amazon-web-services - ECS Fargate service - who needs access to KMS to retrieve Secrets?
Problem description
I am trying to set up an ECS service that runs a single task with MySQL and a web server. I want to pass some runtime parameters as environment variables from SSM Parameter Store. Some of them will be plain text, but some will be encrypted with KMS. So suppose I have the following task definition:
{
  "ipcMode": null,
  "executionRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/wordpress-test",
          "awslogs-region": "eu-central-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 80,
          "protocol": "tcp",
          "containerPort": 80
        }
      ],
      "memoryReservation": 512,
      "name": "wordpress"
    },
    {
      "dnsSearchDomains": null,
      "logConfiguration": {
        "logDriver": "awslogs",
        "secretOptions": null,
        "options": {
          "awslogs-group": "/ecs/wordpress-test",
          "awslogs-region": "eu-central-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "secrets": [
        {
          "valueFrom": "arn:aws:ssm:eu-central-1:657433956652:parameter/project/dev/db.connection.default.password",
          "name": "MYSQL_ROOT_PASSWORD"
        }
      ],
      "memoryReservation": 512,
      "name": "mysql"
    }
  ],
  "placementConstraints": [],
  "memory": "1024",
  "taskRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
  "compatibilities": [
    "FARGATE"
  ],
  "taskDefinitionArn": "arn:aws:ecs:eu-central-1:657433956652:task-definition/wordpress-test:1",
  "family": "wordpress-test",
  "networkMode": "awsvpc",
  "cpu": "512"
}
The question is: which role should get read access to the SSM Parameter Store and access to the key used to encrypt the SecureString parameters? Should it be the Service, the Cluster, or the Pipeline that actually creates the service dynamically?
Solution
Your ecsTaskExecutionRole should have access to the SSM parameters.
Create an inline policy and attach it to arn:aws:iam::657433956652:role/ecsTaskExecutionRole.
From the documentation sample:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
        "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
        "arn:aws:kms:<region>:<aws_account_id>:key/key_id"
      ]
    }
  ]
}
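As an added example (editor's code, not part of the question or the answer above), the following Python script derives a least-privilege version of that policy from a task definition: it collects every `secrets[].valueFrom` ARN across all containers and emits an execution-role policy scoped to exactly those SSM parameters or Secrets Manager secrets, plus `kms:Decrypt` on the key that encrypts the SecureString parameters, rather than a wildcard resource. The task definition in the block is constructed to mirror the one in the question, and the KMS key ARN is a placeholder you would replace with your own CMK. The resulting policy is what the ECS agent needs when it fetches the secrets at task start, so it belongs on the execution role (the task definition above happens to use the same role for `taskRoleArn` and `executionRoleArn`).

```python
"""Derive a least-privilege ECS execution-role policy from a task definition.

Added example, not from the original post: collect the secret ARNs the task
definition references and build an IAM policy limited to those resources plus
kms:Decrypt on the CMK that encrypts the SecureString parameters.
"""
import json
import re

# Constructed task definition mirroring the one in the question (only the
# fields relevant to secrets are kept). The account id and parameter path
# are the ones from the post, used here purely as sample data.
TASK_DEFINITION = {
    "family": "wordpress-test",
    "executionRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {"name": "wordpress", "secrets": []},
        {
            "name": "mysql",
            "secrets": [
                {
                    "name": "MYSQL_ROOT_PASSWORD",
                    "valueFrom": "arn:aws:ssm:eu-central-1:657433956652:parameter/project/dev/db.connection.default.password",
                }
            ],
        },
    ],
}

# Hypothetical key ARN: the customer-managed CMK used to encrypt the
# SecureString parameters. Replace with the real key in your account.
KMS_KEY_ARN = "arn:aws:kms:eu-central-1:657433956652:key/11111111-2222-3333-4444-555555555555"

SSM_ARN = re.compile(r"^arn:aws:ssm:[a-z0-9-]+:\d{12}:parameter/.+$")
SECRETS_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")


def collect_secret_arns(task_definition):
    """Return the sorted, de-duplicated ARNs referenced by `secrets[].valueFrom`."""
    arns = set()
    for container in task_definition.get("containerDefinitions", []):
        for secret in container.get("secrets") or []:
            arns.add(secret["valueFrom"])
    return sorted(arns)


def build_execution_role_policy(task_definition, kms_key_arn):
    """Build the policy the ECS agent needs to inject the task's secrets.

    Resources are listed individually instead of with wildcards, and each
    statement is only emitted when the task actually references that kind
    of secret. Unknown `valueFrom` formats are rejected rather than ignored.
    """
    ssm_arns, sm_arns = [], []
    for arn in collect_secret_arns(task_definition):
        if SSM_ARN.match(arn):
            ssm_arns.append(arn)
        elif SECRETS_ARN.match(arn):
            sm_arns.append(arn)
        else:
            raise ValueError(f"unsupported secret source: {arn}")

    statements = []
    if ssm_arns:
        statements.append({"Effect": "Allow", "Action": ["ssm:GetParameters"], "Resource": ssm_arns})
    if sm_arns:
        statements.append({"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"], "Resource": sm_arns})
    if ssm_arns or sm_arns:
        # Decrypt is scoped to the single CMK, not to all keys in the account.
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [kms_key_arn]})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_execution_role_policy(TASK_DEFINITION, KMS_KEY_ARN), indent=2))
```

The printed document can be attached to the execution role with `aws iam put-role-policy`. Plain `String` parameters do not need `kms:Decrypt`, but the ARN alone does not reveal the parameter type, so the script grants it whenever any parameter is referenced; drop that statement by hand if none of the parameters are SecureString.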