使用ecs-cli时出现IAM错误

Question

我正在尝试使用compose文件为ECS创建一个新任务,但即使我的用户具有所需权限,我也会收到AccessDeniedException.

$ ecs-cli compose --project-name test create
WARN[0000] Skipping unsupported YAML option for service...  option name=build service name=builder
WARN[0000] Skipping unsupported YAML option for service...  option name=restart service name=db
WARN[0000] Skipping unsupported YAML option for service...  option name=restart service name=dbadmin
WARN[0000] Skipping unsupported YAML option for service...  option name=restart service name=app
ERRO[0001] Error registering task definition             error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
    status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b family=ecscompose-test
ERRO[0001] Create task definition failed                 error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
    status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b
FATA[0001] AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
    status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b 

用户已附加此政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:RegisterTaskDefinition",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

我也尝试附加AmazonEC2ContainerServiceFullAccess(有ecs:*),但没有用.

Answer 1

发现问题，我使用的用户有一个使用 MFA（多重身份验证）的策略，但 ecs-cli 不支持该策略。