我正在尝试将敏感数据传递给在 ECS 服务中运行的容器。我一直在关注 AWS 文档以了解如何执行此操作(链接)。我做了以下事情:
my-param在 SSM 参数存储中定义- 创建一个TaskRole(见下文)
- 在任务的 ExecutionRole 中使用 TaskRole
- 将环境变量添加到容器实例
这是任务定义:
Description: >
An IAM Role that gives tasks access to SSM Parameter store.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html
Resources:
TaskRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub ecs-task-role-${AWS::StackName}
Path: /
AssumeRolePolicyDocument: |
{
"Statement": [{
"Effect": "Allow",
"Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
"Action": [ "sts:AssumeRole" ]
}]
}
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
Policies:
- PolicyName: !Sub ecs-task-role-${AWS::StackName}
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters"
],
"Resource": [
"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/my-param"
]
}
]
}
Outputs:
TaskRole:
Description: An IAM Role that gives tasks read access to SSM Parameter store parameters.
Value: !Ref TaskRole
这是我使用此角色的任务定义:
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
Family: backend
ExecutionRoleArn: !Ref TaskRole <--- TaskRole is passed in as a parameter
ContainerDefinitions:
- Name: backend
Essential: true
Image: !Ref ImageUrl
MemoryReservation: 128
Command:
- '/start_prod.sh'
Secrets: <-- here is where I'm trying to access the parameter
- Name: MY_PARAM
ValueFrom: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/my-param"
Environment:
- Name: GIT_SHA
Value: !Ref GitSHA
在我CloudFormation::Init的 LaunchConfiguration 元数据中,我添加了以下内容:
03_enable_awslogs_executionrole_override:
command: echo ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE=true >> /etc/ecs/ecs.config
当我更新堆栈时,它似乎挂起,然后最终回滚并failed to stabilize在服务上出现错误,其中我有一个任务正在尝试使用我定义的 TaskRole。
该项目的源代码在这里:https ://gitlab.com/verbose-equals-true/django-postgres-vue-gitlab-ecs