我有一个docker容器在aws-fargate中运行。它需要访问参数存储来获取一些参数。当我运行它时,它在以下代码上失败:
ssm = boto3.client('ssm', region_name='us-east-1')
def get_ssm_parameter(name: str, with_decryption=False) -> str:
try:
response = ssm.get_parameter(
Name=name,
WithDecryption=with_decryption)
parameter = response['Parameter']['Value']
except ClientError as error:
print(error.response['Error']['Code'])
raise
return parameter
我在ecs任务中担任IAM角色,该任务具有以下策略:
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters"
],
"Resource": [
"arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
"arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME"
]
}
]
}
我相信boto3找不到aws凭据,这就是它引发错误的原因。我还尝试将AmazonSSMFullAccess策略附加到ecs角色,但它仍然给出相同的错误。似乎不明白为什么。我不想对代码中的凭据进行硬编码,也不想寻找使用IAM角色来访问参数存储的方法。
更新:
我在任务定义中添加了这样的秘密:
"secrets": [
{
"valueFrom": "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME",
"name": "MONGODB_USERNAME"
},
{
"valueFrom": "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
"name": "MONGODB_PWD"
}
我还为我的ecs角色添加了以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters"
],
"Resource": [
"arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
"arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME"
]
}
]
}
现在我得到了一个不同的错误:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::633157335118:assumed-role/ecsTaskExecutionRole/9620073221dc4c118ee500f2834898ce is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME
在将AmazonSSMFullAccess策略附加到ecs角色后,我能够解决问题