[Posted]: 2021-06-10 15:44:03
[Problem description]:
I have a Docker container running in AWS Fargate. It needs access to Parameter Store to fetch some parameters. When I run it, it fails on the following code:
import boto3
from botocore.exceptions import ClientError

# One client per process; the region must match the parameters' ARNs.
ssm = boto3.client('ssm', region_name='us-east-1')


def get_ssm_parameter(name: str, with_decryption=False) -> str:
    # Calls the singular ssm:GetParameter API action for one named parameter.
    try:
        response = ssm.get_parameter(
            Name=name,
            WithDecryption=with_decryption)
        parameter = response['Parameter']['Value']
    except ClientError as error:
        # Surface the AWS error code (e.g. AccessDeniedException) before re-raising.
        print(error.response['Error']['Code'])
        raise
    return parameter
I have an IAM role for the ECS task, and it has the following policies:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
                "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME"
            ]
        }
    ]
}
I believe boto3 cannot find the AWS credentials, which is why it raises the error. I also tried attaching the AmazonSSMFullAccess policy to the ECS role, but it still gives the same error. I can't understand why. I don't want to hardcode credentials in the code and am looking for a way to use an IAM role to grant access to Parameter Store.
Update:
I added secrets to the task definition like this:
"secrets": [
    {
        "valueFrom": "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME",
        "name": "MONGODB_USERNAME"
    },
    {
        "valueFrom": "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
        "name": "MONGODB_PWD"
    }
]
I also added the following policy to my ECS role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
                "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME"
            ]
        }
    ]
}
Now I get a different error:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::633157335118:assumed-role/ecsTaskExecutionRole/9620073221dc4c118ee500f2834898ce is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME
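Added example, not part of the original question: the AccessDeniedException above names the action ssm:GetParameter, while both policies in the question grant only ssm:GetParameters. IAM treats these as two separate actions, and boto3's get_parameter() call maps to the singular one. The error also shows the caller is the execution role (ecsTaskExecutionRole), so whatever policy is meant for the application code has to sit on the role the task definition uses as its task role. The script below builds a least-privilege task-role policy that covers both actions (and kms:Decrypt for SecureString parameters under a customer-managed key), then evaluates the posted policy and the corrected one with a small IAM-style matcher (implicit deny, explicit Deny overrides Allow, `*`/`?` wildcards, case-insensitive action names). The account, region and parameter names are copied from the question; the KMS key ARN and the OTHER parameter are placeholders.

```python
import re
from typing import Any, Dict, List, Optional, Sequence

# Values copied from the question's ARNs.
ACCOUNT = "633157335118"
REGION = "us-east-1"
PARAMETER_NAMES = ["MONGODB_PWD", "MONGODB_USERNAME"]
PARAMETER_ARNS = [f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{n}" for n in PARAMETER_NAMES]

# The policy as posted: only the plural ssm:GetParameters is granted.
POSTED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameters"],
        "Resource": PARAMETER_ARNS,
    }],
}


def build_task_role_policy(parameter_arns: Sequence[str],
                           kms_key_arn: Optional[str] = None) -> Dict[str, Any]:
    """Least-privilege policy for the ECS task role (the role the container's
    own boto3 calls run as), as opposed to the execution role that pulls the
    image and injects task-definition 'secrets'.

    Grants the singular ssm:GetParameter that get_parameter() calls, plus
    ssm:GetParameters for batch lookups, scoped to the named parameters only.
    kms:Decrypt is needed only for SecureString parameters encrypted under a
    customer-managed key; the key ARN passed in is a placeholder here."""
    statements: List[Dict[str, Any]] = [{
        "Sid": "ReadNamedParameters",
        "Effect": "Allow",
        "Action": ["ssm:GetParameter", "ssm:GetParameters"],
        "Resource": list(parameter_arns),
    }]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptSecureStrings",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": [kms_key_arn],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _wildcard_regex(pattern: str) -> str:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def _matches(patterns: Any, value: str, ignore_case: bool) -> bool:
    # "Action" / "Resource" may be a single string or a list of strings.
    if isinstance(patterns, str):
        patterns = [patterns]
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.fullmatch(_wildcard_regex(p), value, flags) for p in patterns)


def is_allowed(policy: Dict[str, Any], action: str, resource: str) -> bool:
    """Minimal evaluation of an identity-based policy: implicit deny, any
    matching Allow permits, any matching explicit Deny wins. Action names are
    case-insensitive, resource ARNs are not. Conditions, NotAction/NotResource,
    resource policies and SCPs are out of scope for this illustration."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, ignore_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    import json
    target = PARAMETER_ARNS[1]  # the ARN named in the AccessDeniedException
    print("posted, ssm:GetParameter :", is_allowed(POSTED_POLICY, "ssm:GetParameter", target))
    print("posted, ssm:GetParameters:", is_allowed(POSTED_POLICY, "ssm:GetParameters", target))
    fixed = build_task_role_policy(
        PARAMETER_ARNS, f"arn:aws:kms:{REGION}:{ACCOUNT}:key/placeholder-key-id")
    print("fixed,  ssm:GetParameter :", is_allowed(fixed, "ssm:GetParameter", target))
    print(json.dumps(fixed, indent=2))
```

Running the script shows the posted policy denying ssm:GetParameter on the exact ARN from the error while allowing ssm:GetParameters, and the generated policy allowing both; attach the generated document to the task role and keep the execution role's ssm:GetParameters grant for the `secrets` injection, which is the action the ECS agent uses.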
[Discussion]: