AWS Fargate task: AWSSecurityTokenService access denied
I am trying to run Prometheus's CloudWatch Exporter as a Fargate task. I am building a custom image based on the prom/cloudwatch-exporter image with the configuration file baked in.
When the container comes up, I see the following error in the logs:
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Access Denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: REQUEST-ID)
The call that produces the error looks like this:
at com.amazonaws.services.cloudwatch.AmazonCloudWatchClient.listMetrics(AmazonCloudWatchClient.java:684)
Both the task execution role and the task role have the following policy attached:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "*"
    }
  ]
}
Here is the container definition:
{
  "dnsSearchDomains": null,
  "logConfiguration": {
    "logDriver": "awslogs",
    "options": {
      "awslogs-group": "LOG-GROUP",
      "awslogs-region": "REGION",
      "awslogs-stream-prefix": "LOG-PREFIX"
    }
  },
  "entryPoint": null,
  "portMappings": [
    {
      "hostPort": 9106,
      "protocol": "tcp",
      "containerPort": 9106
    }
  ],
  "command": null,
  "linuxParameters": null,
  "cpu": 0,
  "environment": [],
  "resourceRequirements": null,
  "ulimits": null,
  "dnsServers": null,
  "mountPoints": [],
  "workingDirectory": null,
  "secrets": null,
  "dockerSecurityOptions": null,
  "memory": null,
  "memoryReservation": null,
  "volumesFrom": [],
  "image": "ACCOUNTID.dkr.ecr.REGION.amazonaws.com/mycustomimage:latest",
  "disableNetworking": null,
  "interactive": null,
  "healthCheck": null,
  "essential": true,
  "links": null,
  "hostname": null,
  "extraHosts": null,
  "pseudoTerminal": null,
  "user": null,
  "readonlyRootFilesystem": null,
  "dockerLabels": null,
  "systemControls": null,
  "privileged": null,
  "name": "container-name"
}
Why is the container not authenticating based on the IAM policy? All the other policies in the setup seem to be working as expected: the cluster can pull the custom image from the ECR repo, logs are being written, and so on.

I found the answer. The CloudWatch Exporter lets you pass an IAM role ARN through the configuration property role_arn. If this value is set, the application uses STSAssumeRoleSessionCredentialsProvider to establish credentials. Fargate apparently does not support this (the approach works for EC2-based ECS containers). If you leave role_arn out, the application creates a new client with default settings, which uses the DefaultAWSCredentialsProviderChain class, and that works like a charm.

DefaultAWSCredentialsProviderChain only works when the resource is in the same account. How can cross-account access be supported in Fargate using IAM roles?