Amazon web services ECS任务的任务执行角色-Cloudformation
我正在尝试访问我使用aws控制台创建的IAM角色。这个角色很简单,因为我必须在ecs TaskExecutionRole中给出,这样它才有权从ECR中提取图像。我已经想出了这个代码我在这个代码中遗漏了什么Amazon web services ECS任务的任务执行角色-Cloudformation,amazon-web-services,amazon-cloudformation,amazon-iam,amazon-ecs,Amazon Web Services,Amazon Cloudformation,Amazon Iam,Amazon Ecs,我正在尝试访问我使用aws控制台创建的IAM角色。这个角色很简单,因为我必须在ecs TaskExecutionRole中给出,这样它才有权从ECR中提取图像。我已经想出了这个代码我在这个代码中遗漏了什么 Role: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Stat
Role:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- arn:aws:iam::02004621356:role/ecs-ec2-task
2-如果我想创建一个新的任务执行角色,只允许从ECR中提取映像,我应该做什么更改?信任原则是ecs任务。amazonaws.com
:
Role:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- arn:aws:iam::02004621356:role/ecs-ec2-task
Policies:
- PolicyName: AccessECR
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- ecr:BatchGetImage
- ecr:GetAuthorizationToken
- ecr:GetDownloadUrlForLayer
Resource: '*'
信任原则是ecs任务。amazonaws.com:
Role:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- arn:aws:iam::02004621356:role/ecs-ec2-task
Policies:
- PolicyName: AccessECR
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- ecr:BatchGetImage
- ecr:GetAuthorizationToken
- ecr:GetDownloadUrlForLayer
Resource: '*'
谢谢Marcin,问题的第二部分呢?请help@Shifa安瑟更新了。但更简单的方法是只使用AWS管理的策略:
arn:AWS:iam::AWS:policy/service role/AmazonECSTaskExecutionRolePolicy
。您在评论中提到的arn已经构建,您正在使用它,对吗?@Shifa Yes。它由AWS提供。您可以访问IAM控制台、策略并按名称搜索。并检查它包含的内容。@Shifa没问题。让我知道它将如何进行,如果需要对角色进行一些调整。谢谢Marcin,问题的第二部分呢?请help@Shifa安瑟更新了。但更简单的方法是只使用AWS管理的策略:arn:AWS:iam::AWS:policy/service role/AmazonECSTaskExecutionRolePolicy
。您在评论中提到的arn已经构建,您正在使用它,对吗?@Shifa Yes。它由AWS提供。您可以访问IAM控制台、策略并按名称搜索。并检查它包含的内容。@Shifa没问题。让我知道它将如何进行,如果需要一些调整的作用。