I created the following CloudFormation template files to create an ECS cluster, a task definition and a service, but I get an error. What is wrong with these settings?
- When creating the ECS service with the template below, I get:
Please verify that the ECS service role being passed has the proper permissions
- When I create the template without the property
Role: !ImportValue "IAMRoleECSService"
no error occurs, but the stack never moves past CREATE_IN_PROGRESS to complete.
ECSApplicationService:
  Type: "AWS::ECS::Service"
  DependsOn:
    - "ECSApplicationCluster"
    - "ECSApplicationTaskDefinition"
  Properties:
    Cluster: !Ref "ECSApplicationCluster"
    DeploymentConfiguration:
      MaximumPercent: 100
      MinimumHealthyPercent: 50
    DesiredCount: 4
    LoadBalancers:
      - ContainerName: !Ref "ContainerAppName"
        ContainerPort: 80
        TargetGroupArn: !ImportValue "ALBTargetGroup"
    Role: !ImportValue "IAMRoleECSService"
    ServiceName: "ecs-application-service"
    TaskDefinition: !Ref "ECSApplicationTaskDefinition"

IAMRoleECSService:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: "ecs-service"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service:
              - "ecs.amazonaws.com"
          Action:
            - "sts:AssumeRole"
    Policies:
      - PolicyName: "ec2-management"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "ec2:AuthorizeSecurityGroupIngress"
                - "ec2:Describe*"
              Resource: "*"
      - PolicyName: "alb-management"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
                - "elasticloadbalancing:DeregisterTargets"
                - "elasticloadbalancing:DescribeTargetGroups"
                - "elasticloadbalancing:DescribeTargetHealth"
                - "elasticloadbalancing:Describe*"
                - "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
                - "elasticloadbalancing:RegisterTargets"
              Resource: "*"
What should I do?
Best answer
Update: as of 19 July 2018, IAM service-linked roles can now be created with CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html
EcsServiceLinkedRole:
  Type: "AWS::IAM::ServiceLinkedRole"
  Properties:
    AWSServiceName: "ecs.amazonaws.com"
    Description: "Role to enable Amazon ECS to manage your cluster."
Old answer: ECS now relies on service-linked roles rather than normal roles. Make sure you have created it for the account with:
aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
Then remove the Role parameter from IAMRoleECSService, since it is no longer needed.
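Putting the accepted answer together into one deployable template, as an added example that is not part of the original question or answer: the service-linked role is declared as a resource, the ECS service omits the Role property entirely, and it depends on the service-linked role so the role exists before ECS tries to register targets with the target group. The cluster name, task definition, container name, image and the ALBTargetGroup export are assumed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original post): ECS service behind an ALB using
  the ECS service-linked role instead of a hand-written AWS::IAM::Role.

Parameters:
  ContainerAppName:
    Type: String
    Default: "web"   # assumed container name, must match the task definition

Resources:
  # The service-linked role (AWSServiceRoleForECS) is picked up automatically
  # by ECS when the service omits Role. Only one can exist per account: if it
  # was already created, e.g. with "aws iam create-service-linked-role",
  # delete this resource and the DependsOn below rather than redeclaring it,
  # otherwise stack creation fails because the role name is already taken.
  EcsServiceLinkedRole:
    Type: "AWS::IAM::ServiceLinkedRole"
    Properties:
      AWSServiceName: "ecs.amazonaws.com"
      Description: "Role to enable Amazon ECS to manage your cluster."

  ECSApplicationCluster:
    Type: "AWS::ECS::Cluster"
    Properties:
      ClusterName: "ecs-application-cluster"   # assumed name

  ECSApplicationTaskDefinition:
    Type: "AWS::ECS::TaskDefinition"
    Properties:
      Family: "ecs-application"                # assumed family name
      ContainerDefinitions:
        - Name: !Ref ContainerAppName
          Image: "nginx:1.25"                  # assumed placeholder image
          Memory: 256
          PortMappings:
            - ContainerPort: 80

  ECSApplicationService:
    Type: "AWS::ECS::Service"
    # Wait for the service-linked role so ECS can register targets with the ALB
    # on first deployment instead of hanging in CREATE_IN_PROGRESS.
    DependsOn:
      - EcsServiceLinkedRole
    Properties:
      Cluster: !Ref ECSApplicationCluster
      ServiceName: "ecs-application-service"
      TaskDefinition: !Ref ECSApplicationTaskDefinition
      DesiredCount: 4
      DeploymentConfiguration:
        MaximumPercent: 100
        MinimumHealthyPercent: 50
      LoadBalancers:
        - ContainerName: !Ref ContainerAppName
          ContainerPort: 80
          TargetGroupArn: !ImportValue "ALBTargetGroup"   # export assumed to exist
      # No Role property here: ECS assumes AWSServiceRoleForECS itself, so the
      # custom "ecs-service" role with its wildcard ec2:* / elasticloadbalancing:*
      # policies from the question can be removed from the account.
```

Beyond fixing the error, this removes a principal from the account whose trust policy was ecs.amazonaws.com and whose inline policies granted `Resource: "*"` on EC2 security-group and load-balancer actions; the service-linked role carries an AWS-managed policy scoped to what ECS needs, and its permissions cannot be widened by editing the role.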
On amazon-web-services - Unable to create ECS service via CloudFormation, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/47635331/