I am new to Terraform and I am trying to deploy a Docker image from AWS ECR to ECS. However, I get the following error. Can anyone help with this?
ResourceInitializationError: unable to pull secrets or registry auth:
execution resource retrieval failed: unable to retrieve ecr registry
auth: service call has been retried 1 time(s):
AccessDeniedException: User: arn:aws:sts::AccountID:assumed-role/ecsExecution-1/25d077c2af604f4e93feead72a141e3g is not authorized to perform:
ecr:GetAuthorizationToken on resource: *
because no identity-based policy allows the
ecr:GetAuthorizationToken action
status code: 400, request id: 1a1bee4c-5ab6-4b44-bbf8-5586edea6b3g
This is my code:
resource "aws_ecs_cluster" "first-cluster" {
  name = "test-docker-deploy"
}

resource "aws_ecs_task_definition" "first-task" {
  family                = "first-task"
  container_definitions = <<TASK_DEFINITION
[
  {
    "name": "first-task",
    "image": "899696473236.dkr.ecr.us-east-1.amazonaws.com/first-repo:nginx-demo",
    "cpu": 256,
    "memory": 512,
    "essential": true,
    "portMappings": [
      {
        "containerPort": 80,
        "hostPort": 80
      }
    ]
  }
]
TASK_DEFINITION
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  # Role the ECS agent uses to pull the image and start the task
  execution_role_arn       = aws_iam_role.Execution_Role.arn
}

resource "aws_iam_role" "Execution_Role" {
  name               = "ecsExecution-1"
  assume_role_policy = data.aws_iam_policy_document.role_policy.json
}

# Trust policy only: lets the ECS tasks service assume the role
data "aws_iam_policy_document" "role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_ecs_service" "first-service" {
  name            = "docker-service"
  cluster         = aws_ecs_cluster.first-cluster.id
  task_definition = aws_ecs_task_definition.first-task.arn
  launch_type     = "FARGATE"
  desired_count   = 1
  network_configuration {
    subnets          = [aws_default_subnet.subnet-a.id]
    assign_public_ip = true
  }
}

resource "aws_default_vpc" "default" {
}

resource "aws_default_subnet" "subnet-a" {
  availability_zone = "us-east-1a"
}
In addition to having the assume role policy (i.e. the permission or trust policy), you also need to have an execution policy [1]. The former says to allow the ECS task to assume the role in the background, and the latter says what the ECS task can do when it assumes the role. So the permission policy is correct, but you need the following code for this to work (i.e. ecs_task_policy):
# Permissions policy: what the role may do once assumed
data "aws_iam_policy_document" "ecs_task_policy" {
  statement {
    sid = "EcsTaskPolicy"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage"
    ]
    resources = [
      "*" # you could limit this to only the ECR repo you want
    ]
  }

  statement {
    actions = [
      "ecr:GetAuthorizationToken"
    ]
    resources = [
      "*"
    ]
  }

  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]
    resources = [
      "*"
    ]
  }
}

resource "aws_iam_role" "Execution_Role" {
  name               = "ecsExecution-1"
  assume_role_policy = data.aws_iam_policy_document.role_policy.json

  # Attach the permissions policy to the role
  inline_policy {
    name   = "EcsTaskExecutionPolicy"
    policy = data.aws_iam_policy_document.ecs_task_policy.json
  }
}

# Trust policy: lets the ECS tasks service assume the role
data "aws_iam_policy_document" "role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}
Also note that depending on what is inside the Docker image you use for the task, you may need to add more AWS permissions to the execution policy. The ECR repo access can be restricted to the ARN of the ECR repo where the Docker image lives. In theory the logs permissions may not be needed at this point, but if you want to see whether there are any errors you will need to send the logs somewhere. If you want that, you must also add the logConfiguration section to the task definition [2].
[1] https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_execution_IAM_role.html
[2] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html#create_awslogs_loggroups
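The answer mentions two tightenings it does not spell out: restricting the pull permissions to the one ECR repository and adding a logConfiguration so task errors are visible. The following is an added example (not code from the question or the answer) that carries both through. It assumes the repository "first-repo" from the question already exists in the same account and region, an AWS provider of v4 or later (whose aws_cloudwatch_log_group ARN has no trailing ":*"), and the resource names ecs_execution, app, first_task and the log group name "/ecs/first-task" are chosen here.

```hcl
locals {
  aws_region = "us-east-1" # region used in the question
}

# Look up the existing repository so pull permissions can be tied to its ARN
data "aws_ecr_repository" "app" {
  name = "first-repo"
}

# Pre-create the log group so the role does not need logs:CreateLogGroup
resource "aws_cloudwatch_log_group" "app" {
  name              = "/ecs/first-task"
  retention_in_days = 14
}

# Trust policy: only the ECS tasks service may assume this role
data "aws_iam_policy_document" "ecs_execution_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

# Permissions policy: what the ECS agent may do while it holds the role
data "aws_iam_policy_document" "ecs_execution_permissions" {
  # GetAuthorizationToken has no resource-level permissions, so "*" is required here
  statement {
    sid       = "EcrLogin"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # Layer download is limited to the one repository holding the image
  statement {
    sid = "EcrPullImage"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]
    resources = [data.aws_ecr_repository.app.arn]
  }

  # Log writes are limited to streams under the task's own log group
  statement {
    sid       = "WriteTaskLogs"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.app.arn}:*"]
  }
}

resource "aws_iam_role" "ecs_execution" {
  name               = "ecsExecution-1"
  assume_role_policy = data.aws_iam_policy_document.ecs_execution_trust.json
}

resource "aws_iam_role_policy" "ecs_execution" {
  name   = "EcsTaskExecutionPolicy"
  role   = aws_iam_role.ecs_execution.id
  policy = data.aws_iam_policy_document.ecs_execution_permissions.json
}

# Task definition with the awslogs logConfiguration the answer refers to
resource "aws_ecs_task_definition" "first_task" {
  family                   = "first-task"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = aws_iam_role.ecs_execution.arn

  container_definitions = jsonencode([
    {
      name      = "first-task"
      image     = "${data.aws_ecr_repository.app.repository_url}:nginx-demo"
      cpu       = 256
      memory    = 512
      essential = true
      portMappings = [
        { containerPort = 80, hostPort = 80, protocol = "tcp" }
      ]
      logConfiguration = {
        logDriver = "awslogs"
        options = {
          "awslogs-group"         = aws_cloudwatch_log_group.app.name
          "awslogs-region"        = local.aws_region
          "awslogs-stream-prefix" = "ecs"
        }
      }
    }
  ])
}
```

With this layout a compromised task cannot be used to pull images from any other repository in the account, and a failing container's stdout/stderr lands in /ecs/first-task where the ResourceInitializationError above (and any application errors that follow it) can be read with `aws logs tail`. The aws_ecs_cluster, aws_ecs_service and subnet resources from the question are unchanged and are not repeated here.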