ECS无法承担角色

ECS unable to assume role

我正在从控制台调用提交批处理作业的 lambda。批处理作业失败,表明 ECS 无法承担为执行作业定义而提供的角色。

对于角色,我添加了 lambda 和 ECS 服务。

错误信息:

"ECS was unable to assume the role 'arn:aws:iam::749340585813:role/golfnow-invoke-write-progress' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role."

"TrainingJobRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "RoleName": "golfnow-invoke-write-progress",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com",
              "ecs.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    },
    "Path": "/"
  }
}

批处理作业:

    "TrainingJob": {
  "Type": "AWS::Batch::JobDefinition",
  "Properties": {
    "Type": "container",
    "JobDefinitionName": {
      "Fn::Sub": "c12e-golfnow-${Environment}-job"
    },
    "ContainerProperties": {
      "Image": {
        "Fn::Join": [
          "",
          [
            "{{ image omitted }}",
            {
              "Ref": "AWS::Region"
            },
            ".amazonaws.com/amazonlinux:latest"
          ]
        ]
      },
      "Vcpus": 2,
      "Memory": 2000,
      "Command": [
        "while", "True", ";", "do", "echo", "'hello';", "done"
      ],
      "JobRoleArn": {
        "Fn::GetAtt": [
          "TrainingJobRole",
          "Arn"
        ]
      }
    },
    "RetryStrategy": {
      "Attempts": 1
    }
  }
},
"JobQueue": {
  "Type": "AWS::Batch::JobQueue",
  "Properties": {
    "Priority": 1,
    "ComputeEnvironmentOrder": [
      {
        "Order": 1,
        "ComputeEnvironment": {
          "Ref": "ComputeEnvironment"
        }
      }
    ]
  }
}

它的调用方式有问题吗?我的用户有管理员权限,所以我认为这不是我的用户权限不足的问题。

您需要向 ECS 添加信任策略才能调用 Batch 服务。

   "Principal": {
      "Service":  [
            "batch.amazonaws.com"
      ]
    },

您必须将委托人 "ecs-tasks.amazonaws.com" 添加到提交 Batch 作业的角色的信任策略中(而不是 "ecs.amazonaws.com")。

修改后的角色:

"TrainingJobRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "golfnow-invoke-write-progress",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "lambda.amazonaws.com",
                  "ecs-tasks.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/"
      }
    },

对于那些在 Java 中编写 CDK 脚本的人,在定义 TaskDefinition 时,您不必明确提供任何 taskRoleexecutionRole。 CDK将为您创建合适的角色。

我的问题已通过在 CDK 脚本中添加角色名称得到解决。

 const ecsFargateServiceRole = new iam.Role(this, 'execution-role', {
  assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
  roleName: "execution-role"
});
ecsFargateServiceRole.addToPolicy(executionRolePolicy);