Yu *_*hen 11 amazon-web-services amazon-ecs aws-lambda terraform
Long story short, I don't want to hard-code the ECS task definition revision number of my task into my lambda source code. Every time I have an updated task definition, I basically have to go through the trouble of updating my source code. In the boto3 documentation for ECS run_task(), it explicitly states:
taskDefinition (string) -- [REQUIRED]
The family and revision (family:revision) or full ARN of the task definition to run. If a revision is not specified, the latest ACTIVE revision is used.
However, I found that if I define the taskDefinition parameter in client.run_task() without a specific revision number, I get a permission error:
An error occurred (AccessDeniedException) when calling the RunTask operation: User: arn:aws:sts::MY_ACCOUNT_ID:assumed-role/my-lambda-role/trigger-ecs-task is not authorized to perform: ecs:RunTask on resource: arn:aws:ecs:MY_REGION:MY_ACCOUNT_ID:task-definition/an-important-task
If I switch the definition to an-important-task:LATEST or an-important-task:*, I get a different error:
...is not authorized to perform: ecs:RunTask on resource: *
This is strange, because it looks like the opposite of what the documentation says - when I include a revision number, say an-important-task:5, the lambda fires perfectly. In my lambda function I simply call my ECS task:
import boto3

def lambda_handler(event, context):
    client = boto3.client('ecs')
    print("Running task.")
    response = client.run_task(
        cluster='my-cluster',
        launchType='FARGATE',
        taskDefinition='an-important-task',  # <-- notice no revision number
        count=1,
        platformVersion='LATEST',
        networkConfiguration={
            'awsvpcConfiguration': {
                'subnets': [
                    'subnet-1',
                    'subnet-2'
                ],
                'assignPublicIp': 'DISABLED'
            }
        })
    print("Finished invoking task.")
In my Terraform definition, I have attached the necessary policy to my role:
resource "aws_lambda_function" "trigger-ecs-task" {
  function_name = "trigger-ecs-task"
  handler       = "my-lambda-function.lambda_handler"
  role          = "${aws_iam_role.lambda.arn}"
  runtime       = "python3.6"
  # other stuff related to how I store my source code for the lambda
}
My role definition, with the permission to run ECS tasks attached:
resource "aws_iam_role" "lambda" {
  name               = "my-lambda-ecs-role"
  assume_role_policy = "${data.aws_iam_policy_document.lambda-assume-role.json}"
}

data "aws_iam_policy_document" "lambda-assume-role" {
  statement {
    actions = [
      "sts:AssumeRole"]
    principals {
      type = "Service"
      identifiers = [
        "lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "run-ecs-policy" {
  name   = "run-ecs-task-policy"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ecs:RunTask",
      "Resource": "arn:aws:ecs:MY_REGION:MY_ACCOUNT_ID:task-definition/an-important-task:*"
    },
    {
      "Sid": "Stmt1512361993201",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::************:role/${data.aws_iam_role.ecs-task-execution-role.name}"
      ]
    }
  ]
}
EOF
}
I attach the policy as follows:
resource "aws_iam_role_policy_attachment" "service-role-attach" {
  role       = "${aws_iam_role.lambda.name}"
  policy_arn = "${aws_iam_policy.run-ecs-policy.arn}"
}
Why does AWS refuse to run my task if I don't specify a particular revision? In my policy definition I explicitly allow runTask on all revisions of the resource:
arn:aws:ecs:MY_REGION:MY_ACCOUNT_ID:task-definition/an-important-task:*
I was able to replicate your behaviour and resolved the issue with the following Resource in the IAM policy.
{
  "Sid": "VisualEditor1",
  "Effect": "Allow",
  "Action": "ecs:RunTask",
  "Resource": "arn:aws:ecs:MY_REGION:MY_ACCOUNT_ID:task-definition/an-important-task"
}
If you intend to provide a revision, then the resource should have :* in it, or it has to match the taskDefinition.
Let me know how it goes for you!!!
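Added example, not code from the question or the answer: a small pure-Python model of how IAM matches a Resource pattern against the ARN a RunTask request is authorised on. It assumes the MY_REGION / MY_ACCOUNT_ID placeholders and the an-important-task family from the question, and shows why a Resource ending in :* never matches the bare family ARN, why the bare family ARN never matches a revision, and why listing both ARNs is tighter than a trailing * without the colon.

```python
import re

# Placeholders taken from the question, not real values.
REGION = "MY_REGION"
ACCOUNT = "MY_ACCOUNT_ID"
FAMILY_ARN = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/an-important-task"


def iam_resource_matches(pattern: str, resource_arn: str) -> bool:
    """IAM Resource matching: '*' matches any run of characters (':' and '/'
    included), '?' matches one character, everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, resource_arn) is not None


def task_definition_arn(task_definition: str) -> str:
    """ARN the RunTask request is authorised against. A bare family name
    (the unrevisioned call from the question) yields the family ARN with
    no ':<revision>'; 'family:rev' keeps the revision; full ARNs pass through."""
    if task_definition.startswith("arn:"):
        return task_definition
    return f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/{task_definition}"


def statement_allows(statement: dict, task_definition: str) -> bool:
    """True if any Resource pattern of this Allow statement matches the request."""
    resources = statement["Resource"]
    if isinstance(resources, str):
        resources = [resources]
    arn = task_definition_arn(task_definition)
    return any(iam_resource_matches(p, arn) for p in resources)


# The statement from the question: only revisioned ARNs can match ':*'.
ORIGINAL = {"Effect": "Allow", "Action": "ecs:RunTask",
            "Resource": FAMILY_ARN + ":*"}

# Least-privilege statement covering both call styles, without a bare trailing
# '*' (which would also match e.g. 'an-important-task-other').
FIXED = {"Effect": "Allow", "Action": "ecs:RunTask",
         "Resource": [FAMILY_ARN, FAMILY_ARN + ":*"]}

if __name__ == "__main__":
    for td in ("an-important-task", "an-important-task:5"):
        print(f"{td:22} original={statement_allows(ORIGINAL, td)} "
              f"fixed={statement_allows(FIXED, td)}")
```

The model covers only the string matching of the Resource element; the "on resource: *" error the question sees for an-important-task:LATEST comes from ECS rejecting the revision before IAM evaluation and is not reproduced here.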
Views: 5633