无法担任角色并验证指定的 targetGroupArn

Posted

技术标签:

【中文标题】无法担任角色并验证指定的 targetGroupArn【英文标题】:Unable to assume role and validate the specified targetGroupArn 【发布时间】:2019-11-06 14:10:09 【问题描述】:

我想使用 terraform ecs_service 创建和部署一个集群,但我无法这样做。我的terraform applys 总是在 IAM 角色上失败,我不太清楚。具体来说,错误信息是:

InvalidParametersException:无法承担角色并验证指定的 targetGroupArn。请验证所传递的 ECS 服务角色是否具有适当的权限。

我发现:

    当我在 ecs_service 中指定 iam_role 时,ECS 抱怨我需要使用服务相关角色。 当我在 ecs_service 中评论 iam_role 时,ECS 抱怨代入角色无法验证 targetGroupArn。

我的 terraform 跨越了一堆文件。我把感觉像是相关部分的内容拉到了下面。虽然我已经看到了一些类似的问题,但对我来说,没有一个提供解决上述困境的可行解决方案。

## ALB

resource "aws_alb" "frankly_internal_alb" 
    name = "frankly-internal-alb"
    internal = false
    security_groups = ["$aws_security_group.frankly_internal_alb_sg.id"]
    subnets = ["$aws_subnet.frankly_public_subnet_a.id", "$aws_subnet.frankly_public_subnet_b.id"]


resource "aws_alb_listener" "frankly_alb_listener" 
    load_balancer_arn = "$aws_alb.frankly_internal_alb.arn"

    port = "8080"
    protocol = "HTTP"

    default_action 
        target_group_arn = "$aws_alb_target_group.frankly_internal_target_group.arn"
        type = "forward"
    


## Target Group

resource "aws_alb_target_group" "frankly_internal_target_group" 
    name = "internal-target-group"
    port = 8080
    protocol = "HTTP"
    vpc_id = "$aws_vpc.frankly_vpc.id"

    health_check 
        healthy_threshold = 5
        unhealthy_threshold = 2
        timeout = 5
    


## IAM

resource "aws_iam_role" "frankly_ec2_role" 
  name               = "franklyec2role"
  assume_role_policy = <<EOF

  "Version": "2012-10-17",
  "Statement": [
    
      "Action": "sts:AssumeRole",
      "Principal": 
        "Service": "ec2.amazonaws.com"
      ,
      "Effect": "Allow",
      "Sid": ""
    
  ]

EOF


resource "aws_iam_role" "frankly_ecs_role" 
  name = "frankly_ecs_role"

  assume_role_policy = <<EOF

  "Version": "2012-10-17",
  "Statement": [
    
      "Action": "sts:AssumeRole",
      "Principal": 
        "Service": "ecs.amazonaws.com"
      ,
      "Effect": "Allow",
      "Sid": ""
    
  ]

EOF


# aggresively add permissions...
resource "aws_iam_policy" "frankly_ecs_policy" 
  name        = "frankly_ecs_policy"
  description = "A test policy"

  policy = <<EOF

  "Version": "2012-10-17",
  "Statement": [
    
      "Action": [
        "ec2:*",
        "ecs:*",
        "ecr:*",
        "autoscaling:*",
        "elasticloadbalancing:*",
        "application-autoscaling:*",
        "logs:*",
        "tag:*",
        "resource-groups:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    
  ]

EOF


resource "aws_iam_role_policy_attachment" "frankly_ecs_attach" 
  role       = "$aws_iam_role.frankly_ecs_role.name"
  policy_arn = "$aws_iam_policy.frankly_ecs_policy.arn"


## ECS

resource "aws_ecs_cluster" "frankly_ec2" 
    name = "frankly_ec2_cluster"


resource "aws_ecs_task_definition" "frankly_ecs_task" 
  family                = "service"
  container_definitions = "$file("terraform/task-definitions/search.json")"

  volume 
    name      = "service-storage"

    docker_volume_configuration 
      scope         = "shared"
      autoprovision = true
    
  

  placement_constraints 
    type       = "memberOf"
    expression = "attribute:ecs.availability-zone in [us-east-1]"
  


resource "aws_ecs_service" "frankly_ecs_service" 
  name            = "frankly_ecs_service"
  cluster         = "$aws_ecs_cluster.frankly_ec2.id"
  task_definition = "$aws_ecs_task_definition.frankly_ecs_task.arn"
  desired_count   = 2
  iam_role        = "$aws_iam_role.frankly_ecs_role.arn"
  depends_on      = ["aws_iam_role.frankly_ecs_role", "aws_alb.frankly_internal_alb", "aws_alb_target_group.frankly_internal_target_group"]

  # network_configuration = 
  #   subnets = ["$aws_subnet.frankly_private_subnet_a.id", "$aws_subnet.frankly_private_subnet_b"]
  #   security_groups = ["$aws_security_group.frankly_internal_alb_sg", "$aws_security_group.frankly_service_sg"]
  #   # assign_public_ip = true
  # 

  ordered_placement_strategy 
    type  = "binpack"
    field = "cpu"
  

  load_balancer 
    target_group_arn = "$aws_alb_target_group.frankly_internal_target_group.arn"
    container_name   = "search-svc"
    container_port   = 8080
  

  placement_constraints 
    type       = "memberOf"
    expression = "attribute:ecs.availability-zone in [us-east-1]"

【问题讨论】:

您能否编辑您的问题以显示有关apply 错误的更多上下文?是aws_ecs_service 资源抛出的吗?能否也展示一下 ECS 集群实例的 Terraform 代码? 我遇到了这个精确的问题。运行terraform destroy 然后重新申请不起作用。 【参考方案1】:

我看到了相同的错误消息,但我做错了其他事情:

我已经指定了负载均衡器的 ARN,而没有指定了负载均衡器的 target_group ARN。

【讨论】:

你救了我的命! 你也拯救了我的一天! 但是,在资源“aws_ecs_service”“frankly_ecs_service”中,负载均衡器部分具有正确的目标组 ARN:“$aws_alb_target_group.frankly_internal_target_group.arn” @MiguelConde 是的,我认为这是一个糟糕的错误消息。我当然不会说这是您收到此消息的唯一原因。看来您可能出于其他原因而击中它。 在我的情况下是因为我忘记添加 aws_iam_role_policy_attachment 资源【参考方案2】:

对我来说,问题在于我忘记将正确的策略附加到服务角色。附加此 AWS 托管策略有助于:arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole

【讨论】:

【参考方案3】:

通过销毁我的堆栈并重新部署来解决。

【讨论】:

【参考方案4】:

对我来说,我使用的是上一个命令的输出。但输出为空,因此目标组 arn 在创建服务调用中为空。

【讨论】:

以上是关于无法担任角色并验证指定的 targetGroupArn的主要内容,如果未能解决你的问题,请参考以下文章

AWS Elastic Beanstalk 无法担任角色

AWS GraphQL Appsync - 无法担任角色

在 Laravel 中验证用户角色并保护路由

使用 Spring Cloud AWS 自动配置担任角色

从 Cognito 组担任 IAM 角色

Terraform 无法承担启用 MFA 的角色