我正在使用cloudformation模板创建ECS任务定义。针对ecs的所有必需权限都授予了我的用户。如所示
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ECSManageRole",
"Effect": "Allow",
"Action": [
"ecs:UpdateTaskSet",
"ecs:UpdateServicePrimaryTaskSet",
"ecs:UpdateService",
"ecs:UpdateContainerInstancesState",
"ecs:UpdateContainerAgent",
"ecs:UpdateCapacityProvider",
"ecs:TagResource",
"ecs:Submit*",
"ecs:StopTask",
"ecs:StartTelemetrySession",
"ecs:StartTask",
"ecs:RunTask",
"ecs:RegisterTaskDefinition",
"ecs:PutClusterCapacityProviders",
"ecs:ListTasks",
"ecs:ListTaskDefinitions",
"ecs:ListTaskDefinitionFamilies",
"ecs:ListServices",
"ecs:ListContainerInstances",
"ecs:ListClusters",
"ecs:ExecuteCommand",
"ecs:DescribeTasks",
"ecs:DescribeTaskDefinition",
"ecs:DescribeServices",
"ecs:DescribeContainerInstances",
"ecs:DescribeClusters",
"ecs:DescribeCapacityProviders",
"ecs:DeregisterTaskDefinition",
"ecs:DeregisterContainerInstance",
"ecs:DeleteTaskSet",
"ecs:DeleteService",
"ecs:CreateTaskSet",
"ecs:CreateService",
"ecs:CreateCapacityProvider"
],
"Resource": "arn:aws:ecs:us-east-1:XXX:*"
},
{
"Sid": "ECSReadRole",
"Effect": "Allow",
"Action": [
"ecs:List*",
"ecs:Describe*"
],
"Resource": "arn:aws:ecs:us-east-1:XXX:*"
}
]
}
但是仍然会出现这个错误。(注意:在写入/读取部分,操作是重复的,但不应影响此操作(
ECS Task definition error nvalid request provided: Create TaskDefinition: User: arn:aws:sts::XXX:assumed-role/ADO_ROLE/aws-vsts-tools is not authorized to perform: ecs:RegisterTaskDefinition on resource: * because no identity-based policy allows the ecs:RegisterTaskDefinition action
这是因为资源一些动作需要资源"*"[所有资源]而不是特定资源我们可以选择此操作的所有资源&可以解决这个问题