Do IAM policy rules attached to an EC2 instance overlap (and override) the policy rules attached to an ECS task running inside that EC2 instance?

Problem description

Below is the role assumed by the EC2 instance:

"AScaleLaunchConfig": {
    "Type": "AWS::AutoScaling::LaunchConfiguration",
    "Properties": {
        …..
        "IamInstanceProfile": { "Ref": "EC2InstProfl" },
        …..
    }
}

"EC2InstProfl": {
    "Type": "AWS::IAM::InstanceProfile",
    "Properties": {
        "Path": "/",
        "Roles": [ { "Ref": "EC2InstRole" } ]
    }
}

"EC2InstRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": { "Service": [ "ec2.amazonaws.com" ] },
                    "Action": [ "sts:AssumeRole" ]
                }
            ]
        },
        "Path": "/",
        "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role" ]
    }
}

Below, SomeTaskRole is assigned to the task (Docker container) running in that EC2 instance:

"EcsTaskDef": {
    "Type": "AWS::ECS::TaskDefinition",
    "Properties": {
        "NetworkMode": "host",
        "TaskRoleArn": "arn:aws:iam::xxxxxxxxx:role/SomeTaskRole",
        "ContainerDefinitions": [
            {
                "Name": "someapp",
                "Image": "someaccout/someimage:test"
            }
        ]
    }
}

where SomeTaskRole is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Description": "Allow access to all EC2/ELB/cloudformation/s3 and aim passrole",
            …..
            "Resource": "*"
        },
        {
            "Description": "Assume iam User role",
            …..
            "Effect": "Allow"
        },
        {
            "Description": "Assume xyz role across all accouts",
            …..
            "Effect": "Allow"
        },
        {
            "Description": "Allow * access to all resource across n regions",
            ….
        },
        {
            "Description": "Deny delete permission on network related resources like Subnets/Route/VPC/VPN/IGW etc…",
            ….
        },
        {
            "Description": "There are many such rules",
            ….
        }
    ]
}

If EC2InstRole is assigned to the EC2 instance, the CloudFormation stack launches successfully.

If SomeTaskRole is assigned to EcsTaskDef and EC2InstRole is assigned to the EC2 instance, the CloudFormation stack launch hangs for hours and then errors out. I have not found the exact error yet. If I remove "TaskRoleArn": "arn:aws:iam::xxxxxxxxx:role/SomeTaskRole", the CloudFormation stack launches successfully.


1) Does the AWS IAM service allow both of the following at the same time?

   - assigning a role to the ECS task
   - assigning a role to the EC2 instance

2) If yes, do the rules given in the EC2 role overlap (and override) the rules given in the ECS task role?

Tags: amazon-web-services, amazon-ec2, amazon-cloudformation, amazon-iam, amazon-ecs

Solution

An ECS task gets only the role/permissions assigned to that task. It does not get any permissions from the host.

When you see CloudFormation "hang" like this, it is most likely because the task never reached a steady state. The easiest way to troubleshoot is to look at the failed tasks in ECS. To do this, open the ECS cluster, select the Tasks tab and show the stopped tasks. Open one and look at the collapsed information at the bottom. There is usually some very useful information there.
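A scripted version of the troubleshooting step above (list the cluster's stopped tasks and read their stop reasons), added here as an example and not part of the original answer. It assumes a boto3-style ECS client; FakeEcs is a constructed offline stand-in, and every ARN and stop reason in it is made up.

```python
from typing import Any, Dict, List

def list_stopped_tasks(ecs: Any, cluster: str) -> List[str]:
    """Collect the ARNs of stopped tasks in a cluster, following pagination tokens."""
    arns: List[str] = []
    kwargs: Dict[str, Any] = {"cluster": cluster, "desiredStatus": "STOPPED"}
    while True:
        page = ecs.list_tasks(**kwargs)
        arns.extend(page.get("taskArns", []))
        if not page.get("nextToken"):
            return arns
        kwargs["nextToken"] = page["nextToken"]

def summarize_stopped_tasks(ecs: Any, cluster: str) -> List[Dict[str, Any]]:
    """One record per stopped task with the fields to read first when a stack hangs."""
    records: List[Dict[str, Any]] = []
    arns = list_stopped_tasks(ecs, cluster)
    for i in range(0, len(arns), 100):  # describe_tasks accepts at most 100 ARNs per call
        for task in ecs.describe_tasks(cluster=cluster, tasks=arns[i:i + 100])["tasks"]:
            records.append({
                "task": task["taskArn"].rsplit("/", 1)[-1],
                "taskDefinition": task.get("taskDefinitionArn", "").rsplit("/", 1)[-1],
                "stoppedReason": task.get("stoppedReason", ""),
                "containers": [{"name": c.get("name"), "exitCode": c.get("exitCode"),
                                "reason": c.get("reason", "")} for c in task.get("containers", [])],
            })
    return records

class FakeEcs:
    """Constructed offline stand-in for boto3.client("ecs"); ARNs and reasons are made up."""
    _arns = ["arn:aws:ecs:us-east-1:111111111111:task/demo/aaa",
             "arn:aws:ecs:us-east-1:111111111111:task/demo/bbb"]

    def list_tasks(self, **kw: Any) -> Dict[str, Any]:
        if "nextToken" not in kw:  # first page carries a token, second does not
            return {"taskArns": self._arns[:1], "nextToken": "page2"}
        return {"taskArns": self._arns[1:]}

    def describe_tasks(self, cluster: str, tasks: List[str]) -> Dict[str, Any]:
        td = "arn:aws:ecs:us-east-1:111111111111:task-definition/EcsTaskDef:3"
        return {"tasks": [
            {"taskArn": tasks[0], "taskDefinitionArn": td, "stoppedReason": "Essential container in task exited",
             "containers": [{"name": "someapp", "exitCode": 1, "reason": "constructed"}]},
            {"taskArn": tasks[1], "taskDefinitionArn": td, "stoppedReason": "Task failed to start",
             "containers": [{"name": "someapp"}]},
        ]}

if __name__ == "__main__":  # against a real cluster, pass boto3.client("ecs") instead
    for rec in summarize_stopped_tasks(FakeEcs(), "demo"):
        print(rec["task"], rec["taskDefinition"], rec["stoppedReason"], rec["containers"])
```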

