[Posted]: 2020-08-29 02:45:41
[Question]:
I have a job that, after being submitted to the Batch service, goes from RUNNABLE to FAILED with the following job status error message (from the AWS console):
ECS was unable to assume the role 'arn:aws:iam::347134692569:role/my-custom-role' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.
The role mentioned above is managed by Terraform with two policy attachments (AWSBatchServiceRole and AmazonEC2ContainerServiceforEC2Role), as shown below:
resource "aws_iam_role" "batch" {
  name               = "my-custom-role"
  # trust policy: only the batch, ec2 and ecs service principals may assume this role
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "batch.amazonaws.com"
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      }
    }
  ]
}
EOF
  tags = {
    Terraform = "true"
  }
}

# attach a policy to the role that allows using AWS Batch service
resource "aws_iam_role_policy_attachment" "batch_service_role" {
  # reference the managed resource above (no data source named "batch" is declared)
  role       = aws_iam_role.batch.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole"
}

# attach a policy to the role that allows using AWS Elastic Container service
resource "aws_iam_role_policy_attachment" "elastic_container_service_role" {
  role       = aws_iam_role.batch.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
}
The role above serves both as the service role of the compute environment and as the job role of the job definition.
The above does not seem to provide sufficient permissions to allow the role to be assumed and/or the necessary trust relationship. What else can I try to get past this error?
[Discussion]:
- The error seems to be related to the IAM user or role you use to create the batch job lacking the iam:PassRole permission. You can add the missing PassRole permission to yourself or to the role you use, then check again.
- Another possibility is that ecs-tasks.amazonaws.com needs to be granted permission in the trust policy to assume the role.
- Thanks for your help, @Marcin. Adding the assume-role permission for ecs-tasks did it. I'm curious, how would I have figured this out myself? I haven't seen anything about this in any examples/tutorials/docs.
- Glad to hear it. If you don't mind, I'll add an answer for future reference.
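One way to lay out these roles so that each one trusts only the service that actually assumes it, and so that the submitting principal is allowed to pass only the job role, as an added Terraform example that is not code from the question or the comments. The role, profile and bucket names are assumptions; `my-custom-role` and the two managed policy ARNs come from the question, and `ecs-tasks.amazonaws.com` is the principal the comments identify as missing:

```hcl
# Added example (not the asker's configuration): one role per principal.

# 1. Compute-environment service role: assumed by the Batch service itself.
data "aws_iam_policy_document" "batch_service_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["batch.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "batch_service" {
  name               = "my-batch-service-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.batch_service_trust.json
}

resource "aws_iam_role_policy_attachment" "batch_service" {
  role       = aws_iam_role.batch_service.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole"
}

# 2. Instance role: assumed by the EC2 instances in the compute environment.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "batch_instance" {
  name               = "my-batch-instance-role" # assumed name
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

resource "aws_iam_role_policy_attachment" "batch_instance" {
  role       = aws_iam_role.batch_instance.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
}

resource "aws_iam_instance_profile" "batch_instance" {
  name = "my-batch-instance-profile" # assumed name
  role = aws_iam_role.batch_instance.name
}

# 3. Job role: the role named in the job definition. ECS assumes it on behalf
#    of the container, so the trusted principal is ecs-tasks.amazonaws.com,
#    the entry missing from the question's trust policy.
data "aws_iam_policy_document" "job_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "batch_job" {
  name               = "my-custom-role" # job role name from the question
  assume_role_policy = data.aws_iam_policy_document.job_trust.json
}

# Grant the job only what its container needs (placeholder bucket).
data "aws_iam_policy_document" "job_permissions" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::EXAMPLE-BUCKET/*"] # placeholder
  }
}

resource "aws_iam_role_policy" "batch_job" {
  name   = "my-custom-role-permissions" # assumed name
  role   = aws_iam_role.batch_job.id
  policy = data.aws_iam_policy_document.job_permissions.json
}

# 4. Whoever registers the job definition must be allowed to pass the job
#    role (the other cause named in the comments). Scope it to that one ARN
#    rather than "*"; attach this policy to the submitting user or role.
data "aws_iam_policy_document" "pass_job_role" {
  statement {
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.batch_job.arn]
  }
}

resource "aws_iam_policy" "pass_job_role" {
  name   = "pass-batch-job-role" # assumed name
  policy = data.aws_iam_policy_document.pass_job_role.json
}
```

Splitting the roles this way avoids one role that trusts four service principals and carries two broad managed policies; the job role ends up with only the trust relationship ECS needs and only the permissions the container uses. If the PassRole grant should be tightened further with an `iam:PassedToService` condition, confirm against the AWS documentation which service principal Batch presents when it validates the job role, since that value is not stated on this page.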
Tags: amazon-web-services terraform terraform-provider-aws aws-batch