我有一个资源定义
APITaskDefinition:
Type: 'AWS::ECS::TaskDefinition'
Properties:
...
ExecutionRoleArn:
<RoleADefinition here>
...
TaskRoleArn:
<RoleBDefinition here>
...
这将是非常好的,因为这些角色只会由该资源APITaskDefinition使用,并且被认为是为每个需要一个的资源使用特定角色的最佳实践
我不相信我们可以用CloudFormation做到这一点。
标准做法是将所有资源定义在一个模板中,并引用它
EcsTaskExecutionRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: ecs-taskExecution
PolicyDocument:
Statement:
- Effect: Allow
Action:
- 'ecr:GetAuthorizationToken'
- 'ecr:BatchCheckLayerAvailability'
- 'ecr:GetDownloadUrlForLayer'
- 'ecr:BatchGetImage'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
和!GetAtt EcsTaskExecutionRole.Ann
ContainerTaskdefinition:
Type: 'AWS::ECS::TaskDefinition'
Properties:
Family: !Ref 'AWS::StackName'
ExecutionRoleArn: !GetAtt EcsTaskExecutionRole.Arn <-- refer to task Arn
TaskRoleArn: !GetAtt EcsTaskExecutionRole.Arn <-- refer to task Arn
Cpu: '256'
Memory: 1GB
NetworkMode: awsvpc
RequiresCompatibilities:
- EC2
- FARGATE
ContainerDefinitions:
- Name: !Ref 'AWS::StackName'
Cpu: 10
Essential: 'true'
Image: !Ref Image
Memory: '1024'
然而,使用AWS CDK,我们可以使用更高级别的构造,在大多数情况下,该构造会创建具有默认权限的角色,并且可以轻松添加所需的额外权限,当编译时会创建上述云信息。这里是ECS构造