我正在AWS Fargate中运行一个使用SecretsManager的SpringBoot应用程序。这是我作为凭证提供商向AWS SDK提供的内容:
public class ProfiledCredentialsProvider extends AWSCredentialsProviderChain {
public ProfiledCredentialsProvider(@Nullable final String profile) {
super(new DefaultAWSCredentialsProviderChain(), new EC2ContainerCredentialsProviderWrapper(),
new EnvironmentVariableCredentialsProvider(), new SystemPropertiesCredentialsProvider(),
StringUtils.isBlank(profile) ? new ProfileCredentialsProvider()
: new ProfileCredentialsProvider(profile));
this.setReuseLastProvider(true);
}
}
这使我可以使用替代的AWS配置文件在本地运行此应用程序。当我在法盖特运行这个应用程序时,我会得到以下堆栈:
com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [com.amazonaws.auth.DefaultAWSCredentialsProviderChain@3439f68d: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.profile.ProfileCredentialsProvider@1cab0bfb: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@140e5a13: Failed to connect to service endpoint: ], com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@dbd940d: Failed to connect to service endpoint: , EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), com.amazonaws.auth.profile.ProfileCredentialsProvider@71d15f18: profile file cannot be null]
at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:136) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1257) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:833) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:783) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530) ~[aws-java-sdk-core-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.doInvoke(AWSSecretsManagerClient.java:2634) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2601) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2590) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.executeGetSecretValue(AWSSecretsManagerClient.java:1213) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.getSecretValue(AWSSecretsManagerClient.java:1184) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
这是我的task-definition.json:的摘录
{
"family": "transfer-services-api",
"executionRoleArn": "arn:aws:iam::************:role/ecs-task-execution-role"
"requiresCompatibilities": [
"FARGATE"
]
}
在"信任关系"中:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
以及附加的策略CCD_ 2(未设置许可边界(。任何帮助都将是伟大的,谢谢。
您需要分配一个任务角色。执行角色是让ECS访问ECR和SecretsManager等资源,以执行您的ECS任务。任务角色使您的任务的代码能够访问其他AWS资源。请参阅此处的文档。