使用 ecs-cli 时出现 IAM 错误
IAM Error while using ecs-cli
我正在尝试使用撰写文件为 ECS 创建新任务,但即使我的用户具有所需的权限,我也会收到 AccessDeniedException。
$ ecs-cli compose --project-name test create
WARN[0000] Skipping unsupported YAML option for service... option name=build service name=builder
WARN[0000] Skipping unsupported YAML option for service... option name=restart service name=db
WARN[0000] Skipping unsupported YAML option for service... option name=restart service name=dbadmin
WARN[0000] Skipping unsupported YAML option for service... option name=restart service name=app
ERRO[0001] Error registering task definition error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b family=ecscompose-test
ERRO[0001] Create task definition failed error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b
FATA[0001] AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b
用户附加了此策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RegisterTaskDefinition",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition"
],
"Resource": [
"*"
]
}
]
}
我也尝试附加 AmazonEC2ContainerServiceFullAccess(有 ecs:*),但没有成功。
我相信这篇文章对为什么会发生上述错误有一些答案,但我认为不是修复方法。
Trouble deploying docker on AWS with ecs-cli
"From what I understand, ecs-cli has a very limited support of the complete Docker Compose file syntax"
每位用户 Dolan Antenucci
注意警告
"WARN[0000] Skipping unsupported YAML option for service..."
ECS 不支持大量的撰写设置。但是,它应该只打印警告并忽略它们,这会产生意想不到的结果,但不应引发权限问题。
当您看到 "user_arn not authorized to perform service:action on service_resource" 形式的 400 个 AccessDeniedExceptions 时,这绝对是 IAM 问题。但是,您列出的 IAM 政策看起来是正确的。我的想法是您以某种方式没有使用正确的用户凭据,或者 IAM 策略未正确应用于用户。
发现问题,我使用的用户有使用 MFA(多因素身份验证)的策略,ecs-cli 不支持该策略。
我正在尝试使用撰写文件为 ECS 创建新任务,但即使我的用户具有所需的权限,我也会收到 AccessDeniedException。
$ ecs-cli compose --project-name test create
WARN[0000] Skipping unsupported YAML option for service... option name=build service name=builder
WARN[0000] Skipping unsupported YAML option for service... option name=restart service name=db
WARN[0000] Skipping unsupported YAML option for service... option name=restart service name=dbadmin
WARN[0000] Skipping unsupported YAML option for service... option name=restart service name=app
ERRO[0001] Error registering task definition error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b family=ecscompose-test
ERRO[0001] Create task definition failed error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b
FATA[0001] AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b
用户附加了此策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RegisterTaskDefinition",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition"
],
"Resource": [
"*"
]
}
]
}
我也尝试附加 AmazonEC2ContainerServiceFullAccess(有 ecs:*),但没有成功。
我相信这篇文章对为什么会发生上述错误有一些答案,但我认为不是修复方法。
Trouble deploying docker on AWS with ecs-cli
"From what I understand, ecs-cli has a very limited support of the complete Docker Compose file syntax"
每位用户 Dolan Antenucci
注意警告 "WARN[0000] Skipping unsupported YAML option for service..."
ECS 不支持大量的撰写设置。但是,它应该只打印警告并忽略它们,这会产生意想不到的结果,但不应引发权限问题。
当您看到 "user_arn not authorized to perform service:action on service_resource" 形式的 400 个 AccessDeniedExceptions 时,这绝对是 IAM 问题。但是,您列出的 IAM 政策看起来是正确的。我的想法是您以某种方式没有使用正确的用户凭据,或者 IAM 策略未正确应用于用户。
发现问题,我使用的用户有使用 MFA(多因素身份验证)的策略,ecs-cli 不支持该策略。