role/cfdjkal342nk432hvbkjl34 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111:role/airflow-ecs-task-role
*** Falling back to local log
*** Log file does not exist:
I did attach the following to the Airflow ecs-task-role:
AssumeRolePolicyDocument:
  Statement:
    - Effect: Allow
      Principal:
        Service: ecs-tasks.amazonaws.com
      Action: 'sts:AssumeRole'
If I add this, it works:
Principal:
  Service: ecs-tasks.amazonaws.com
  AWS: arn:aws:sts:::assumed-role/airflow-ecs-task-role/TASK_ID
Can someone help explain why this is? The docs state that I cannot use wildcards, but I do not know the task ID beforehand.
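The following is an added example, not part of the issue above and not Airflow or AWS code: a small offline simulation of how a role trust policy's Principal element is matched against the caller of sts:AssumeRole, covering the three policy shapes discussed in the post (Service principal only, a single assumed-role session ARN, and the role's own IAM ARN). The matching rules it encodes are my reading of the documented IAM behaviour and are an assumption of the example: a Service principal trusts only the AWS service, a session ARN trusts only that exact session id, a role ARN (arn:aws:iam::ACCOUNT:role/NAME) trusts every session of that role, and wildcards inside a principal ARN are rejected (only a bare "*" is accepted). The account id, role name and task/session ids are constructed sample values copied in the shape the post uses; the role_arn(), session_arn(), validate_trust_policy() and assume_role_allowed() helpers are hypothetical names introduced here.

```python
"""Simulate Principal matching for sts:AssumeRole against an IAM role trust policy.

Added example; the matching rules below are an assumption about IAM semantics,
not an AWS or Airflow implementation. Identifiers are constructed samples.
"""
import re

ACCOUNT = "111111111"            # constructed sample account id
ROLE = "airflow-ecs-task-role"   # role name taken from the post

_SESSION_ARN = re.compile(r"^arn:aws:sts::(\d+):assumed-role/([^/]+)/([^/]+)$")


def role_arn(account=ACCOUNT, role=ROLE):
    """IAM ARN of the role itself (not of one of its sessions)."""
    return "arn:aws:iam::%s:role/%s" % (account, role)


def session_arn(session_id, account=ACCOUNT, role=ROLE):
    """STS ARN of one session of the role; for ECS the session id is the task id."""
    return "arn:aws:sts::%s:assumed-role/%s/%s" % (account, role, session_id)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def validate_trust_policy(policy):
    """Return Principal.AWS entries IAM would reject: any '*' other than a bare '*'."""
    bad = []
    for stmt in policy["Statement"]:
        for entry in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if entry != "*" and "*" in entry:
                bad.append(entry)
    return bad


def _aws_entry_matches(entry, caller):
    if entry == "*":
        return True
    if entry == caller:          # exact role ARN or exact session ARN
        return True
    m = _SESSION_ARN.match(caller)
    # Assumption: a role ARN in Principal.AWS trusts every session of that role.
    return bool(m) and entry == role_arn(m.group(1), m.group(2))


def assume_role_allowed(policy, caller, caller_is_service=False):
    """True if some Allow statement for sts:AssumeRole names `caller` as principal."""
    bad = validate_trust_policy(policy)
    if bad:
        raise ValueError("IAM rejects wildcard principals: %s" % bad)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if caller_is_service:
            if caller in _as_list(principal.get("Service", [])):
                return True
        elif any(_aws_entry_matches(e, caller) for e in _as_list(principal.get("AWS", []))):
            return True
    return False


def _policy(principal):
    return {"Statement": [{"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}


# The trust policy from the post: only the ECS service may assume the role.
SERVICE_ONLY = _policy({"Service": "ecs-tasks.amazonaws.com"})
# The post's workaround: one hard-coded session (task) id.
ONE_SESSION = _policy({"Service": "ecs-tasks.amazonaws.com", "AWS": session_arn("TASK_ID")})
# The role's own IAM ARN, which covers every session without knowing the task id.
ROLE_ITSELF = _policy({"Service": "ecs-tasks.amazonaws.com", "AWS": role_arn()})
# What the post would like to write; IAM does not accept it.
WILDCARD = _policy({"Service": "ecs-tasks.amazonaws.com", "AWS": session_arn("*")})


if __name__ == "__main__":
    task = session_arn("cfdjkal342nk432hvbkjl34")   # session id shape taken from the post
    for name, pol in [("service-only", SERVICE_ONLY), ("one-session", ONE_SESSION),
                      ("role-itself", ROLE_ITSELF)]:
        print("%-12s ecs service: %-5s  task session: %s" % (
            name, assume_role_allowed(pol, "ecs-tasks.amazonaws.com", caller_is_service=True),
            assume_role_allowed(pol, task)))
    print("wildcard     rejected entries:", validate_trust_policy(WILDCARD))
```

The simulation only models the trust-policy side of the decision; it does not model identity-based permissions, the other place an AccessDenied on sts:AssumeRole can come from. Note also that a trust policy that names the role's own ARN lets any process holding those task credentials mint fresh sessions of the same role, so it widens nothing beyond what the credentials already grant, but it is worth keeping the role's permission policy as narrow as the log bucket requires.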