AWS CredentialProviders 无法在 Fargate 中检索凭证
AWS CredentialProviders fail to retrieve credentials in Fargate
我运行在使用 SecretsManager 的 AWS Fargate 中安装一个 SpringBoot 应用程序。这是我作为凭证提供者提供给 AWS SDK 的内容:
public class ProfiledCredentialsProvider extends AWSCredentialsProviderChain {
public ProfiledCredentialsProvider(@Nullable final String profile) {
super(new DefaultAWSCredentialsProviderChain(), new EC2ContainerCredentialsProviderWrapper(),
new EnvironmentVariableCredentialsProvider(), new SystemPropertiesCredentialsProvider(),
StringUtils.isBlank(profile) ? new ProfileCredentialsProvider()
: new ProfileCredentialsProvider(profile));
this.setReuseLastProvider(true);
}
}
这让我可以 运行 使用替代 AWS 配置文件在本地使用此应用程序。但是,当我在 Fargate 中 运行 这个应用程序时,我得到以下堆栈跟踪:
com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [com.amazonaws.auth.DefaultAWSCredentialsProviderChain@3439f68d: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.profile.ProfileCredentialsProvider@1cab0bfb: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@140e5a13: Failed to connect to service endpoint: ], com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@dbd940d: Failed to connect to service endpoint: , EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), com.amazonaws.auth.profile.ProfileCredentialsProvider@71d15f18: profile file cannot be null]
at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:136) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1257) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:833) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:783) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access0(AmazonHttpClient.java:704) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.doInvoke(AWSSecretsManagerClient.java:2634) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2601) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2590) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.executeGetSecretValue(AWSSecretsManagerClient.java:1213) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.getSecretValue(AWSSecretsManagerClient.java:1184) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
这是我的 task-definition.json:
的摘录
{
"family": "transfer-services-api",
"executionRoleArn": "arn:aws:iam::************:role/ecs-task-execution-role"
"requiresCompatibilities": [
"FARGATE"
]
}
在'trust relationship'中加上这个:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
和附加策略 AmazonECSTaskExecutionRolePolicy(未设置权限边界)。
任何帮助都会很棒,谢谢。
您需要分配一个任务角色。执行角色使 ECS 能够访问 ECR 和 SecretsManager 等资源,以便执行您的 ECS 任务。任务角色使您的任务代码能够访问其他 AWS 资源。请参阅文档 here。
我运行在使用 SecretsManager 的 AWS Fargate 中安装一个 SpringBoot 应用程序。这是我作为凭证提供者提供给 AWS SDK 的内容:
public class ProfiledCredentialsProvider extends AWSCredentialsProviderChain {
public ProfiledCredentialsProvider(@Nullable final String profile) {
super(new DefaultAWSCredentialsProviderChain(), new EC2ContainerCredentialsProviderWrapper(),
new EnvironmentVariableCredentialsProvider(), new SystemPropertiesCredentialsProvider(),
StringUtils.isBlank(profile) ? new ProfileCredentialsProvider()
: new ProfileCredentialsProvider(profile));
this.setReuseLastProvider(true);
}
}
这让我可以 运行 使用替代 AWS 配置文件在本地使用此应用程序。但是,当我在 Fargate 中 运行 这个应用程序时,我得到以下堆栈跟踪:
com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [com.amazonaws.auth.DefaultAWSCredentialsProviderChain@3439f68d: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.profile.ProfileCredentialsProvider@1cab0bfb: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@140e5a13: Failed to connect to service endpoint: ], com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@dbd940d: Failed to connect to service endpoint: , EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), com.amazonaws.auth.profile.ProfileCredentialsProvider@71d15f18: profile file cannot be null]
at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:136) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1257) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:833) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:783) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access0(AmazonHttpClient.java:704) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.doInvoke(AWSSecretsManagerClient.java:2634) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2601) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2590) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.executeGetSecretValue(AWSSecretsManagerClient.java:1213) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.getSecretValue(AWSSecretsManagerClient.java:1184) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
这是我的 task-definition.json:
{
"family": "transfer-services-api",
"executionRoleArn": "arn:aws:iam::************:role/ecs-task-execution-role"
"requiresCompatibilities": [
"FARGATE"
]
}
在'trust relationship'中加上这个:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
和附加策略 AmazonECSTaskExecutionRolePolicy(未设置权限边界)。
任何帮助都会很棒,谢谢。
您需要分配一个任务角色。执行角色使 ECS 能够访问 ECR 和 SecretsManager 等资源,以便执行您的 ECS 任务。任务角色使您的任务代码能够访问其他 AWS 资源。请参阅文档 here。