typescript - 如何向 Fargate JobDefinition 授予对 s3 和 DynamoDB 的访问权限？

我正在开发一个 CDK 堆栈，用于配置需要访问 S3 和 DynamoDB 的 AWS Batch Fargate 作业。我授予了对 executionRole 的访问权限。但是当我运行 Job 时，它无法访问 s3，并显示以下错误消息:

Unable to get IAM security credentials from EC2 Instance Metadata Service

这是代码:

import { ComputeEnvironment, ComputeResourceType, JobDefinition, JobQueue, PlatformCapabilities } from "@aws-cdk/aws-batch-alpha";
import { Duration, Stack, StackProps } from "aws-cdk-lib";
import { ITable } from "aws-cdk-lib/aws-dynamodb";
import { IVpc } from "aws-cdk-lib/aws-ec2";
import { ContainerImage } from "aws-cdk-lib/aws-ecs";
import { ManagedPolicy, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
import { IBucket } from "aws-cdk-lib/aws-s3";
import { Construct } from "constructs";
import { stage } from "..";

export interface CapsJobStackProps extends StackProps {
    mainBucket: IBucket;
    capsTable: ITable;
    vpc: IVpc
}

export class CapsJobStack extends Stack {
    constructor(scope: Construct, id: string, private props: CapsJobStackProps) {
      super(scope, id, props);

      const computeEnvironment = new ComputeEnvironment(this, 'CapsComputeEnvironment', {
        computeResources: {
          type: ComputeResourceType.FARGATE,
          vpc: props.vpc,
          maxvCpus: 2
        },
      });

      const jobQueue = new JobQueue(this, 'CapsJobQueue', {
        computeEnvironments: [{computeEnvironment, order: 1}]
      });

      const jobRole = new Role(this, 'CapsJobRole', {
        assumedBy: new ServicePrincipal("ecs-tasks.amazonaws.com"),
        inlinePolicies: {
          EcsTask: new PolicyDocument({
            statements: [
              new PolicyStatement({
                actions: ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "logs:CreateLogStream", "logs:PutLogEvents" ],
                resources: ["*"]
              })
            ]
          })
        }
      });
      props.capsTable.grantReadWriteData(jobRole);
      props.mainBucket.grantReadWrite(jobRole);

      const jobDefinition = new JobDefinition(this, 'CapsJob', {
        container: {
          image: ContainerImage.fromAsset('../src/Caps.Uploader', {
            file: 'DockerfileCdk'
          }),
          environment: {
            "OD_ENVIRONMENT": stage,
            "OD_BUCKET": props.mainBucket.bucketName,
            "OD_CAPSTABLE": props.capsTable.tableName
          },
          executionRole: jobRole,
          vcpus: 0.25,
          memoryLimitMiB: 512
        },
        timeout: Duration.days(1),
        retryAttempts: 3,
        platformCapabilities: [PlatformCapabilities.FARGATE]
      });
    }
}

我缺少什么？如何向作业授予 s3 和 DynamoDB 访问权限？

最佳答案

executionRole 用于 ECS 服务本身能够执行的操作，例如访问 ECR。您必须使用task role 。在 CDK 中，这是 jobRole .

关于typescript - 如何向 Fargate JobDefinition 授予对 s3 和 DynamoDB 的访问权限？，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/73264047/

typescript - 如何向 Fargate JobDefinition 授予对 s3 和 DynamoDB 的访问权限？

上一篇：vim - 将条件 vimscript 映射转换为 lua (neovim) (在 lua 中提交 <CR>)

下一篇：tailwind-css - 如何在表格内制作自动包装？