Amazon web services AWS ECS:通过Cloudformation创建ECS服务时发生IAM相关错误
我正在尝试通过以下清单创建ECS服务:Amazon web services AWS ECS:通过Cloudformation创建ECS服务时发生IAM相关错误,amazon-web-services,amazon-cloudformation,amazon-ecs,Amazon Web Services,Amazon Cloudformation,Amazon Ecs,我正在尝试通过以下清单创建ECS服务: --- AWSTemplateFormatVersion: 2010-09-09 Description: 'CloudFormation template for ui service definition' Resources: UIService: Type: AWS::ECS::Service Properties: Cluster: !ImportValue MyCSClusterName Desir
---
AWSTemplateFormatVersion: 2010-09-09
Description: 'CloudFormation template for ui service definition'
Resources:
UIService:
Type: AWS::ECS::Service
Properties:
Cluster: !ImportValue MyCSClusterName
DesiredCount: 1
LaunchType: EC2
LoadBalancers:
- ContainerName: !ImportValue UIContainerName
ContainerPort: '80'
TargetGroupArn: !ImportValue UITGArn
Role: !Ref UIServiceRole
ServiceName: ui-service
ServiceRegistries:
- RegistryArn: arn:aws:servicediscovery:eu-west-1:4309430903:service/srv-oh45959hj55yesez7
TaskDefinition: !ImportValue UITaskArn
UIServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [ecs.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: ecs-service
PolicyDocument:
Statement:
- Effect: Allow
Action: ['elasticloadbalancing:DeregisterInstancesFromLoadBalancer', 'elasticloadbalancing:DeregisterTargets',
'elasticloadbalancing:Describe*', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer',
'elasticloadbalancing:RegisterTargets', 'ec2:Describe*', 'ec2:AuthorizeSecurityGroupIngress']
Resource: '*'
通过amazon控制台创建失败,出现以下错误,我不知道是怎么回事
不能为需要服务链接角色的服务指定IAM角色
根据,有些人通过从清单中删除IAM角色来解决此错误(
角色:!Ref-UIServiceRole
)。也许值得一试?在大多数情况下,当您创建需要执行某些ECS活动的集群或角色时,ECS服务将使IAM角色AWSServiceRoleForECS。云形成有时会在时间上出现问题;有两种方法可以解决这个问题
(1) 在您的云信息中,确保ECSCluster具有访问ecs服务的IAM角色的依赖项;在您的示例中,DependsOn:UIServiceRole
另一种看起来更“恰当”的方法
(2) 在您的cloudformation中添加一个新资源作为
注意:服务链接角色是否已存在于帐户中,并且您定义了结构,您必须确保描述匹配(Cloudformation不支持更改描述)
与有关是,但根据本讨论,如果我的服务需要访问(由)ALB,则需要角色
ECSServiceLinkedRole:
Type: 'AWS::IAM::ServiceLinkedRole'
Properties:
AWSServiceName: ecs.amazonaws.com
Description: ECS Service Linked Role