Amazon web services Fargate任务AWSSecurityTokenService访问被拒绝
我正试图让普罗米修斯的CloudWatch Exporter作为Fargate任务运行。我正在使用基于Amazon web services Fargate任务AWSSecurityTokenService访问被拒绝,amazon-web-services,amazon-iam,prometheus,aws-fargate,Amazon Web Services,Amazon Iam,Prometheus,Aws Fargate,我正试图让普罗米修斯的CloudWatch Exporter作为Fargate任务运行。我正在使用基于prom/cloudwatch exporter映像烘焙的配置文件构建一个自定义映像 当容器出现时,我在日志中看到以下错误: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException:拒绝访问(服务:AWSSecurityTokenService;状态代码:403;错误代码:拒绝访问;请求ID:请求ID
prom/cloudwatch exporter{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"
],
"Resource": "*"
}
]
}
{
"dnsSearchDomains": null,
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "LOG-GROUP",
"awslogs-region": "REGION",
"awslogs-stream-prefix": "LOG-PREFIX"
}
},
"entryPoint": null,
"portMappings": [
{
"hostPort": 9106,
"protocol": "tcp",
"containerPort": 9106
}
],
"command": null,
"linuxParameters": null,
"cpu": 0,
"environment": [],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": null,
"volumesFrom": [],
"image": "ACCOUNTID.dkr.ecr.REGION.amazonaws.com/mycustomimage:latest",
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "container-name"
}
为什么容器没有基于IAM策略进行身份验证?安装程序中的所有其他策略似乎都按预期工作。集群可以从ECR repo中提取自定义映像,正在写入日志,等等。我找到了答案。CloudWatch Exporter允许您通过配置属性
角色\u arnSTSAssumeRoleSessionCredentialsProviderrole\u arnDefaultAWSCredentialsProviderChain