我正在使用AWS CDK建立一个新的基础设施,我正试图让一个TypeScript应用程序在Fargate中运行,以便能够从DynamoDB表中读/写,但遇到了IAM问题。
我已经定义了我的Fargate服务和DynamoDB表,它们都在AWS中正常运行,但每当我试图从应用程序写入表时,我都会收到一个拒绝访问的错误。
我已经尝试了这篇文章中定义的解决方案,以及它链接到的那些解决方案,但似乎没有任何东西允许我的容器写入表。我已经尝试了从设置table.grantReadWriteData(fargateService.taskDefinition.taskRole)到定义我自己的IAM策略以及设置效果和操作的链接文章中描述的更复杂的解决方案的所有方法,但在尝试执行putItem:时,我总是会遇到相同的拒绝访问错误
AccessDeniedException:用户:{fargate service arn}未被授权对资源:{generandb table}执行:generandb:PutItem,因为没有基于身份的策略允许generandb:PutItem操作
我是错过了什么,还是错过了实现这一目标的关键一步?
非常感谢您的帮助。
谢谢!
编辑(2022-09-19(:
以下是我如何定义Vpc、Cluster、Container Image、FargateService和Table的简单代码。
export class FooCdkStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const vpc = new Vpc(this, 'FooVpc', {
maxAzs: 2,
natGateways: 1
});
const cluster = new Cluster(this, 'FooCluster', { vpc });
const containerImage = ContainerImage.fromAsset(
path.join(__dirname, '/../app'),
{
platform: Platform.LINUX_AMD64 // I'm on an M1 Mac and images weren't working appropriately without this
}
);
const fargateService = new ApplicationLoadBalancedFargateService(
this,
'FooFargateService',
{
assignPublicIp: true,
cluster,
memoryLimitMiB: 1024,
cpu: 512,
desiredCount: 1,
taskImageOptions: {
containerPort: PORT,
image: containerImage
}
}
);
fargateService.targetGroup.configureHealthCheck({ path: '/health' });
const serverTable = new Table(this, 'FooTable', {
billingMode: BillingMode.PAY_PER_REQUEST,
removalPolicy: cdk.RemovalPolicy.DESTROY,
partitionKey: { name: 'id', type: AttributeType.STRING },
pointInTimeRecovery: true
});
serverTable.grantReadWriteData(fargateService.taskDefinition.taskRole);
}
}
显然,资源的定义顺序很重要,或者在Fargate服务中包含表中的属性才是关键。我将表定义移到了Fargate服务之上,并包含了一个包含表名的环境变量,现在它可以按预期工作了。
export class FooCdkStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const vpc = new Vpc(this, 'FooVpc', {
maxAzs: 2,
natGateways: 1
});
const cluster = new Cluster(this, 'FooCluster', { vpc });
const containerImage = ContainerImage.fromAsset(
path.join(__dirname, '/../app'),
{
platform: Platform.LINUX_AMD64 // I'm on an M1 Mac and images weren't working appropriately without this
}
);
const serverTable = new Table(this, 'FooTable', {
billingMode: BillingMode.PAY_PER_REQUEST,
removalPolicy: cdk.RemovalPolicy.DESTROY,
partitionKey: { name: 'id', type: AttributeType.STRING },
pointInTimeRecovery: true
});
const fargateService = new ApplicationLoadBalancedFargateService(
this,
'FooFargateService',
{
assignPublicIp: true,
cluster,
memoryLimitMiB: 1024,
cpu: 512,
desiredCount: 1,
taskImageOptions: {
containerPort: PORT,
image: containerImage,
environment: {
SERVER_TABLE_NAME: serverTable.tableName
}
}
}
);
fargateService.targetGroup.configureHealthCheck({ path: '/health' });
serverTable.grantReadWriteData(fargateService.taskDefinition.taskRole);
}
}
希望这能帮助将来可能遇到同样问题的人。