AWS XRAY on Fargate service

I want to add xray to my Fargate service. Everything works (synth/deploy), but in the logs I see the following error:

2022-02-07T13:38:22Z [Error] Sending segment batch failed with: AccessDeniedException: 2022-02-07 14:38:22status code: 403, request id: cdc23f61-5c2e-4ede-8bda-5328e0c8ac8f

The user I am using to deploy the application has the AWSXrayFullAccess permission. Do I have to grant the task permissions manually? If so, how?

Here is a snippet of the application:

const cdk = require('@aws-cdk/core');
const ecs = require('@aws-cdk/aws-ecs');
const ecsPatterns = require('@aws-cdk/aws-ecs-patterns');

class API extends cdk.Stack {
  constructor(parent, id, props) {
    super(parent, id, props);

    // Task definition shared by the API container and the X-Ray daemon sidecar.
    // Its taskRole is the identity the daemon uses when calling X-Ray.
    this.apiXRayTaskDefinition = new ecs.FargateTaskDefinition(this, 'apixRay-definition', {
      cpu: 256,
      memoryLimitMiB: 512,
    });

    this.apiXRayTaskDefinition.addContainer('api', {
        image: ecs.ContainerImage.fromAsset('./api'),
        environment: {
          "QUEUE_URL": props.queue.queueUrl,
          "TABLE": props.table.tableName,
          // With awsvpc networking the sidecar shares the task's network namespace,
          // so the daemon is reachable on the loopback interface.
          "AWS_XRAY_DAEMON_ADDRESS": "0.0.0.0:2000"
        },
        logging: ecs.LogDriver.awsLogs({ streamPrefix: 'api' }),
    }).addPortMappings({
      containerPort: 80
    });

    // X-Ray daemon sidecar: receives segments over UDP 2000 and forwards them to X-Ray.
    this.apiXRayTaskDefinition.addContainer('xray', {
      image: ecs.ContainerImage.fromRegistry('public.ecr.aws/xray/aws-xray-daemon:latest'),
      logging: ecs.LogDriver.awsLogs({ streamPrefix: 'xray' }),
    }).addPortMappings({
      containerPort: 2000,
      protocol: ecs.Protocol.UDP,
    });

    // API
    // cpu/memory come from the task definition above; the pattern's own cpu/memoryLimitMiB
    // props only apply when it builds the task definition itself.
    this.api = new ecsPatterns.ApplicationLoadBalancedFargateService(this, 'api', {
      cluster: props.cluster,
      taskDefinition: this.apiXRayTaskDefinition,
      desiredCount: 2,
    });

    // Only SQS and DynamoDB permissions are granted to the task role here;
    // nothing grants the X-Ray daemon the right to upload segments.
    props.queue.grantSendMessages(this.api.service.taskDefinition.taskRole);
    props.table.grantReadWriteData(this.api.service.taskDefinition.taskRole);

  }
}

The user I'm using to deploy the application has the AWSXrayFullAccess permission.

That doesn't matter; the task does not get the permissions of the user who deploys the stack.

Yes, you need to add the required permissions to the task role yourself:

const iam = require('@aws-cdk/aws-iam');

// Attach the AWS managed policy that covers what the X-Ray daemon calls
// (PutTraceSegments, PutTelemetryRecords and the sampling APIs).
this.apiXRayTaskDefinition.taskRole.addManagedPolicy(
    iam.ManagedPolicy.fromAwsManagedPolicyName('AWSXRayDaemonWriteAccess')
);

References:

AWS managed policy with the access the X-Ray daemon needs: https://docs.aws.amazon.com/xray/latest/devguide/security_iam_id-based-policy-examples.html#xray-permissions-managedpolicies

Importing an AWS-managed policy: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-iam.ManagedPolicy.html#static-fromwbrawswbrmanagedwbrpolicywbrnamemanagedpolicyname

Accessing the task role: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-ecs.FargateTaskDefinition.html#taskrole-1

Adding a policy: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-iam.IRole.html#addwbrmanagedwbrpolicypolicy
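The answer's point is that the 403 comes from the task role, not from the deploying user, and that the role needs exactly the actions the daemon calls. The following is an added example, not code from the question or the answer: it builds the least-privilege inline equivalent of that managed policy (useful when you would rather not attach an AWS managed policy) and checks a task role's policy document for the daemon actions it is missing, which is how you would confirm the diagnosis before redeploying. The action list is my reading of AWSXRayDaemonWriteAccess and should be verified against the X-Ray docs linked above; the helper names are hypothetical, and it runs offline with no CDK or AWS SDK dependency.

```javascript
// Added example: least-privilege X-Ray daemon policy plus a checker that reports
// which daemon actions a task role's IAM policy document fails to allow.
// XRAY_DAEMON_ACTIONS is my reading of the AWSXRayDaemonWriteAccess managed
// policy (assumption; confirm against the X-Ray docs before relying on it).

const XRAY_DAEMON_ACTIONS = [
  'xray:PutTraceSegments',          // upload segment batches
  'xray:PutTelemetryRecords',       // daemon health telemetry
  'xray:GetSamplingRules',          // sampling configuration
  'xray:GetSamplingTargets',
  'xray:GetSamplingStatisticSummaries',
];

// Inline policy equivalent to the managed policy. These X-Ray APIs do not
// support resource-level permissions, so Resource must be "*".
function xrayDaemonPolicyDocument() {
  return {
    Version: '2012-10-17',
    Statement: [
      { Sid: 'XRayDaemonWrite', Effect: 'Allow', Action: XRAY_DAEMON_ACTIONS, Resource: '*' },
    ],
  };
}

function asArray(v) {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// IAM action matching: case-insensitive, with '*' and '?' wildcards
// ("xray:Put*", "xray:*", "*" all match xray:PutTraceSegments).
function actionMatches(pattern, action) {
  const source = pattern
    .split('')
    .map((ch) => (ch === '*' ? '.*' : ch === '?' ? '.' : ch.replace(/[.+^${}()|[\]\\]/g, '\\$&')))
    .join('');
  return new RegExp('^' + source + '$', 'i').test(action);
}

// Return the daemon actions the policy document does not allow.
// Simplified model: identity-policy Allow/Deny on Action with Resource "*";
// conditions, NotAction and SCPs are ignored. That is enough to explain a
// flat AccessDeniedException from the daemon like the one in the question.
function missingXrayActions(policyDocument) {
  const allowed = new Set();
  const denied = new Set();
  for (const st of asArray(policyDocument.Statement)) {
    // Non-resource-scoped calls are only granted by Resource "*".
    if (!asArray(st.Resource).includes('*')) continue;
    const bucket = st.Effect === 'Deny' ? denied : allowed;
    for (const pattern of asArray(st.Action)) {
      for (const needed of XRAY_DAEMON_ACTIONS) {
        if (actionMatches(pattern, needed)) bucket.add(needed);
      }
    }
  }
  // An explicit Deny always wins over an Allow.
  return XRAY_DAEMON_ACTIONS.filter((a) => !allowed.has(a) || denied.has(a));
}

// Constructed sample: what the question's stack actually grants the task role
// (SQS and DynamoDB only). Every daemon action is reported as missing.
const QUESTION_TASK_ROLE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['sqs:SendMessage', 'sqs:GetQueueUrl'], Resource: 'arn:aws:sqs:eu-west-1:111122223333:api-queue' },
    { Effect: 'Allow', Action: ['dynamodb:GetItem', 'dynamodb:PutItem'], Resource: 'arn:aws:dynamodb:eu-west-1:111122223333:table/api' },
  ],
};

module.exports = { XRAY_DAEMON_ACTIONS, xrayDaemonPolicyDocument, actionMatches, missingXrayActions, QUESTION_TASK_ROLE_POLICY };
```

Running `missingXrayActions` over the task role's real policy document (for example from `aws iam get-role-policy` output) tells you which of the five actions are missing; after the fix from the answer, or the inline document from `xrayDaemonPolicyDocument()`, the list is empty.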