Allowing ECS Task to read from Kinesis data stream
Posted: 2021-12-17 20:49:53
Question: I am deploying an application via ECS (FARGATE is the capacity provider). My application needs access to a Kinesis stream (it already exists and is running). I cannot work out the exact IAM assume-role policy I need to supply. I have the following Terraform configuration (tags, log configuration and proprietary names removed). Every time the task is deployed, I get an error saying the task cannot assume the role.
What am I missing?
resource "aws_ecs_cluster" "cluster" {
  name = var.cluster_name
}

resource "aws_ecs_service" "service" {
  name            = var.service_name
  cluster         = aws_ecs_cluster.cluster.id
  task_definition = aws_ecs_task_definition.task.arn
  desired_count   = var.task_count
  launch_type     = var.task_launch_type

  load_balancer {
    target_group_arn = var.alb_target
    container_name   = "container"
    container_port   = 3000
  }

  network_configuration {
    subnets          = [for subnet in var.subnets : subnet]
    assign_public_ip = true
    security_groups  = [var.sg_id]
  }
}

resource "aws_ecs_task_definition" "task" {
  family                   = "task_family"
  container_definitions    = file(var.container_definitions_json)
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  memory                   = 1024
  cpu                      = 512
  # Execution role: used by the ECS agent (image pull, log delivery).
  execution_role_arn       = aws_iam_role.ecsTaskExecutionRole.arn
  # Task role: credentials handed to the application inside the container.
  task_role_arn            = aws_iam_role.ecsTaskRole.arn
}

resource "aws_iam_role" "ecsTaskRole" {
  name               = "ecsTaskRole"
  assume_role_policy = data.aws_iam_policy_document.ecsTaskRole.json
}

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
data "aws_region" "current" {}

# Trust policy for the task role: the principal is the account root (type "AWS").
data "aws_iam_policy_document" "ecsTaskRole" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type = "AWS"
      identifiers = [
        format("arn:%s:iam::%s:root", data.aws_partition.current.partition, data.aws_caller_identity.current.account_id)
      ]
    }
  }
}

resource "aws_iam_role" "ecsTaskExecutionRole" {
  name               = "ecsTaskExecutionRole"
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
}

# Trust policy for the execution role: the ECS tasks service principal.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy" {
  role       = aws_iam_role.ecsTaskExecutionRole.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
Comments on the question:
You can post alternative solutions, but please do not edit the question with the solution. Solutions belong in the answer space below.
Answer 1: Both roles must have a trust policy that allows ecs-tasks.amazonaws.com.
For the task role see this document; for the execution role see this document.
Discussion:
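The following Terraform is an added example, not code from the question or the answer. It shows the fix the answer describes (both roles trusting ecs-tasks.amazonaws.com) and goes one step further than the page: the trust policy is restricted to tasks in this account and region, and the task role receives a read-only Kinesis policy scoped to a single stream. It assumes a variable var.kinesis_stream_arn holding the ARN of the existing stream, and the aws_caller_identity, aws_partition and aws_region data sources declared in the question; the data source and policy names are my own.

```hcl
# Added example, not the original poster's code. Assumes var.kinesis_stream_arn
# (the existing stream's ARN) and the data.aws_caller_identity.current,
# data.aws_partition.current and data.aws_region.current blocks from the question.

# One trust policy for both roles: only the ECS tasks service principal may
# assume them (the question's task role trusted the account root instead).
# The two conditions stop a task in another account or region from being
# used to assume these roles (confused-deputy protection).
data "aws_iam_policy_document" "ecs_tasks_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:${data.aws_partition.current.partition}:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"]
    }
  }
}

# Task role: the credentials the application code inside the container uses.
resource "aws_iam_role" "ecsTaskRole" {
  name               = "ecsTaskRole"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust.json
}

# Execution role: what the ECS agent needs (pull the image, ship logs).
resource "aws_iam_role" "ecsTaskExecutionRole" {
  name               = "ecsTaskExecutionRole"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust.json
}

resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy" {
  role       = aws_iam_role.ecsTaskExecutionRole.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Read-only access to exactly one stream, attached to the task role only.
# No PutRecord*, no wildcard resource: a compromised container can read this
# stream and nothing else, and the execution role never gets Kinesis access.
data "aws_iam_policy_document" "kinesis_read" {
  statement {
    effect = "Allow"
    actions = [
      "kinesis:DescribeStream",
      "kinesis:DescribeStreamSummary",
      "kinesis:ListShards",
      "kinesis:GetShardIterator",
      "kinesis:GetRecords",
    ]
    resources = [var.kinesis_stream_arn]
  }
}

resource "aws_iam_role_policy" "ecsTaskRole_kinesis_read" {
  name   = "kinesis-read"
  role   = aws_iam_role.ecsTaskRole.id
  policy = data.aws_iam_policy_document.kinesis_read.json
}
```

Keeping the stream permissions on the task role and the image/log permissions on the execution role is what makes the split between the two roles worthwhile: the agent never holds data-plane credentials, and the application never holds registry or log-group credentials. If the application consumes the stream through the Kinesis Client Library rather than the raw GetRecords API, the task role additionally needs access to the KCL's DynamoDB lease table and CloudWatch metrics, scoped the same way.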