Fargate 中的 Dockerized NodeJS 无法生成有效的 AWS 预签名 URL
Dockerized NodeJS in Fargate can't generate a working AWS pre-signed URL
我有一个 docker 化的 NodeJS 应用程序,我将图像放在 AWS ECR 中。使用 docker-compose 在我的本地环境中 运行 运行良好,我可以生成预签名 PUT URL。预签名 URL 也可以,我可以将对象上传到其中。
我尝试使用 ECS Fargate 运行 相同的 ECR 映像,但是我无法将对象放入生成的预签名 URL。我收到拒绝访问错误。
编辑:
我怀疑问题来自 IAM 角色和权限。我通过 CloudFormation 构建了 ECS Fargate 基础设施,但似乎角色设置正确:
ECSTaskExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "${ContainerName}-ECSTaskExecutionRolePolicy"
Path: /
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Resource:
- !Ref DBHostSSMARN
- !Ref DBPortSSMARN
- !Ref DBUsernameSSMARN
- !Ref DBPasswordSSMARN
Effect: Allow
Action:
- "ssm:GetParameters"
- "secretsmanager:GetSecretValue"
- "kms:Decrypt"
- Resource: "*"
Effect: Allow
Action:
- cloudwatch:*
- ecr:GetDownloadUrlForLayer
- ecr:BatchGetImage
- ecr:BatchCheckLayerAvailability
- Resource:
- !Sub arn:aws:s3:::${VideoRepoName}
- !Sub arn:aws:s3:::${VideoRepoName}/*
Effect: Allow
Action:
- s3:*
我将 S3 权限分配给了错误的角色。我应该向 Task Role, not the Task Execution Role.
授予 S3 权限
我有一个 docker 化的 NodeJS 应用程序,我将图像放在 AWS ECR 中。使用 docker-compose 在我的本地环境中 运行 运行良好,我可以生成预签名 PUT URL。预签名 URL 也可以,我可以将对象上传到其中。 我尝试使用 ECS Fargate 运行 相同的 ECR 映像,但是我无法将对象放入生成的预签名 URL。我收到拒绝访问错误。
编辑: 我怀疑问题来自 IAM 角色和权限。我通过 CloudFormation 构建了 ECS Fargate 基础设施,但似乎角色设置正确:
ECSTaskExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "${ContainerName}-ECSTaskExecutionRolePolicy"
Path: /
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Resource:
- !Ref DBHostSSMARN
- !Ref DBPortSSMARN
- !Ref DBUsernameSSMARN
- !Ref DBPasswordSSMARN
Effect: Allow
Action:
- "ssm:GetParameters"
- "secretsmanager:GetSecretValue"
- "kms:Decrypt"
- Resource: "*"
Effect: Allow
Action:
- cloudwatch:*
- ecr:GetDownloadUrlForLayer
- ecr:BatchGetImage
- ecr:BatchCheckLayerAvailability
- Resource:
- !Sub arn:aws:s3:::${VideoRepoName}
- !Sub arn:aws:s3:::${VideoRepoName}/*
Effect: Allow
Action:
- s3:*
我将 S3 权限分配给了错误的角色。我应该向 Task Role, not the Task Execution Role.
授予 S3 权限