
ECS cannot create service because it is unable to assume the role

I'm running into the following error when trying to create an ECS service (Fargate) with CloudFormation:

Invalid request provided: CreateService error: Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions. (Service: Ecs, Status Code: 400, Request ID: 32dc55bc-3b69-46dd-bf95-f3fff77c2508, Extended Request ID: null)

Things tried / related:

  1. Updated the role to include administrator access (troubleshooting only).
  2. Allowed multiple services (ecs, elb, ec2, cloudformation) to assume the role (initially only ecs-tasks).
  3. Successfully created the ECS service in the web console (same configuration). (But CloudFormation doesn't work.)
  4. The ECS role hasn't been updated; the last successful ECS service creation was on 2020-11-21 (w/ CloudFormation).

Below are the ECS role and the CloudTrail event for the error above. Has anyone run into something similar, or know what's going on?

Edit 1: ECS template included. The IAM role and the ECS service belong to different root stacks, so the DependsOn attribute can't be used. We have CI/CD that ensures the IAM stack is updated before the ECS stack.

ECS task role in use:

  EcsTaskRole:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AdministratorAccess'
        - 'arn:aws:iam::aws:policy/AmazonSQSFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/AmazonSNSFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonRDSFullAccess'
        - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
        - 'arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/AWSXrayFullAccess'
        - 'arn:aws:iam::aws:policy/AWSBatchFullAccess'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
                - ecs.amazonaws.com
                - cloudformation.amazonaws.com
                - elasticloadbalancing.amazonaws.com
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
Outputs:
  EcsTaskRoleArn:
    Description: EcsTaskRoleArn
    Value: !GetAtt EcsTaskRole.Arn
    Export:
      Name: !Sub "${AWS::StackName}-EcsTaskRoleArn"

Event from CloudTrail (some details masked):

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "********",
    "arn": "arn:aws:iam::*****:user/****",
    "accountId": "*********",
    "accessKeyId": "********",
    "userName": "********",
    "sessionContext": {
      "sessionIssuer": {},
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2021-01-01T20:48:02Z"
      }
    },
    "invokedBy": "cloudformation.amazonaws.com"
  },
  "eventTime": "2021-01-01T20:48:14Z",
  "eventSource": "ecs.amazonaws.com",
  "eventName": "CreateService",
  "awsRegion": "ap-east-1",
  "sourceIPAddress": "cloudformation.amazonaws.com",
  "userAgent": "cloudformation.amazonaws.com",
  "errorCode": "InvalidParameterException",
  "errorMessage": "Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions.",
  "requestParameters": {
    "clientToken": "75e4c412-a82c-b01a-1909-cfdbe788f1f1",
    "cluster": "********",
    "desiredCount": 1,
    "enableECSManagedTags": true,
    "enableExecuteCommand": false,
    "healthCheckGracePeriodSeconds": 300,
    "launchType": "FARGATE",
    "loadBalancers": [
      {
        "targetGroupArn": "arn:aws:elasticloadbalancing:ap-east-1:********:listener-rule/app/********/e6a62b4cc4d13aaa/098a6759b6062f3f/f374eba8a4fb66e5",
        "containerName": "********",
        "containerPort": 8080
      }
    ],
    "networkConfiguration": {
      "awsvpcConfiguration": {
        "assignPublicIp": "ENABLED",
        "securityGroups": ["sg-025cd908f664b25fe"],
        "subnets": ["subnet-067502309b0359486", "subnet-018893d9e397ecac5", "subnet-0bfb736aefb90f05a"]
      }
    },
    "propagateTags": "SERVICE",
    "serviceName": "********",
    "taskDefinition": "arn:aws:ecs:ap-east-1:********:task-definition/********"
  },
  "responseElements": null,
  "requestID": "32dc55bc-3b69-46dd-bf95-f3fff77c2508",
  "eventID": "3f872d94-72a7-4ced-96a6-028a6ceeacba",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "eventCategory": "Management",
  "recipientAccountId": "904822583864"
}

ECS service CloudFormation template:


  MyServiceLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: my-service-log
      RetentionInDays: 365
  MyServiceTargetGroup:
    Type: 'AWS::ElasticLoadBalancingV2::TargetGroup'
    Properties:
      HealthCheckPath: /my-service/health
      HealthCheckIntervalSeconds: 300
      HealthCheckTimeoutSeconds: 10
      Name: my-service-target-group
      TargetType: ip
      Port: 8080
      Protocol: HTTP
      VpcId: !Ref VpcId
  MyServiceListenerRule:
    Type: 'AWS::ElasticLoadBalancingV2::ListenerRule'
    Properties:
      Actions:
        - Type: forward
          TargetGroupArn: !Ref MyServiceTargetGroup
      Conditions:
        - Field: path-pattern
          Values:
            - /my-service/*
      ListenerArn: !Ref AppAlbListenerArn
      Priority: 164
  MyServicetaskdef:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      ContainerDefinitions:
        - Name: my-service-container
          Image: !Join
            - ''
            - - !Ref 'AWS::AccountId'
              - .dkr.ecr.
              - !Ref 'AWS::Region'
              - .amazonaws.com/
              - 'Fn::ImportValue': !Sub '${RepositoryStackName}-MyServiceECR'
              - ':'
              - !Ref MyServiceVersion
          Essential: true
          PortMappings:
            - ContainerPort: 8080
              Protocol: tcp
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref MyServiceLogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: my-service
      RequiresCompatibilities:
        - FARGATE
      Cpu: 256
      Memory: 512
      Family: my-service-taskdef
      NetworkMode: awsvpc
      ExecutionRoleArn:
        'Fn::ImportValue': !Sub '${IamStackName}-EcsTaskRoleArn'
      TaskRoleArn:
        'Fn::ImportValue': !Sub '${IamStackName}-EcsTaskRoleArn'
      Volumes: []
  MyServiceECS:
    Type: 'AWS::ECS::Service'
    Properties:
      DesiredCount: 1
      Cluster: !Ref EcsCluster
      TaskDefinition: !Ref MyServicetaskdef
      LaunchType: FARGATE
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups:
            - !Ref SecurityGroupecs
          Subnets:
            - !Ref Dmzsubnet1
            - !Ref Dmzsubnet2
            - !Ref Dmzsubnet3
      LoadBalancers:
        - ContainerName: my-service-container
          ContainerPort: '8080'
          TargetGroupArn: !Ref MyServiceListenerRule
      EnableECSManagedTags: true
      PropagateTags: SERVICE
      HealthCheckGracePeriodSeconds: 300
    DependsOn:
      - MyServiceListenerRule

Solution

Use the DependsOn attribute to declare that the AWS::ECS::Service resource depends on the AWS::IAM::Policy.


There are errors in your template. The first obvious one is:

TargetGroupArn: !Ref MyServiceListenerRule

This should be:

TargetGroupArn: !Ref MyServiceTargetGroup

A large part of the template is missing (ALB definition, listener), so I can't comment on the rest.

Additionally:

The IAM role is fine, in the sense that it isn't the source of the problem. However, granting full permissions for multiple services in one role is not good practice.
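Both points raised in this thread, the `!Ref` that hands the listener rule ARN to `TargetGroupArn` instead of the target group, and the single role trusted by five services and carrying AdministratorAccess, can be caught before a deploy ever reaches CreateService. The script below is an added example and not code from the question or either answer. It embeds a constructed, trimmed copy of the question's two fragments in CloudFormation's JSON long form (`!Ref` becomes `{"Ref": ...}`) so it runs on the standard library alone; the thresholds it enforces (one trusted service principal per role, no AdministratorAccess or *FullAccess managed policy) are this script's own policy rather than an AWS rule, and the scoped SQS statement in the corrected copy is a placeholder for whatever the service actually needs. Cross-stack `Fn::ImportValue` references, like the role ARN in the question, cannot be resolved statically and are skipped.

```python
import copy
import json
import sys

TARGET_GROUP_TYPE = "AWS::ElasticLoadBalancingV2::TargetGroup"


def check_template(template):
    """Return a list of findings for a parsed CloudFormation template.

    Check 1: an AWS::ECS::Service LoadBalancers[].TargetGroupArn given as an
             in-template Ref must point at a target group (the question's
             template pointed it at the listener rule instead).
    Check 2: an AWS::IAM::Role trusts at most one service principal and
             carries no AdministratorAccess / *FullAccess managed policy.
             These thresholds are this script's own policy, not an AWS rule.
    Fn::ImportValue targets cannot be resolved here and are skipped.
    """
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::ECS::Service":
            for lb in props.get("LoadBalancers", []):
                target = lb.get("TargetGroupArn")
                if isinstance(target, dict) and "Ref" in target:
                    referenced = resources.get(target["Ref"], {}).get("Type")
                    if referenced != TARGET_GROUP_TYPE:
                        findings.append(f"{name}: TargetGroupArn refs {target['Ref']} "
                                        f"({referenced}), expected {TARGET_GROUP_TYPE}")
        elif rtype == "AWS::IAM::Role":
            services = set()
            for stmt in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
                svc = stmt.get("Principal", {}).get("Service", [])
                services.update([svc] if isinstance(svc, str) else svc)
            if len(services) > 1:
                findings.append(f"{name}: trusted by {len(services)} service principals {sorted(services)}")
            for arn in props.get("ManagedPolicyArns", []):
                if isinstance(arn, str) and arn.endswith(("AdministratorAccess", "FullAccess")):
                    findings.append(f"{name}: broad managed policy {arn.rsplit('/', 1)[-1]}")
    return findings


# Constructed, trimmed copy of the question's two fragments in JSON long form.
BROAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Principal": {"Service": ["ecs-tasks.amazonaws.com", "ecs.amazonaws.com",
                              "cloudformation.amazonaws.com",
                              "elasticloadbalancing.amazonaws.com", "ec2.amazonaws.com"]}}]}
AS_POSTED = {"Resources": {
    "EcsTaskRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": BROAD_TRUST,
        "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/AdministratorAccess",
            "arn:aws:iam::aws:policy/AmazonS3FullAccess",
            "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]}},
    "MyServiceTargetGroup": {"Type": TARGET_GROUP_TYPE, "Properties": {
        "Port": 8080, "Protocol": "HTTP", "TargetType": "ip"}},
    "MyServiceListenerRule": {"Type": "AWS::ElasticLoadBalancingV2::ListenerRule", "Properties": {
        "Actions": [{"Type": "forward", "TargetGroupArn": {"Ref": "MyServiceTargetGroup"}}]}},
    "MyServiceECS": {"Type": "AWS::ECS::Service", "Properties": {
        "LaunchType": "FARGATE",
        "LoadBalancers": [{"ContainerName": "my-service-container", "ContainerPort": 8080,
                           "TargetGroupArn": {"Ref": "MyServiceListenerRule"}}]}},
}}

# Corrected copy: Ref the target group, and split the do-everything role into an
# execution role and a task role that each trust only ecs-tasks. The SQS queue
# name is a placeholder (assumption) for whatever the service really needs.
ECS_TASKS_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ecs-tasks.amazonaws.com"}}]}
FIXED = copy.deepcopy(AS_POSTED)
FIXED["Resources"]["MyServiceECS"]["Properties"]["LoadBalancers"][0]["TargetGroupArn"] = {
    "Ref": "MyServiceTargetGroup"}
FIXED["Resources"]["EcsTaskExecutionRole"] = {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": ECS_TASKS_TRUST,
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]}}
FIXED["Resources"]["EcsTaskRole"] = {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": ECS_TASKS_TRUST,
    "Policies": [{"PolicyName": "my-service-queue", "PolicyDocument": {
        "Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
            "Resource": {"Fn::Sub": "arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:my-service-queue"}}]}}]}}

if __name__ == "__main__":
    # Usage: python ecs_template_check.py [template.json ...]
    # With no arguments it checks the two embedded copies.
    targets = {} if sys.argv[1:] else {"as posted": AS_POSTED, "fixed": FIXED}
    for path in sys.argv[1:]:
        with open(path) as fh:
            targets[path] = json.load(fh)
    for label, tpl in targets.items():
        findings = check_template(tpl)
        print(label, "OK" if not findings else f"{len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

On the question's template the check reports four findings: the five-principal trust policy, the two broad managed policies, and the `TargetGroupArn` that resolves to a `AWS::ElasticLoadBalancingV2::ListenerRule`; the corrected copy reports none. In the corrected layout the task definition's `ExecutionRoleArn` and `TaskRoleArn` should then point at the execution role and the task role respectively, rather than importing the same role for both as the question's template does.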
