User: batch.amazonaws.com is not authorized to perform: sts:AssumeRole on resource


I have been trying to create some infrastructure that includes services such as EC2, ECS, S3 and Batch (plus a few others). Everything seems fine until it reaches the step that builds the Batch resources.

I am following a blog post on Medium; this is the CF template: Github Repo Link

The YAML is out of date and I have made some modifications here and there, but I have not modified the roles.

I have more than 3 CloudFormation stacks stuck in rollback state because it cannot stabilize the compute environment it builds from the YAML config I have. I went into the compute environment to see the exact error, and this is what I got:

DELETING - CLIENT_ERROR - User: batch.amazonaws.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::402726478692:role/service-role/AWSBatchServiceRole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: f9d6c19d-4e77-4814-ac2c-b437e0546977; Proxy: null)

Now it will not even delete this compute environment during the automatic rollback. But my main concern is why it cannot be created in the first place. I have read the docs and several questions on the same subject, but nothing seems to work.

Here is an excerpt from my YAML config. This part is for the compute environment:

  ComputeEnvironment:
    Type: "AWS::Batch::ComputeEnvironment"
    Properties:
      Type: MANAGED
      ServiceRole: !Sub "arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBatchServiceRole"
      ComputeEnvironmentName: !Sub "${Environment}-batch-processing_3"
      ComputeResources:
        MaxvCpus: 1
        SecurityGroupIds:
          - !Ref SecurityGroup
        Type: EC2
        Subnets: !Ref Subnets
        MinvCpus: 1
        InstanceRole: !Ref ECSInstanceProfile
        InstanceTypes:
          - "c6gd.medium"
        Tags: {"Name": !Sub "${Environment} - Batch Instance" }
        DesiredvCpus: 1
      State: ENABLED

  JobQueue:
    DependsOn: ComputeEnvironment
    Type: "AWS::Batch::JobQueue"
    Properties:
      ComputeEnvironmentOrder:
        - Order: 1
          ComputeEnvironment: !Ref ComputeEnvironment
      State: ENABLED
      Priority: 1
      JobQueueName: "HighPriority"

  Job:
    Type: "AWS::Batch::JobDefinition"
    Properties:
      Type: container
      JobDefinitionName: !Sub "${Environment}-batch-s3-processor"
      ContainerProperties:
        Memory: 2048
        Privileged: false
        JobRoleArn: !Ref JobRole
        ReadonlyRootFilesystem: true
        Vcpus: 1
        Image: !Sub "${AWS::AccountId}.dkr.ecr.us-west-2.amazonaws.com/${DockerImage}"
      RetryStrategy:
        Attempts: 1

  JobRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      RoleName: !Sub "${Environment}-BatchJobRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Action: 
              - "sts:AssumeRole"
            Effect: "Allow"
            Principal:
              Service: 
                - "ecs-tasks.amazonaws.com"
                - "batch.amazonaws.com"
      Policies:
        -
          PolicyName: !Sub "${Environment}-s3-access"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action: 
                  - "s3:*"
                  - "iam:*"
                  - "batch:*"
                Resource: !Sub "arn:aws:s3:::batch-${AWS::AccountId}-${AWS::Region}/*"

  ECSInstanceProfile:
    Type: "AWS::IAM::InstanceProfile"
    Properties:
      Path: "/"
      Roles:
        - !Ref ECSRole

  ECSRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      RoleName: !Sub "${Environment}-batch-ecs-role"
      # SourceAccount is not a property of AWS::IAM::Role; the role's trust policy
      # below is what restricts who may assume it.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Action: "sts:AssumeRole"
            Effect: "Allow"
            Principal:
              Service: 
                - "ec2.amazonaws.com"
                - "batch.amazonaws.com"
      Policies:
        - PolicyName: !Sub "${Environment}-full-access-for-batch-resource"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action: 
                  - "s3:*"
                  - "iam:*"
                  - "batch:*"
                Resource: !Sub "arn:aws:s3:::batch-${AWS::AccountId}-${AWS::Region}/*"
        - PolicyName: !Sub "${Environment}-ecs-batch-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action:
                  - "ecs:CreateCluster"
                  - "ecs:DeregisterContainerInstance"
                  - "ecs:DiscoverPollEndpoint"
                  - "ecs:Poll"
                  - "ecs:RegisterContainerInstance"
                  - "ecs:StartTelemetrySession"
                  - "ecs:StartTask"
                  - "ecs:Submit*"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                  - "logs:DescribeLogStreams"
                  - "logs:CreateLogGroup"
                  - "ecr:BatchCheckLayerAvailability"
                  - "ecr:BatchGetImage"
                  - "ecr:GetDownloadUrlForLayer"
                  - "ecr:GetAuthorizationToken"
                  - "s3:*"
                  - "batch:*"
                Resource: "*"
        - PolicyName: !Sub "${Environment}-ecs-instance-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              -
                Effect: "Allow"
                Action:
                  - "ecs:DescribeContainerInstances"
                  - "ecs:ListClusters"
                  - "ecs:RegisterTaskDefinition"
                  - "s3:*"
                  - "batch:*"
                Resource: "*"
              -
                Effect: "Allow"
                Action:
                  - "ecs:*"
                  - "s3:*"
                  - "batch:*"
                Resource: "*"

As you can see, I have tried to grant more than enough permissions in these policies, which is already bad practice, but I still cannot get it to allow the Assume Role. Any help would be appreciated.

Edit: I have checked and I can see the AWSBatchServiceRole; I have added the AWSBatchServiceRole and AWSBatchFullAccess permissions, and in the Trust Relationship I do have sts:AssumeRole there. This is the JSON from the Trust Relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "batch.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

A friend of mine figured it out and it worked. It was a silly mistake.

Change arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBatchServiceRole to arn:aws:iam::${AWS::AccountId}:role/AWSBatchServiceRole and it works.

service-role/ is not required, at least not anymore.
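The root cause in this question is that an IAM role's path is part of its identity: a role created at path "/" is not reachable through an ARN that says "/service-role/", so STS reports the principal as not authorized even though the trust policy is correct. The following script is an added example, not code from the question or the answer; it parses an STS access-denied message of the shape quoted above, looks the ARN up in a role inventory (constructed inline here, where in practice you would build it from the output of `aws iam list-roles`), and then evaluates the trust policy for the service principal. The account id 123456789012 is a documentation placeholder, the role name and trust policy mirror the question, and Condition elements in trust policies are ignored, which is an assumption of this triage tool rather than how IAM evaluates them.

```python
"""Offline triage of an AWS "is not authorized to perform: sts:AssumeRole" error.

Added example (not from the question or answer). The role inventory is constructed;
normally you would build it from `aws iam list-roles` / `get-role`.
"""
import re
from dataclasses import dataclass

# Constructed placeholder account id (AWS documentation example), not a real account.
ACCOUNT = "123456789012"

# Shape of the STS access-denied message quoted in the question.
DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>arn:\S+)"
)
# A role ARN is account + IAM path + name; the path is part of the identity.
ROLE_ARN_RE = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):role(?P<path>/(?:[^/]+/)*)(?P<name>[^/]+)$"
)


@dataclass
class Role:
    name: str
    path: str           # IAM path, "/" or e.g. "/service-role/"
    trust_policy: dict  # the AssumeRolePolicyDocument

    def arn(self, account: str = ACCOUNT) -> str:
        return f"arn:aws:iam::{account}:role{self.path}{self.name}"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and patterns may contain '*'.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def trust_decision(role: Role, principal: str, action: str = "sts:AssumeRole") -> str:
    """Evaluate a trust policy for a service principal (Condition elements ignored).

    Returns "explicit_deny", "allow" or "implicit_deny", in IAM's order of precedence.
    """
    decision = "implicit_deny"
    for stmt in _as_list(role.trust_policy.get("Statement")):
        block = stmt.get("Principal")
        services = ["*"] if block == "*" else _as_list(
            block.get("Service") if isinstance(block, dict) else None)
        if not any(s == "*" or s.lower() == principal.lower() for s in services):
            continue
        if not any(_action_matches(a, action) for a in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicit_deny"
        if stmt.get("Effect") == "Allow":
            decision = "allow"
    return decision


def diagnose(message: str, inventory: list) -> dict:
    """Explain an AssumeRole denial against a list of Role objects."""
    m = DENIAL_RE.search(message)
    if not m:
        return {"verdict": "not_an_assume_role_denial"}
    arn = ROLE_ARN_RE.match(m["resource"])
    if not arn:
        return {"verdict": "unparseable_role_arn", "requested": m["resource"]}
    role = next((r for r in inventory
                 if r.name == arn["name"] and r.path == arn["path"]), None)
    if role is None:
        # The question's case: the ARN names a path the role was not created under.
        return {"verdict": "no_role_at_path", "requested": m["resource"],
                "same_name_elsewhere": [r.arn(arn["account"]) for r in inventory
                                        if r.name == arn["name"]]}
    decision = trust_decision(role, m["principal"], m["action"])
    return {"verdict": "trust_" + decision, "requested": m["resource"],
            "trusted_role": role.arn(arn["account"])}


# Constructed inventory: the role exists at path "/" with the question's trust policy.
SAMPLE_INVENTORY = [
    Role("AWSBatchServiceRole", "/", {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "batch.amazonaws.com"},
                       "Action": "sts:AssumeRole"}]}),
]

# Constructed copy of the question's error with placeholder account and request ids.
SAMPLE_ERROR = (
    "DELETING - CLIENT_ERROR - User: batch.amazonaws.com is not authorized to perform: "
    f"sts:AssumeRole on resource: arn:aws:iam::{ACCOUNT}:role/service-role/AWSBatchServiceRole "
    "(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; "
    "Request ID: 00000000-0000-0000-0000-000000000000; Proxy: null)"
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_INVENTORY))
    print(diagnose(SAMPLE_ERROR.replace("role/service-role/", "role/"), SAMPLE_INVENTORY))
```

Run as-is, the first call reports `no_role_at_path` and lists `arn:aws:iam::123456789012:role/AWSBatchServiceRole` as the same-named role that does exist, which is exactly the correction the answer arrived at; the second call, with the path removed, reports `trust_allow`. A `trust_allow` verdict on a real denial means the trust policy is not the problem and the next places to look are the account in the ARN, service control policies, or a Condition this tool does not evaluate.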