Fatal编程技术网
  • amazon-web-services/
  • Amazon web services AWS ECS:通过Cloudformation创建ECS服务时发生IAM相关错误

Amazon web services AWS ECS:通过Cloudformation创建ECS服务时发生IAM相关错误

amazon-web-services amazon-cloudformation

Amazon web services AWS ECS:通过Cloudformation创建ECS服务时发生IAM相关错误,amazon-web-services,amazon-cloudformation,amazon-ecs,Amazon Web Services,Amazon Cloudformation,Amazon Ecs,我正在尝试通过以下清单创建ECS服务: --- AWSTemplateFormatVersion: 2010-09-09 Description: 'CloudFormation template for ui service definition' Resources: UIService: Type: AWS::ECS::Service Properties: Cluster: !ImportValue MyCSClusterName Desir

我正在尝试通过以下清单创建ECS服务:

---
AWSTemplateFormatVersion: 2010-09-09
Description: 'CloudFormation template for ui service definition'
Resources:

  UIService:
    Type: AWS::ECS::Service
    Properties:
      Cluster: !ImportValue MyCSClusterName
      DesiredCount: 1
      LaunchType: EC2
      LoadBalancers:
        - ContainerName: !ImportValue UIContainerName
          ContainerPort: '80'
          TargetGroupArn: !ImportValue UITGArn
      Role: !Ref UIServiceRole
      ServiceName: ui-service
      ServiceRegistries:
       - RegistryArn: arn:aws:servicediscovery:eu-west-1:4309430903:service/srv-oh45959hj55yesez7
      TaskDefinition: !ImportValue UITaskArn


  UIServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service: [ecs.amazonaws.com]
          Action: ['sts:AssumeRole']
      Path: /
      Policies:
      - PolicyName: ecs-service
        PolicyDocument:
          Statement:
          - Effect: Allow
            Action: ['elasticloadbalancing:DeregisterInstancesFromLoadBalancer', 'elasticloadbalancing:DeregisterTargets',
              'elasticloadbalancing:Describe*', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer',
              'elasticloadbalancing:RegisterTargets', 'ec2:Describe*', 'ec2:AuthorizeSecurityGroupIngress']
            Resource: '*'
通过amazon控制台创建失败,出现以下错误,我不知道是怎么回事

不能为需要服务链接角色的服务指定IAM角色

根据,有些人通过从清单中删除IAM角色来解决此错误(
角色:!Ref-UIServiceRole
)。也许值得一试?

在大多数情况下,当您创建需要执行某些ECS活动的集群或角色时,ECS服务将使IAM角色AWSServiceRoleForECS。云形成有时会在时间上出现问题;有两种方法可以解决这个问题

(1) 在您的云信息中,确保ECSCluster具有访问ecs服务的IAM角色的依赖项;在您的示例中,
DependsOn:UIServiceRole

另一种看起来更“恰当”的方法 (2) 在您的cloudformation中添加一个新资源作为

注意:服务链接角色是否已存在于帐户中,并且您定义了结构,您必须确保描述匹配(Cloudformation不支持更改描述)

有关是,但根据本讨论,如果我的服务需要访问(由)ALB,则需要角色 
  ECSServiceLinkedRole:
    Type: 'AWS::IAM::ServiceLinkedRole'
    Properties:
      AWSServiceName: ecs.amazonaws.com
      Description: ECS Service Linked Role