我正在尝试在 Cloudformation 中创建批量设置。我在资源中有一个 IAM 角色:
SecretsAndS3AccessRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: batch.amazonaws.com
Action: 'sts:AssumeRole'
- Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: 'sts:AssumeRole'
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'
- 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
- 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
然后在我的 JobDefinition 中我有:
JobDefinition:
Type: 'AWS::Batch::JobDefinition'
Properties:
Type: container
ContainerProperties:
Image: public.ecr.aws/l0v4l2q2/rapidtide-cloud
Vcpus: 2
Memory: 2000
Command:
- /simple-test
Privileged: true
JobRoleArn: !Ref SecretsAndS3AccessRole
ExecutionRoleArn: !Ref SecretsAndS3AccessRole
Secrets:
- Name: MY_SECRET
ValueFrom: arn:aws:secretsmanager:us-east-1:123456789:secret:MYSECRET-zSQVSQ
RetryStrategy:
Attempts: 1
当我尝试构建堆栈时,我得到:
An error occurred (ClientException) when calling the RegisterJobDefinition operation: Error executing request, Exception : executionRoleArn bothrefs-SecretsAndS3AccessRole-1INAOWFBH2SK2 is not an iam role arn
如果我删除 ExecutionRoleArn 行和 Secrets,堆栈构建得很好,也就是说 JobRoleArn 对 !Ref SecretsAndS3AccessRole 的值感到满意。 (但我需要 secret ,并且要使用 secret ,您需要执行角色。)如果我在那里对 ARN 进行硬编码,它就可以正常工作。
ExecutionRoleArn 有何不同之处,它不允许 !Ref?根据 the documentation for JobDefinition/ContainerProperties , JobRoleArn 和 ExecutionRoleArn 似乎是同一类型的对象。
最佳答案
!Ref 返回资源的逻辑 ID,而不是 ARN。
You need to use !GetAtt.
这应该有效:
ExecutionRoleArn: !GetAtt SecretsAndS3AccessRole.Arn
关于amazon-web-services - 无法使用 !Ref 在 Cloudformation 中创建 AWS Batch JobDefinition JobRoleArn,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/73871699/