我有带fargate的ECS服务,它有两个容器
我有IAM角色arn:aws:IAM::468589876897:角色/app/我的测试应用程序,这个角色被添加到我的ecs task_role和execution_role
此外,我有一个路径为/myapp/secret/key_1-zbv0eq的秘密,它具有类似下面的权限
"Effect":"Deny",
"action" : "secretsmanager:getsecretvalue", "resource" : "*", "condition" : { "arnnotlike" : { "aws:principalarn" : [ "arn:aws:iam::468589876897:role/app/my-test-app" ] } } }
我有下面的代码来阅读我的秘密管理员
String secretName = "/myapp/secret/key_1-zbv0eq";
String endpoint = "secretsmanager.us-west-2.amazonaws.com";
String region = "us-west-2";
AwsClientBuilder.EndpointConfiguration config = new AwsClientBuilder.EndpointConfiguration(endpoint, region);
AWSSecretsManagerClientBuilder clientBuilder = AWSSecretsManagerClientBuilder.standard();
clientBuilder.setEndpointConfiguration(config);
AWSSecretsManager client = clientBuilder.build();
String secret;
ByteBuffer binarySecretData;
GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
.withSecretId(secretName).withVersionStage("AWSCURRENT");
GetSecretValueResult getSecretValueResult = null;
try {
getSecretValueResult = client.getSecretValue(getSecretValueRequest);
} catch(ResourceNotFoundException e) {
System.out.println("The requested secret " + secretName + " was not found");
} catch (InvalidRequestException e) {
System.out.println("The request was invalid due to: " + e.getMessage());
} catch (InvalidParameterException e) {
System.out.println("The request had invalid params: " + e.getMessage());
}
// Depending on whether the secret was a string or binary, one of these fields will be populated
if(getSecretValueResult.getSecretString() != null) {
secret = getSecretValueResult.getSecretString();
System.out.println(secret);
}
else {
binarySecretData = getSecretValueResult.getSecretBinary();
System.out.println(binarySecretData.toString());
}
}
当我运行此代码时,我得到以下错误,
user: arn:aws:sts::468589876897:assumed-role/my-test-app/41810bc3cf2b4c99ad87f641810bc3cf
is not authorized to perform: secretsmanager:getsecretvalue on resource:
/myapp/secret/key_1-zbv0eq (service: awssecretsmanager; status code: 400; error code: accessdeniedexception; request id: 8254cdd0-3ce4-4485-bcd8-8af4b08e6fa2
我不确定这个角色是如何使用的arn:aws:sts::468589876897:假定的角色/我的测试应用程序/41810bc3cf2b4c99ad87f641810bc3cf而不是arn:aws:iam::468587876897:角色/应用程序/我的检测应用程序
我在AWS控制台上仔细检查了一下,ECS任务有一个task_iam_role,容器定义中显示的执行角色是arn:AWS:iam::468589876897:角色/app/my测试应用
可能缺少什么?
为了检索凭据,您的环境必须能够访问aws密钥管理器。这是通过IAM角色提供的,在您使用的策略中";拒绝";而不是";允许"获取机密值";方法将返回一个json,该json将具有字典格式的所有凭据。您收到的错误表明您无权访问您的环境。我认为更改您的策略将完成您的工作(更改为"允许"获取机密方法,如果您正在使用任何其他服务,也允许其他服务访问,或者您可以使用机密管理器读写内置的AWS策略(