Step function unable to trigger ECS task on fargate cluster, permission issue

I am creating and running a task on my ECS Fargate cluster.

The task definition (with roles) and the Fargate cluster have been created.

When I use the Run Task step in a Step Function, I get the following error:

{
  "Error": "ECS.AccessDeniedException",
  "Cause": "User: arn:aws:sts::xxxxxxxxxx:assumed-role/StepFunctions-my-state-machine-role-xxxxxxxxxx/xxxxxxxxxx is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxxxx:role/my-app-dev-exec because no identity-based policy allows the iam:PassRole action (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx; Proxy: null)"
}

The role attached to the Step Function has the following policy (per the AWS documentation at https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:RunTask"
            ],
            "Resource": [
                "arn:aws:ecs:eu-west-1:xxxxxxxxxx:task-definition/*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:StopTask",
                "ecs:DescribeTasks"
            ],
            "Resource": [
                "arn:aws:ecs:eu-west-1:xxxxxxxxxx:task/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:PutTargets",
                "events:PutRule",
                "events:DescribeRule"
            ],
            "Resource": [
                "arn:aws:events:eu-west-1:xxxxxxxxxx:rule/StepFunctionsGetEventsForECSTaskRule"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "states:DescribeStateMachine",
                "states:StartExecution",
                "states:ListExecutions",
                "states:UpdateStateMachine"
            ],
            "Resource": [
                "arn:aws:states:eu-west-1:xxxxxxxxxx:stateMachine:my-state-machine"
            ]
        }
    ]
}

with the following trusted entities:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "states.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Can someone help me work out what additional permission needs to be granted to resolve the permission issue above? From the error I cannot figure out which extra permission is required.

If I attach the AmazonECS_FullAccess (AWS managed) policy to the role, the job runs perfectly.

Because your task will use an IAM role, you need to specify the additional permission 'PassRole'.

Best practice is to restrict which roles can be passed, so it is recommended to add a condition that only allows passing roles to ECS tasks.

Try adding this statement to your policy:

{
    "Action": "iam:PassRole",
    "Effect": "Allow",
    "Resource": [
        "*"
    ],
    "Condition": {
        "StringLike": {
            "iam:PassedToService": "ecs-tasks.amazonaws.com"
        }
    }
}
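The following is an added example, not code from the question or the answer above. It assembles the Step Functions role policy from the question together with the iam:PassRole statement the answer recommends, and it goes one step further than the answer by scoping the PassRole Resource to the two roles a Fargate task actually needs (the task execution role and the task role) rather than "*". A small offline evaluator that mimics IAM's Allow/Deny, Resource wildcard and condition-key matching then shows why the original policy produced the AccessDeniedException and that the hardened policy allows only the intended roles and only when they are passed to ecs-tasks.amazonaws.com. The account ID, the task role name and the Administrator role name are placeholders; only my-app-dev-exec comes from the error message in the question.

```python
"""Build and offline-check the Step Functions -> ECS RunTask role policy.

Added example (not from the original post). Placeholders: the account id,
the task role name `my-app-dev-task` and the role `Administrator`.
"""
import fnmatch
import json

ACCOUNT = "123456789012"                                       # placeholder account id
EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/my-app-dev-exec"     # name taken from the error in the question
TASK_ROLE = f"arn:aws:iam::{ACCOUNT}:role/my-app-dev-task"     # assumed name of the task role
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/Administrator"      # a role that must never be passable
ECS_TASKS = "ecs-tasks.amazonaws.com"


def pass_role_statement(role_arns):
    """iam:PassRole limited to the listed roles, and only when the role is handed
    to the ECS tasks service (iam:PassedToService). Listing roles instead of "*"
    stops the state machine from launching a task with an arbitrary role."""
    return {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": sorted(role_arns),
        "Condition": {"StringEquals": {"iam:PassedToService": ECS_TASKS}},
    }


def step_functions_policy(region, account, passable_roles=None):
    """The policy from the question; passable_roles=None reproduces the original
    (failing) policy, a list of role ARNs appends the hardened PassRole statement."""
    statements = [
        {"Effect": "Allow", "Action": ["ecs:RunTask"],
         "Resource": [f"arn:aws:ecs:{region}:{account}:task-definition/*:*"]},
        {"Effect": "Allow", "Action": ["ecs:StopTask", "ecs:DescribeTasks"],
         "Resource": [f"arn:aws:ecs:{region}:{account}:task/*"]},
        {"Effect": "Allow",
         "Action": ["events:PutTargets", "events:PutRule", "events:DescribeRule"],
         "Resource": [f"arn:aws:events:{region}:{account}:rule/StepFunctionsGetEventsForECSTaskRule"]},
    ]
    if passable_roles:
        statements.append(pass_role_statement(passable_roles))
    return {"Version": "2012-10-17", "Statement": statements}


def _matches(pattern, value):
    # IAM treats '*' and '?' in Action, Resource and StringLike values as wildcards.
    return fnmatch.fnmatchcase(value, pattern)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """Supports the two operators used here; a missing context key fails the condition."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringLike" and not any(_matches(e, actual) for e in expected):
                return False
            if operator not in ("StringEquals", "StringLike"):
                raise NotImplementedError(operator)
    return True


def is_allowed(policy, action, resource, context=None):
    """Minimal identity-based evaluation: explicit Deny wins, any matching Allow
    grants, otherwise implicit deny (which is what the AccessDeniedException reports)."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    ctx = {"iam:PassedToService": ECS_TASKS}
    original = step_functions_policy("eu-west-1", ACCOUNT)
    hardened = step_functions_policy("eu-west-1", ACCOUNT, [EXEC_ROLE, TASK_ROLE])
    print(json.dumps(hardened, indent=2))
    print("original policy passes exec role:", is_allowed(original, "iam:PassRole", EXEC_ROLE, ctx))
    print("hardened policy passes exec role:", is_allowed(hardened, "iam:PassRole", EXEC_ROLE, ctx))
    print("hardened policy passes Administrator:", is_allowed(hardened, "iam:PassRole", ADMIN_ROLE, ctx))
    print("hardened policy passes exec role to Lambda:",
          is_allowed(hardened, "iam:PassRole", EXEC_ROLE, {"iam:PassedToService": "lambda.amazonaws.com"}))
```

The evaluator is deliberately small (no NotResource, no policy variables, no resource-based or SCP layers), so use it to reason about the statement shape, not as a substitute for the real IAM policy simulator. If you keep the answer's "*" Resource, the same check will report that Administrator is passable too, which is exactly the privilege escalation the scoped Resource list closes.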