User: batch.amazonaws.com is not authorized to perform: sts:AssumeRole on resource
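I have been trying to create some infrastructure that includes services such as EC2, ECS, S3 and Batch (and a few more). Everything seemed fine until it reached the step of building Batch.
I am following a Medium blog, and this is the CF template: Github Repo Link
This YAML is outdated, and I made a few modifications here and there, but not to the roles.
I have more than 3 CloudFormation stacks stuck in rollback because it can't stabilize the compute environment it builds from the YAML config I have. I went to the compute environment to see the exact error, and this is what I got: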
DELETING - CLIENT_ERROR - User: batch.amazonaws.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::402726478692:role/service-role/AWSBatchServiceRole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: f9d6c19d-4e77-4814-ac2c-b437e0546977; Proxy: null)
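Now it won't even delete this compute environment on automatic rollback. However, my main concern is why it fails to create in the first place. I have read the documentation and several questions on the same topic, but nothing seems to work.
Here is an excerpt of my YAML config. This part is for the compute environment: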
ComputeEnvironment:
  Type: "AWS::Batch::ComputeEnvironment"
  Properties:
    Type: MANAGED
    ServiceRole: !Sub "arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBatchServiceRole"
    ComputeEnvironmentName: !Sub "${Environment}-batch-processing_3"
    ComputeResources:
      MaxvCpus: 1
      SecurityGroupIds:
        - !Ref SecurityGroup
      Type: EC2
      Subnets: !Ref Subnets
      MinvCpus: 1
      InstanceRole: !Ref ECSInstanceProfile
      InstanceTypes:
        - "c6gd.medium"
      Tags: {"Name": !Sub "${Environment} - Batch Instance" }
      DesiredvCpus: 1
    State: ENABLED
JobQueue:
  DependsOn: ComputeEnvironment
  Type: "AWS::Batch::JobQueue"
  Properties:
    ComputeEnvironmentOrder:
      - Order: 1
        ComputeEnvironment: !Ref ComputeEnvironment
    State: ENABLED
    Priority: 1
    JobQueueName: "HighPriority"
Job:
  Type: "AWS::Batch::JobDefinition"
  Properties:
    Type: container
    JobDefinitionName: !Sub "${Environment}-batch-s3-processor"
    ContainerProperties:
      Memory: 2048
      Privileged: false
      JobRoleArn: !Ref JobRole
      ReadonlyRootFilesystem: true
      Vcpus: 1
      Image: !Sub "${AWS::AccountId}.dkr.ecr.us-west-2.amazonaws.com/${DockerImage}"
    RetryStrategy:
      Attempts: 1
JobRole:
  Type: "AWS::IAM::Role"
  Properties:
    Path: "/"
    RoleName: !Sub "${Environment}-BatchJobRole"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Action:
            - "sts:AssumeRole"
          Effect: "Allow"
          Principal:
            Service:
              - "ecs-tasks.amazonaws.com"
              - "batch.amazonaws.com"
    Policies:
      -
        PolicyName: !Sub "${Environment}-s3-access"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            -
              Effect: "Allow"
              Action:
                - "s3:*"
                - "iam:*"
                - "batch:*"
              Resource: !Sub "arn:aws:s3:::batch-${AWS::AccountId}-${AWS::Region}/*"
ECSInstanceProfile:
  Type: "AWS::IAM::InstanceProfile"
  Properties:
    Path: "/"
    Roles:
      - !Ref ECSRole
ECSRole:
  Type: "AWS::IAM::Role"
  Properties:
    Path: "/"
    RoleName: !Sub "${Environment}-batch-ecs-role"
    SourceAccount:
      Ref: AWS::AccountId
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Action: "sts:AssumeRole"
          Effect: "Allow"
          Principal:
            Service:
              - "ec2.amazonaws.com"
              - "batch.amazonaws.com"
    Policies:
      - PolicyName: !Sub "${Environment}-full-access-for-batch-resource"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            -
              Effect: "Allow"
              Action:
                - "s3:*"
                - "iam:*"
                - "batch:*"
              Resource: !Sub "arn:aws:s3:::batch-${AWS::AccountId}-${AWS::Region}/*"
      - PolicyName: !Sub ${Environment}-ecs-batch-policy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            -
              Effect: "Allow"
              Action:
                - "ecs:CreateCluster"
                - "ecs:DeregisterContainerInstance"
                - "ecs:DiscoverPollEndpoint"
                - "ecs:Poll"
                - "ecs:RegisterContainerInstance"
                - "ecs:StartTelemetrySession"
                - "ecs:StartTask"
                - "ecs:Submit*"
                - "logs:CreateLogStream"
                - "logs:PutLogEvents"
                - "logs:DescribeLogStreams"
                - "logs:CreateLogGroup"
                - "ecr:BatchCheckLayerAvailability"
                - "ecr:BatchGetImage"
                - "ecr:GetDownloadUrlForLayer"
                - "ecr:GetAuthorizationToken"
                - "s3:*"
                - "batch:*"
              Resource: "*"
      - PolicyName: !Sub "${Environment}-ecs-instance-policy"
        PolicyDocument:
          Statement:
            -
              Effect: "Allow"
              Action:
                - "ecs:DescribeContainerInstances"
                - "ecs:ListClusters"
                - "ecs:RegisterTaskDefinition"
                - "s3:*"
                - "batch:*"
              Resource: "*"
            -
              Effect: "Allow"
              Action:
                - "ecs:*"
                - "s3:*"
                - "batch:*"
              Resource: "*"
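As you can see, I have tried giving more than enough permissions in these policies, which is already a bad practice, but I still can't get it to Assume Role. Any help would be appreciated.
Edit: I have checked and I can see AWSBatchServiceRole, I have added the AWSBatchServiceRole and AWSBatchFullAccess permissions, and in the Trust Relationship I do have sts:AssumeRole there. Here is the JSON from the Trust Relationship: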
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "batch.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

A friend of mine figured it out and it worked. It was a silly mistake.
Changing arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBatchServiceRole to arn:aws:iam::${AWS::AccountId}:role/AWSBatchServiceRole worked.
service-role/ is not required, at least not now.
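
A path check for the mismatch the answer describes, as an added example that is not part of the original post: an IAM role's path is part of its ARN, so the ARN written in the template is compared against the roles that actually exist. `SAMPLE_ROLES` is constructed in the shape of IAM ListRoles output, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of IAM ListRoles output: the role sits at
# path "/" (as in the fix) with the trust policy quoted in the question.
SAMPLE_ROLES = [{
    "Path": "/", "RoleName": "AWSBatchServiceRole",
    "Arn": "arn:aws:iam::402726478692:role/AWSBatchServiceRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "batch.amazonaws.com"},
        "Action": "sts:AssumeRole"}]},
}]

ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role(/(?:[^/]+/)*)([^/]+)$")

def parse_role_arn(arn):
    """Split a role ARN into (account, path, name); the path is part of the ARN."""
    m = ROLE_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return m.group(1), m.group(2), m.group(3)

def as_list(value):
    return value if isinstance(value, list) else [value]

def trusts(role, service):
    """True if the role's trust policy lets `service` call sts:AssumeRole."""
    for st in as_list(role["AssumeRolePolicyDocument"].get("Statement", [])):
        principal = st.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and service in services
                and "sts:AssumeRole" in as_list(st.get("Action", []))):
            return True
    return False

def diagnose(wanted_arn, roles, service="batch.amazonaws.com"):
    """Return (verdict, arn) for the role ARN a template asks `service` to assume."""
    _, _, name = parse_role_arn(wanted_arn)
    same_name = [r for r in roles if r["RoleName"] == name]
    exact = [r for r in same_name if r["Arn"] == wanted_arn]
    if exact:
        return ("ok", wanted_arn) if trusts(exact[0], service) else ("untrusted", wanted_arn)
    if same_name:
        # Same role name under a different path: the error on this page is AccessDenied.
        return ("path_mismatch", same_name[0]["Arn"])
    return ("missing", None)
```

Against a live account, `aws iam get-role --role-name AWSBatchServiceRole --query Role.Arn --output text` prints the ARN that exists, path included.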