ECS Fargate service - who needs access to KMS to fetch Secrets?

Question

I am trying to set up an ECS service that will run a single task with MySQL and a webserver. I want to pass some runtime parameters as environment variables from the SSM Parameter Store. Some of them will be plain text, but some will be encrypted with KMS. So suppose I have the following task definition:

{
  "ipcMode": null,
  "executionRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/wordpress-test",
          "awslogs-region": "eu-central-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 80,
          "protocol": "tcp",
          "containerPort": 80
        }
      ],
      "memoryReservation": 512,
      "name": "wordpress"
    },
    {
      "dnsSearchDomains": null,
      "logConfiguration": {
        "logDriver": "awslogs",
        "secretOptions": null,
        "options": {
          "awslogs-group": "/ecs/wordpress-test",
          "awslogs-region": "eu-central-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "secrets": [
        {
          "valueFrom": "arn:aws:ssm:eu-central-1:657433956652:parameter/project/dev/db.connection.default.password",
          "name": "MYSQL_ROOT_PASSWORD"
        }
      ],
      "memoryReservation": 512,
      "name": "mysql"
    }
  ],
  "placementConstraints": [],
  "memory": "1024",
  "taskRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
  "compatibilities": [
    "FARGATE"
  ],
  "taskDefinitionArn": "arn:aws:ecs:eu-central-1:657433956652:task-definition/wordpress-test:1",
  "family": "wordpress-test",
  "networkMode": "awsvpc",
  "cpu": "512"
}

The question is: which role should be granted read access to the SSM Parameter Store and access to the key used to encrypt the SecureString parameters? Should it be the Service, the Cluster, or the Pipeline that actually creates the service dynamically?

Tags: amazon-web-services, amazon-iam, aws-fargate, aws-kms

Answer


ecsTaskExecutionRole should have access to the SSM parameters.

Create an inline policy and attach it to arn:aws:iam::657433956652:role/ecsTaskExecutionRole

From the documentation sample,

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
        "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
        "arn:aws:kms:<region>:<aws_account_id>:key/key_id"
      ]
    }
  ]
}

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html#secrets-iam
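As an added example (not part of the question or answer above), the following Python derives a least-privilege inline policy for the execution role directly from a task definition: it collects exactly the secret ARNs referenced under "secrets" and scopes ssm:GetParameters / secretsmanager:GetSecretValue to those, plus kms:Decrypt on the key you pass in. It also flags when taskRoleArn and executionRoleArn are the same role, since the task role is what the application code runs with and does not need the secret-fetching permissions. The task definition below is a constructed, trimmed copy of the one in the question; the KMS key ARN is an assumed placeholder.

```python
import json

# Constructed sample: the question's task definition reduced to the fields
# relevant to secrets and roles. The KMS key ID is a placeholder, not a real key.
TASK_DEF = {
    "executionRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
    "taskRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {"name": "wordpress"},
        {"name": "mysql", "secrets": [{
            "name": "MYSQL_ROOT_PASSWORD",
            "valueFrom": "arn:aws:ssm:eu-central-1:657433956652:parameter/"
                         "project/dev/db.connection.default.password"}]},
    ],
}
KMS_KEY_ARN = "arn:aws:kms:eu-central-1:657433956652:key/KEY-ID-PLACEHOLDER"


def secret_arns(task_def):
    """Every ARN the ECS agent must resolve at task start (deduplicated, sorted)."""
    return sorted({s["valueFrom"]
                   for c in task_def.get("containerDefinitions", [])
                   for s in c.get("secrets", [])})


def execution_role_policy(task_def, kms_key_arn):
    """Least-privilege inline policy for the *execution* role: only the exact
    parameters/secrets referenced, plus Decrypt on the SecureString key."""
    arns = secret_arns(task_def)
    ssm = [a for a in arns if a.startswith("arn:aws:ssm:")]
    sm = [a for a in arns if a.startswith("arn:aws:secretsmanager:")]
    statements = []
    if ssm:
        statements.append({"Effect": "Allow", "Action": "ssm:GetParameters", "Resource": ssm})
    if sm:
        statements.append({"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": sm})
    if ssm or sm:  # no secrets referenced -> no decrypt permission needed
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": [kms_key_arn]})
    return {"Version": "2012-10-17", "Statement": statements}


def role_findings(task_def):
    """Role-hygiene issues a reviewer would raise on the task definition."""
    findings = []
    if not task_def.get("executionRoleArn"):
        findings.append("no executionRoleArn: the agent cannot fetch secrets")
    if task_def.get("taskRoleArn") == task_def.get("executionRoleArn"):
        findings.append("taskRoleArn equals executionRoleArn: application code "
                        "inherits the secret-fetching permissions")
    return findings


if __name__ == "__main__":
    print(json.dumps(execution_role_policy(TASK_DEF, KMS_KEY_ARN), indent=2))
    print(*role_findings(TASK_DEF), sep="\n")
```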

