无法通过 CloudFormation 创建 ECS 服务
Cannot create ECS Service via CloudFormation
我创建了以下 CloudFormation 模板文件来创建 ECS 集群和 TaskDefinition、Service,但出现错误。
这些设置有什么问题?
- 使用以下模板创建ECS服务时,得到
Please verify that the ECS service role being passed has the proper permissions
- 创建没有 属性
Role: !ImportValue "IAMRoleECSService" 的模板时,不会发生错误,但不会从 CREATE_IN_PROGRESS 完成
ECSApplicationService:
Type: "AWS::ECS::Service"
DependsOn:
- "ECSApplicationCluster"
- "ECSApplicationTaskDefinition"
Properties:
Cluster: !Ref "ECSApplicationCluster"
DeploymentConfiguration:
MaximumPercent: 100
MinimumHealthyPercent: 50
DesiredCount: 4
LoadBalancers:
- ContainerName: !Ref "ContainerAppName"
ContainerPort: 80
TargetGroupArn: !ImportValue "ALBTargetGroup"
Role: !ImportValue "IAMRoleECSService"
ServiceName: "ecs-application-service"
TaskDefinition: !Ref "ECSApplicationTaskDefinition"
IAMRoleECSService:
Type: "AWS::IAM::Role"
Properties:
RoleName: "ecs-service"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "ecs.amazonaws.com"
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: "ec2-management"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "ec2:AuthorizeSecurityGroupIngress"
- "ec2:Describe*"
Resource: "*"
- PolicyName: "alb-management"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
- "elasticloadbalancing:DeregisterTargets"
- "elasticloadbalancing:DescribeTargetGroups"
- "elasticloadbalancing:DescribeTargetHealth"
- "elasticloadbalancing:Describe*"
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
- "elasticloadbalancing:RegisterTargets"
Resource: "*"
我该怎么办?
更新:
自 2018 年 7 月 19 日起,现在可以使用 CloudFormation https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html.
创建 IAM 服务相关角色
EcsServiceLinkedRole:
Type: "AWS::IAM::ServiceLinkedRole"
Properties:
AWSServiceName: "ecs.amazonaws.com"
Description: "Role to enable Amazon ECS to manage your cluster."
旧答案:
ECS 现在依赖 Service-Linked Roles 而不是普通角色。确保您已使用以下方式为帐户创建它:
aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
然后从您的 IAMRoleECSService 中删除 Role 参数,因为它不再需要了。
我创建了以下 CloudFormation 模板文件来创建 ECS 集群和 TaskDefinition、Service,但出现错误。 这些设置有什么问题?
- 使用以下模板创建ECS服务时,得到
Please verify that the ECS service role being passed has the proper permissions - 创建没有 属性
Role: !ImportValue "IAMRoleECSService"的模板时,不会发生错误,但不会从CREATE_IN_PROGRESS 完成
ECSApplicationService:
Type: "AWS::ECS::Service"
DependsOn:
- "ECSApplicationCluster"
- "ECSApplicationTaskDefinition"
Properties:
Cluster: !Ref "ECSApplicationCluster"
DeploymentConfiguration:
MaximumPercent: 100
MinimumHealthyPercent: 50
DesiredCount: 4
LoadBalancers:
- ContainerName: !Ref "ContainerAppName"
ContainerPort: 80
TargetGroupArn: !ImportValue "ALBTargetGroup"
Role: !ImportValue "IAMRoleECSService"
ServiceName: "ecs-application-service"
TaskDefinition: !Ref "ECSApplicationTaskDefinition"
IAMRoleECSService:
Type: "AWS::IAM::Role"
Properties:
RoleName: "ecs-service"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "ecs.amazonaws.com"
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: "ec2-management"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "ec2:AuthorizeSecurityGroupIngress"
- "ec2:Describe*"
Resource: "*"
- PolicyName: "alb-management"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
- "elasticloadbalancing:DeregisterTargets"
- "elasticloadbalancing:DescribeTargetGroups"
- "elasticloadbalancing:DescribeTargetHealth"
- "elasticloadbalancing:Describe*"
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
- "elasticloadbalancing:RegisterTargets"
Resource: "*"
我该怎么办?
更新: 自 2018 年 7 月 19 日起,现在可以使用 CloudFormation https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html.
创建 IAM 服务相关角色 EcsServiceLinkedRole:
Type: "AWS::IAM::ServiceLinkedRole"
Properties:
AWSServiceName: "ecs.amazonaws.com"
Description: "Role to enable Amazon ECS to manage your cluster."
旧答案: ECS 现在依赖 Service-Linked Roles 而不是普通角色。确保您已使用以下方式为帐户创建它:
aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
然后从您的 IAMRoleECSService 中删除 Role 参数,因为它不再需要了。