gpt4 book ai didi

amazon-web-services - 附加到 EC2 实例的 IAM 策略规则是否与附加到在 EC2 中运行的 ECS 任务的策略规则重叠(&覆盖)?

转载 作者:行者123 更新时间:2023-12-03 07:46:57 31 4
gpt4 key购买 nike

以下是 EC2 实例所承担的角色:

"AScaleLaunchConfig": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Properties":{
…..
"IamInstanceProfile": { "Ref": "EC2InstProfl” },
…..
}
}


"EC2InstProfl": {
"Type": "AWS::IAM::InstanceProfile",
"Properties":{
"Path": "/",
"Roles": [ { "Ref": "EC2InstRole" } ]
}
}


"EC2InstRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": [ "ec2.amazonaws.com" ] },
"Action": [ "sts:AssumeRole" ]
}
]
},
"Path": "/",
"ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role" ],
}
}

下面是分配给在该 EC2 实例中运行的任务(docker 容器)的 SomeTaskRole:

"EcsTaskDef": {
"Type": "AWS::ECS::TaskDefinition",
"Properties":{
"NetworkMode": "host",
"TaskRoleArn": "arn:aws:iam::xxxxxxxxx:role/SomeTaskRole",
"ContainerDefinitions": [
{
"Name": “someapp",
"Image": “someaccout/someimage:test",

}
]
}
}

其中 SomeTaskRole 是:

{
"Version": "2012-10-17",
"Statement": [
{
"Description": “Allow access to all EC2/ELB/cloudformation/s3 and aim passrole",
…..
"Resource": "*"
},
{
"Description": “Assume iam User role“,
…..
"Effect": "Allow"
},
{
"Description": “Assume xyz role across all accouts“,
…..
"Effect": "Allow"
},
{
"Description": “Allow * access to all resource across n regions",
….
},
{
"Description": “Deny delete permission on network related resources like Subnets/Route/VPC/VPN/IGW etc…*,
….
},
{
"Description": “There are many such rules",
….
}

]
}

如果将 EC2InstRole 分配给 EC2 实例,则 Cloudformation 堆栈将成功启动。

如果将 SomeTaskRole 分配给 EcsTaskDef 并且 EC2InstRole 分配给 EC2 实例,则 Cloudformation 堆栈启动将进行挂起几个小时并出错。尚未找到确切的错误。如果我删除 "TaskRoleArn": "arn:aws:iam::xxxxxxxxx:role/SomeTaskRole" 则 CloudFormation 堆栈会成功启动。


1)

AWS IAM 服务是否允许两者?

将角色分配给 ECS 任务

将角色分配给 EC2 实例?

2)

如果是,EC2 角色中给出的规则是否与 ECS 任务角色中给出的规则重叠(并覆盖)?

最佳答案

ECS 任务仅获取分配给该任务的角色/权限。它没有从主机获得任何权限。

当您看到 CloudFormation 像这样“挂起”时,可能是因为任务从未达到稳定状态。排除故障的最简单方法是查看 ECS 中失败的任务。为此,请打开 ECS 集群,选择任务选项卡并显示已停止的任务。打开其中一个,查看底部折叠的信息。那里通常有一些非常有用的信息。

关于amazon-web-services - 附加到 EC2 实例的 IAM 策略规则是否与附加到在 EC2 中运行的 ECS 任务的策略规则重叠(&覆盖)?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60102943/

31 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com