mic*_*_65 7 amazon-web-services amazon-iam docker boto3
我试图使用AWS ECS在docker容器内运行boto3 python脚本.我的脚本需要访问SQS(获取和删除消息)和Lambda(搜索和运行的权限).
为了让docker容器在我的本地机器上运行,我能够使用以下docker run命令将我的aws凭据传递到docker容器中.
docker run -v ~/.aws:/root/.aws
最近ECS宣布:
Amazon ECS now supports IAM roles for tasks. When you specify an IAM role for a task, its containers can then use the latest versions of the AWS CLI or SDKs to make API requests to authorized AWS services. Learn More
我将任务IAM角色附加到任务,但在运行任务时,我收到以下错误:
Unable to run task
ECS was unable to assume the role that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.
任何想法,将不胜感激.
lou*_*ola 15
看起来Boto现在支持IAM任务角色,但无论如何,当Boto客户端尝试发出请求时,这将是一个问题,而不是在尝试启动任务时.
此处的问题在错误消息中定义.或者:
1)您的用户没有为任务角色定义的iam:PassRole权限.这可以通过编辑用户的策略来添加,使其具有类似于以下内容的语句:
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::<account>:role/<role name>"
}
2)您尝试分配给任务的任务角色没有正确的信任关系.将以下信任策略添加到ECS任务角色,以确保该任务可以承担它.
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
| 归档时间: |
|
| 查看次数: |
4687 次 |
| 最近记录: |