amazon-web-services - 使用 ecs-cli 时出现 IAM 错误

Question

我正在尝试使用撰写文件为 ECS 创建一个新任务，但即使我的用户具有所需的权限，我也会收到 AccessDeniedException。

$ ecs-cli compose --project-name test create
WARN[0000] Skipping unsupported YAML option for service...  option name=build service name=builder
WARN[0000] Skipping unsupported YAML option for service...  option name=restart service name=db
WARN[0000] Skipping unsupported YAML option for service...  option name=restart service name=dbadmin
WARN[0000] Skipping unsupported YAML option for service...  option name=restart service name=app
ERRO[0001] Error registering task definition             error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
    status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b family=ecscompose-test
ERRO[0001] Create task definition failed                 error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
    status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b
FATA[0001] AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
    status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b 

用户附加了此策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:RegisterTaskDefinition",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

我也尝试附加 AmazonEC2ContainerServiceFullAccess (有 ecs:*)，但没有用。

Answer 1

发现问题，我使用的用户有使用 MFA(多因素身份验证)的策略，但 ecs-cli 不支持该策略。