允许 ECS 任务从 Kinesis 数据流中读取

Posted

技术标签:

【中文标题】允许 ECS 任务从 Kinesis 数据流中读取【英文标题】:Allowing ECS Task to read from Kinesis data stream 【发布时间】:2021-12-17 20:49:53 【问题描述】:

我正在通过 ECS 部署应用程序(FARGATE 是容量提供者)。我的应用程序需要访问 Kinesis 流(已经存在并正在运行)。我无法弄清楚我需要提供的确切 IAM 假设政策。我在 Terraform 中有以下配置(删除了标签、日志配置和专有名称)。每次部署任务时,我都会收到任务无法承担角色的错误。

我错过了什么?

resource "aws_ecs_cluster" "cluster" 
  name = var.cluster_name

resource "aws_ecs_service" "service" 
  name            = var.service_name
  cluster         = aws_ecs_cluster.cluster.id
  task_definition = aws_ecs_task_definition.task.arn
  desired_count   = var.task_count
  launch_type     = var.task_launch_type

  load_balancer 
    target_group_arn = var.alb_target
    container_name   = "container"
    container_port   = 3000
  

  network_configuration 
    subnets          = [for subnet in var.subnets : "$subnet"]
    assign_public_ip = true
    security_groups  = [var.sg_id]
  

resource "aws_ecs_task_definition" "task" 
  family = "task_family"

  container_definitions = file( var.container_definitions_json )

  requires_compatibilities    = ["FARGATE"]
  network_mode                = "awsvpc"
  memory                      = 1024
  cpu                         = 512

  execution_role_arn          = "$aws_iam_role.ecsTaskExecutionRole.arn"

  task_role_arn               = "$aws_iam_role.ecsTaskRole.arn"


resource "aws_iam_role" "ecsTaskRole" 
  name = "ecsTaskRole"
  assume_role_policy = "$data.aws_iam_policy_document.ecsTaskRole.json"
  


data "aws_caller_identity" "current" 

data "aws_partition" "current" 

data "aws_region" "current" 

data "aws_iam_policy_document" "ecsTaskRole" 
  statement 
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals 
      type = "AWS"
      identifiers = [
        format("arn:%s:iam::%s:root", data.aws_partition.current.partition, data.aws_caller_identity.current.account_id)
      ]
    
  

resource "aws_iam_role" "ecsTaskExecutionRole" 
  name               = "ecsTaskExecutionRole"
  assume_role_policy = "$data.aws_iam_policy_document.assume_role_policy.json"


data "aws_iam_policy_document" "assume_role_policy" 
  statement 
    actions = ["sts:AssumeRole"]

    principals 
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    
  


resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy" 
  role       = "$aws_iam_role.ecsTaskExecutionRole.name"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"

【问题讨论】:

您可以发布替代解决方案,但请不要使用解决方案编辑问题。解决方案在下面的答案空间中 【参考方案1】:

两个角色都必须具有允许ecs-tasks.amazonaws.com 的信任策略。

任务角色请参见this document,执行角色请参见this document。

【讨论】:

以上是关于允许 ECS 任务从 Kinesis 数据流中读取的主要内容,如果未能解决你的问题,请参考以下文章

如何允许ECS任务访问RDS

使用多个分片重新读取的 AWS Kinesis 数据顺序

将数据从 MySQL 二进制日志流式传输到 Kinesis

自动扩展 ECS 集群到/从零个实例

如何从 ECS 容器中获取任务 ID?

读取 Amazon Kinesis Firehose 流写入 s3 的数据