我正在开发一个 CDK 堆栈,用于配置需要访问 S3 和 DynamoDB 的 AWS Batch Fargate 作业。我授予了对 executionRole
的访问权限。但是当我运行 Job 时,它无法访问 s3,并显示以下错误消息:
Unable to get IAM security credentials from EC2 Instance Metadata Service
这是代码:
import { ComputeEnvironment, ComputeResourceType, JobDefinition, JobQueue, PlatformCapabilities } from "@aws-cdk/aws-batch-alpha";
import { Duration, Stack, StackProps } from "aws-cdk-lib";
import { ITable } from "aws-cdk-lib/aws-dynamodb";
import { IVpc } from "aws-cdk-lib/aws-ec2";
import { ContainerImage } from "aws-cdk-lib/aws-ecs";
import { ManagedPolicy, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
import { IBucket } from "aws-cdk-lib/aws-s3";
import { Construct } from "constructs";
import { stage } from "..";
export interface CapsJobStackProps extends StackProps {
mainBucket: IBucket;
capsTable: ITable;
vpc: IVpc
}
export class CapsJobStack extends Stack {
constructor(scope: Construct, id: string, private props: CapsJobStackProps) {
super(scope, id, props);
const computeEnvironment = new ComputeEnvironment(this, 'CapsComputeEnvironment', {
computeResources: {
type: ComputeResourceType.FARGATE,
vpc: props.vpc,
maxvCpus: 2
},
});
const jobQueue = new JobQueue(this, 'CapsJobQueue', {
computeEnvironments: [{computeEnvironment, order: 1}]
});
const jobRole = new Role(this, 'CapsJobRole', {
assumedBy: new ServicePrincipal("ecs-tasks.amazonaws.com"),
inlinePolicies: {
EcsTask: new PolicyDocument({
statements: [
new PolicyStatement({
actions: ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "logs:CreateLogStream", "logs:PutLogEvents" ],
resources: ["*"]
})
]
})
}
});
props.capsTable.grantReadWriteData(jobRole);
props.mainBucket.grantReadWrite(jobRole);
const jobDefinition = new JobDefinition(this, 'CapsJob', {
container: {
image: ContainerImage.fromAsset('../src/Caps.Uploader', {
file: 'DockerfileCdk'
}),
environment: {
"OD_ENVIRONMENT": stage,
"OD_BUCKET": props.mainBucket.bucketName,
"OD_CAPSTABLE": props.capsTable.tableName
},
executionRole: jobRole,
vcpus: 0.25,
memoryLimitMiB: 512
},
timeout: Duration.days(1),
retryAttempts: 3,
platformCapabilities: [PlatformCapabilities.FARGATE]
});
}
}
我缺少什么?如何向作业授予 s3 和 DynamoDB 访问权限?
最佳答案
关于typescript - 如何向 Fargate JobDefinition 授予对 s3 和 DynamoDB 的访问权限?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/73264047/